User manual

20 Configuring firewall
The UCI firewall itself is not required: it is a set of scripts which translate the UCI
configuration into netfilter rules. If preferred, you can configure netfilter directly to
achieve the desired firewall behaviour.
Note: the UCI firewall exists to simplify the configuration of netfilter for the common
scenarios, without requiring detailed knowledge of netfilter itself.
The firewall configuration consists of several zones, each covering one or more
interfaces. Traffic between zones is only allowed where a forwarding explicitly permits
it. Each zone can additionally have rules and redirects attached to it.
Below is an overview of the section types that may be defined in the firewall
configuration. A minimal firewall configuration for a router usually consists of
one defaults section, at least two zones (LAN and WAN) and one forwarding to
allow traffic from LAN to WAN. The other section types are redirects, rules and
includes.
20.1 Defaults section
The defaults section declares global firewall settings which do not belong to any
specific zone; the three policy options are applied to traffic that is not attributed to
any zone. The following options are defined within this section:

Name           Type     Required  Default  Description
syn_flood      boolean  no        1        Enables SYN flood protection.
drop_invalid   boolean  no        1        Drops packets not matching any active connection.
disable_ipv6   boolean  no        0        Disables IPv6 firewall rules if set to 1.
input          string   no        DROP     Default policy (ACCEPT, REJECT, DROP) for the INPUT chain.
forward        string   no        DROP     Default policy (ACCEPT, REJECT, DROP) for the FORWARD chain.
output         string   no        DROP     Default policy (ACCEPT, REJECT, DROP) for the OUTPUT chain.
20.2 Zones section
A zone section groups one or more interfaces and serves as a source or
destination for forwardings, rules and redirects. Masquerading (NAT) of outgoing
traffic is controlled on a per-zone basis.
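The minimal router configuration described above (one defaults section, a LAN and a WAN zone, and one forwarding from LAN to WAN), written out in UCI syntax and checked by a small shell lint, as an added example that is not taken from the GW1000 manual. The zone options input, output, forward and masq and the forwarding options src and dest are assumed to follow the OpenWrt UCI firewall syntax, which the manual has not listed at this point; the output path is an argument (on the router the file is normally /etc/config/firewall, which is an assumption here too).

```shell
#!/bin/sh
# Added example, not part of the GW1000 manual. Writes the minimal UCI firewall
# configuration (defaults + lan/wan zones + one lan->wan forwarding) and checks
# that nothing is accepted unless a zone or rule explicitly allows it.
# Assumed (OpenWrt-style) zone options: input, output, forward, masq;
# assumed forwarding options: src, dest.

# write_minimal_firewall FILE: emit the minimal configuration to FILE.
write_minimal_firewall() {
    cat > "$1" <<'EOF'
config defaults
    option syn_flood '1'
    option drop_invalid '1'
    option input 'DROP'
    option forward 'DROP'
    option output 'DROP'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'
EOF
}

# uci_get FILE TYPE NAME OPTION: print the value of OPTION from the first
# section of type TYPE whose 'name' option equals NAME (NAME '' matches the
# first section of that type, e.g. the anonymous defaults section).
uci_get() {
    awk -v type="$2" -v name="$3" -v key="$4" -v q="'" '
        function flush() {
            if (!found && stype == type && (key in opts) &&
                (name == "" || (("name" in opts) && opts["name"] == name))) {
                print opts[key]; found = 1
            }
        }
        $1 == "config" { flush(); stype = $2; split("", opts); next }
        $1 == "option" || $1 == "list" { v = $3; gsub(q, "", v); opts[$2] = v }
        END { flush() }
    ' "$1"
}

# check_defaults FILE: 0 if the defaults section's input, forward and output
# policies are DROP or REJECT. An unset policy counts as DROP, as the manual
# lists DROP as the default for all three chains.
check_defaults() {
    for chain in input forward output; do
        pol=$(uci_get "$1" defaults "" "$chain")
        case "${pol:-DROP}" in
            DROP|REJECT) ;;
            *) echo "defaults: $chain policy is '$pol', expected DROP or REJECT" >&2
               return 1 ;;
        esac
    done
    return 0
}

# check_wan_input FILE: 0 only if the 'wan' zone explicitly rejects or drops
# unsolicited inbound traffic; an unset value is treated as a finding so the
# policy is stated rather than inherited.
check_wan_input() {
    pol=$(uci_get "$1" zone wan input)
    case "$pol" in
        DROP|REJECT) return 0 ;;
        *) echo "zone wan: input policy is '$pol', expected DROP or REJECT" >&2
           return 1 ;;
    esac
}

# Stand-alone run: write the config to a temporary file and lint it.
tmp=$(mktemp)
write_minimal_firewall "$tmp"
if check_defaults "$tmp" && check_wan_input "$tmp"; then
    echo "firewall config OK"   # prints "firewall config OK"
fi
rm -f "$tmp"
```

The lint only understands the flat `config`/`option`/`list` syntax shown here; on the router itself `uci get firewall.@defaults[0].input` is the authoritative way to read a value back.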
The options below are defined within zone sections:
Name     Type       Required  Default  Description
name     zone name  yes       (none)   Sets the unique zone name.
network  list       no        (none)   Defines a list of interfaces attached to this
_______________________________________________________________________________________________________
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 129 of 255