User manual

20: Configuring firewall
_______________________________________________________________________________________________________
zone, if omitted, the value of name is used by default.

| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| masq | boolean | no | 0 | Specifies whether outgoing zone traffic should be masqueraded (NATed); this is typically enabled on the wan zone. |
| masq_src | list of subnets | no | 0.0.0.0/0 | Limits masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
| masq_dest | list of subnets | no | 0.0.0.0/0 | Limits masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
| conntrack | boolean | no | 1 if masquerading is used, 0 otherwise | Forces connection tracking for this zone. |
| mtu_fix | boolean | no | 0 | Enables MSS clamping for outgoing zone traffic. |
| input | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic. |
| forward | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic. |
| output | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic. |
| family | string | no | any | Defines the protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
| log | boolean | no | 0 | Creates log rules for rejected and dropped traffic in this zone. |
| log_limit | string | no | 10/minute | Limits the number of log messages per interval. |
20.3 Forwarding sections
The forwarding sections control the traffic flow between zones and can enable
MSS clamping for specific directions. Only one direction is covered by a
forwarding rule. To allow bidirectional traffic flows between two zones, you need
two forwardings, with src and dest reversed in each.
The table below shows allowed options within forwarding sections:
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| src | zone name | yes | (none) | Specifies the traffic source zone; must refer to one of the defined zone names. |
| dest | zone name | yes | (none) | Specifies the traffic destination zone; must refer to one of the defined zone names. |
| family | string | no | any | Defines the protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
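As an added illustration, not taken from the manual or the GW1000 firmware, the following Python check parses a constructed /etc/config/firewall fragment, flags forwarding sections whose src or dest is not a defined zone name, and lists zone pairs that are only forwarded in one direction (the case the text above describes when only one of the two forwardings has been written). The sample config, the parser and the function names are assumptions made for this example.

```python
"""Sanity-check zone and forwarding sections of a UCI firewall config."""
import re

# Constructed sample /etc/config/firewall fragment (not taken from the manual).
SAMPLE = """
config zone
    option name 'lan'
    list network 'lan'
    option forward 'REJECT'

config zone
    option name 'wan'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'dmz'
    option dest 'wan'
"""

def parse_uci(text):
    """Return [(section_type, {key: value})]; 'list' keys collect into lists."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"^(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?$", line.strip())
        if not m:
            continue  # blank lines and anything that is not a UCI statement
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def check_forwardings(text):
    """Return (undefined, one_way): forwarding src/dest names that match no
    zone, and (src, dest) pairs that have no reverse forwarding section."""
    sections = parse_uci(text)
    zones = {o["name"] for t, o in sections if t == "zone" and "name" in o}
    pairs = {(o.get("src"), o.get("dest")) for t, o in sections if t == "forwarding"}
    undefined = sorted({z for pair in pairs for z in pair if z not in zones})
    one_way = sorted(p for p in pairs if (p[1], p[0]) not in pairs)
    return undefined, one_way
```

On the sample, the dmz forwarding is reported as referring to an undefined zone, and both forwardings are reported as one-way, which is expected for lan to wan and is the reminder that a reverse forwarding must be written explicitly if it is wanted.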
_______________________________________________________________________________________________________
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 130 of 255