User manual

20: Configuring firewall
Name         Type     Required  Default  Description
limit        string   no        (none)   Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Example: 3/hour.
limit_burst  integer  no        5        Maximum initial number of packets to match; this number gets recharged by one every time the limit specified above is not reached, up to this number.
extra        string   no        (none)   Extra arguments to pass to iptables; this is mainly useful to specify additional match options, like -m policy --dir in for IPsec.
20.6 Includes
It is possible to include custom firewall scripts by specifying one or more include
sections in the firewall configuration.
There is only one possible parameter for includes:
Name  Type       Required  Default             Description
path  file name  yes       /etc/firewall.user  Specifies a shell script to execute on boot or firewall restarts.
Included scripts may contain arbitrary commands, for example advanced
iptables rules or tc commands required for traffic shaping.
When writing custom iptables rules, use -I (insert) instead of -A (append) to
ensure that the created rules appear before the generic ones.
20.7 IPv6 notes
As described above, the option family is used for distinguishing between IPv4,
IPv6 and both protocols. However, the family is inferred automatically if IPv6
addresses are used; for example, the following is automatically treated as an IPv6-only rule:
    config rule
        option src wan
        option src_ip fdca:f00:ba3::/64
        option target ACCEPT
Similarly, a rule that uses only IPv4 addresses is automatically treated as IPv4 only.
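The following include script is an added example, not taken from the manual or from the GW1000 firmware. It shows the two points above together: rules are inserted with -I so they land ahead of the generic ones, and the tool (iptables or ip6tables) is chosen from the address family of the source prefix, mirroring the inference rule described for config rule entries. The rate limit uses the same -m limit options that the limit and limit_burst parameters map to. It assumes the standard iptables/ip6tables commands and the built-in INPUT chain; the IPTABLES and IP6TABLES variables, the FIREWALL_USER_APPLY guard and the 192.0.2.0/24 sample prefix are constructed for this example.

```shell
#!/bin/sh
# Added example of an include script in the style of /etc/firewall.user.
# Not from the manual. Assumes stock iptables/ip6tables and the INPUT chain.
# Set IPTABLES=echo (and IP6TABLES=echo) to preview the generated rules
# instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
IP6TABLES="${IP6TABLES:-ip6tables}"

# Same inference the manual describes for config rules: an address that
# contains ':' is IPv6, anything else is IPv4.
infer_family() {
    case "$1" in
        *:*) echo ipv6 ;;
        *)   echo ipv4 ;;
    esac
}

# Pick the tool that matches the family of the given source prefix.
tool_for() {
    if [ "$(infer_family "$1")" = ipv6 ]; then
        echo "$IP6TABLES"
    else
        echo "$IPTABLES"
    fi
}

# Accept new SSH connections from SRC at most RATE with a burst of BURST and
# drop the rest. Each -I at position 1 lands on top of the chain, so the DROP
# is inserted first and the rate-limited ACCEPT second; the result is
# ACCEPT-then-DROP, both evaluated before the generic rules.
limit_ssh() {
    src="$1"; rate="$2"; burst="$3"
    tool="$(tool_for "$src")"
    "$tool" -I INPUT 1 -s "$src" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j DROP
    "$tool" -I INPUT 1 -s "$src" -p tcp --dport 22 \
        -m conntrack --ctstate NEW \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
}

main() {
    limit_ssh 192.0.2.0/24 3/minute 5        # IPv4 prefix -> iptables
    limit_ssh fdca:f00:ba3::/64 3/minute 5   # IPv6 prefix -> ip6tables
}

# Apply only when run deliberately (FIREWALL_USER_APPLY=1); sourcing the
# file just defines the functions so they can be previewed or tested.
if [ "${FIREWALL_USER_APPLY:-0}" = 1 ]; then
    main
fi
```

To preview what would be inserted without touching the running firewall, run it as `IPTABLES=echo IP6TABLES=echo FIREWALL_USER_APPLY=1 sh firewall.user`; the printed lines are exactly the arguments that would be handed to iptables or ip6tables.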
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 133 of 255