Differences


doc:uci:firewall [2014/08/22 17:21]
zorun Fix SSH redirection example
doc:uci:firewall [2014/10/10 11:52] (current)
mwarning
Line 119: Line 119:
| ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. | | ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. |
| ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. | | ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. |
-| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/second'', ''3/sec'' or ''3/s''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
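Review bot: the new examples ''3/sec'' and ''3/s'' rely on abbreviated suffixes that the description in the same cell never mentions; it still lists only ''/second'', ''/minute'', ''/hour'' and ''/day''. State the rule in the description instead of leaving readers to infer it from the examples, e.g. "the unit may be abbreviated to a leading prefix such as ''/sec'' or ''/s''", and since the suffix is called optional, also say which unit applies when it is omitted; the row currently gives no default for that case. The same row in the rule table at Line 163 is being changed in this revision to a different set of examples (''3/minute'', ''3/min'', ''3/m''); using one example set in both tables, or documenting the abbreviation rule once, would avoid readers concluding that redirects and rules accept different syntaxes.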
Line 163: Line 163:
| ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
-| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/minute'', ''3/min'' or ''3/m''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
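Review bot: same gap as the ''limit'' row in the redirect table at Line 119: ''3/min'' and ''3/m'' are abbreviations the description does not explain, and the cell still says the suffix is optional without stating the default unit. Add the abbreviation rule and the default to the description rather than only the examples, and keep the example set identical to the redirect table so the two rows do not read as documenting different syntaxes.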
Line 662: Line 662:
-===== Note on connection tracking (NOTRACK) =====+===== Notes on connection tracking ===== 
 + 
 +==== NOTRACK ====
By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target. By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target.
Line 670: Line 672:
If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''. If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''.
For further information see http://security.maruhn.com/iptables-tutorial/x4772.html . For further information see http://security.maruhn.com/iptables-tutorial/x4772.html .
 +
 +==== nf_conntrack_skip_filter ====
 +
 +Since [[https://dev.openwrt.org/changeset/42048/trunk/package|r42048]], there is a new setting activated by default which causes the packets with the established state, completely bypass iptables filter table. This is to [[https://dev.openwrt.org/ticket/17690#comment:6|help with network performance]] and unless you need all packets to be counted by iptables filter or have some specific rules which would apply to already established connections, you should leave it active.
 +
 +This behavior can be disabled by editing /etc/sysctl.conf :
 +  net.netfilter.nf_conntrack_skip_filter=0
 +and then activating the new setting:
 +  sysctl -p
 +
 +or be temporarily turned off untill the next reboot by issuing :
 +  sysctl -w net.netfilter.nf_conntrack_skip_filter=0
===== How to delete a rule ===== ===== How to delete a rule =====
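Review bot: the new nf_conntrack_skip_filter subsection understates what "completely bypass iptables filter table" means for enforcement, so the advice to "leave it active" needs a sharper exception list than "some specific rules". While the sysctl is 1, no filter-table rule sees packets of established connections: per-packet counters (mentioned in the text) and LOG rules, custom rules in ''/etc/firewall.user'' or passed via ''extra'' that match on packet contents or properties, and any DROP added later to cut off an already-open connection, which keeps flowing until its conntrack entry expires or is flushed. Say that plainly and tell the reader to set the sysctl to 0 in those cases. Two smaller points: because the bypass keys on conntrack state, it does not apply to zones handled by the NOTRACK rules described in the preceding subsection (untracked packets never become "established"), which is worth stating so readers do not disable it needlessly for those zones; and after editing /etc/sysctl.conf and running ''sysctl -p'', the reader should confirm the active value with ''sysctl net.netfilter.nf_conntrack_skip_filter''. Typo: "untill" should be "until".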


doc/uci/firewall.1408720899.txt.bz2 · Last modified: 2014/08/22 17:21 by zorun