userdoc:tt_firewall_plugins

userdoc:tt_firewall_plugins [2014/09/15 09:48]
abelbeck [sip-user-agent]
userdoc:tt_firewall_plugins [2020/05/13 15:03]
abelbeck [Firewall Plugins]
Line 1: Line 1:
 ====== Firewall Plugins ====== ====== Firewall Plugins ======
  
-AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[http://rocky.eld.leidenuniv.nl/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort.+AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[https://github.com/arno-iptables-firewall/aif/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort.
  
-A feature of **AIF** is firewall plugins that can add specific functionality outside of the core script.  Firewall Plugins can be managed by selecting the Network Tab in the web interface.  {{:userdoc:ipv6-tunnel-network-tab.jpg?nolink|Network Tab}}\\+A feature of **AIF** is firewall plugins that can add specific functionality outside of the core script.  Firewall Plugins can be managed by selecting the Network Tab in the web interface. 
 +\\ 
 +{{:userdoc:ipv6-tunnel-network-tab.jpg?nolink|Network Tab}}\\
  
 {{:userdoc:firewall-plugins-manage.jpg?nolink|Network tab}}\\ {{:userdoc:firewall-plugins-manage.jpg?nolink|Network tab}}\\
Line 38: Line 40:
  
 ==== dyndns-host-open ==== ==== dyndns-host-open ====
-This implements support to open ports for DynDNS IPv4 hosts.+This plugin provides EXT->Local firewall 'host-open' rules using hostnames (via periodic DNS lookups) rather than static IPv4 addresses. 
 +Should the hostname resolve to multiple IPv4 addresses, a rule for each address will be opened.
  
-If you allow common services, in particular SIP or SSH, from public dynamic IPv4 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.+If you allow common services, in particular SIP or SSH, only from public dynamic IPv4 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.
  
 (IPv4-only) (IPv4-only)
 +
 +
 +==== dyndns-ipv6-forward ====
 +!!Note: this plugin is not available until AstLinux 1.2.10 and later.!!\\
 +This plugin provides EXT->LAN firewall 'ipv6-forward' rules using hostnames (via periodic DNS lookups) rather than static IPv6 addresses.
 +Should the hostname resolve to multiple IPv6 addresses, a rule for each address will be opened.
 +
 +!!Tip ->!! A custom ddclient config may be used to publish local servers with dynamic DNS AAAA records.
 +
 +(IPv6-only)
 +
 +
 +==== dyndns-ipv6-open ====
 +!!Note: this plugin is not available until AstLinux 1.2.10 and later.!!\\
 +This plugin provides EXT->Local firewall 'ipv6-open' rules using hostnames (via periodic DNS lookups) rather than static IPv6 addresses.
 +Should the hostname resolve to multiple IPv6 addresses, a rule for each address will be opened.
 +
 +If you allow common services, in particular SIP or SSH, only from public dynamic IPv6 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.
 +
 +!!Tip ->!! Similar functionality as the IPv4 dyndns-host-open plugin except using IPv6 with AAAA DNS records.
 +
 +(IPv6-only)
  
  
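Review bot: the dyndns-host-open, dyndns-ipv6-forward and dyndns-ipv6-open sections say the rules are built "via periodic DNS lookups" but never state the lookup interval or what happens between lookups; a reader choosing these plugins instead of public access needs to know that a host whose address changed is locked out, and its previous address stays open, until the next refresh, and that the resulting rules are only as trustworthy as the DNS answers this device receives. Suggest one sentence per section giving the refresh interval and that caveat. Minor wording in both the IPv4 and IPv6 recommendation: "enable this plugin and don't allow these services" reads better as "enable this plugin and not allow these services from the public by default".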
Line 82: Line 107:
 (IPv4-only) (IPv4-only)
  
 +
 +==== net-prefix-translation ====
 +!!Note: this plugin is not available until AstLinux 1.3.0 and later.!!\\
 +Commonly used with static assigned ULA (Unique Local IPv6 Unicast Addresses)
 +(RFC4193) prefixes on local networks and perform a 1:1 mapping to a
 +GUA (IPv6 Global Unicast Address) (RFC3587) prefix provided by your ISP.
 +Should the GUA prefix change, the local ULA prefix can remain the same.
 +
 +
 +(IPv6-only)
  
 ==== openvpn-server ==== ==== openvpn-server ====
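Review bot: the first sentence of net-prefix-translation has no subject ("Commonly used with static assigned ULA ... and perform a 1:1 mapping"); suggest "This plugin is commonly used with statically assigned ULA (Unique Local IPv6 Unicast Addresses) (RFC4193) prefixes on local networks, performing a 1:1 mapping to a GUA (IPv6 Global Unicast Address) (RFC3587) prefix provided by your ISP." It would also help to state whether inbound traffic arriving on the GUA prefix is still subject to the normal EXT->LAN rules after translation, since a reader may assume the prefix mapping itself restricts access to the ULA hosts.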
Line 97: Line 132:
  
  
-==== pptp-vpn ==== +==== parasitic-net ==== 
-!!Automatically Enabled!!\\ +!!Note: this plugin is not available until AstLinux 1.3.0 and later.!!\\ 
-This plugin adds all required rules for using PPTP VPN Server.+This Parasitic Network plugin allows "clients" on the same subnet to use this device as gateway upstream. 
 +This network of "clients" is the Parasitic Network, SNAT'ed to this device's external interface(s).
  
-The firewall must be enabled for the PPTP VPN to properly function.+This Parasitic Network is useful for situations when the upstream firewall 
 +is not under your control and you desire added security for specific devices 
 +in your subnet.  Set the gateway address of Parasitic Network clients to an 
 +external IPv4 address of this device. 
 + 
 +To be effective, be certain the Parasitic Network clients are IPv4-only. 
 + 
 +(IPv4-only) 
 +==== pptp-vpn-passthrough ==== 
 +!!Note: this plugin is not available until AstLinux 1.2.5 and later.!!\\ 
 +This plugin loads the required kernel modules for PPTP VPN Clients to access remote PPTP VPN Server(s) when NAT is enabled. 
 + 
 +(IPv4-only) 
 + 
 +==== pptp-vpn ==== 
 +!!Note: this plugin has been removed for AstLinux 1.3.8 and later.!!\\
  
 ==== sip-user-agent ==== ==== sip-user-agent ====
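Review bot: "To be effective, be certain the Parasitic Network clients are IPv4-only" gives no reason; since the plugin is marked (IPv4-only) and only IPv4 is SNAT'ed through this device, any IPv6 traffic from those clients would reach the upstream firewall directly and receive none of the added protection. Suggest saying so, e.g. "Only IPv4 is routed through this device, so any IPv6 traffic from these clients bypasses it and is covered by the upstream firewall alone." Style: the blank line before "==== pptp-vpn-passthrough ====" is missing, unlike the other headings, and the pptp-vpn section now consists only of the removal note; consider stating what, if anything, replaces it, or dropping the heading.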
Line 107: Line 158:
 This plugin adds SIP User-Agent filtering, no packets are allowed by this plugin, only denied. This plugin monitors inbound (EXT->Local) SIP sessions on specified ports. This plugin adds SIP User-Agent filtering, no packets are allowed by this plugin, only denied. This plugin monitors inbound (EXT->Local) SIP sessions on specified ports.
  
-If SIP_USER_AGENT_PASS_TYPES is defined with a list of space separated User-Agent matches, non-matching User-Agent'will be dropped. (Whitelist)+If SIP_USER_AGENT_PASS_TYPES is defined with a list of space separated User-Agent matches, non-matching User-Agent packets will be dropped. (Whitelist)
  
-Else if SIP_USER_AGENT_DROP_TYPES is defined with a list of space separated User-Agent matches, matching User-Agent'will be dropped. (Blacklist)+Otherwise if SIP_USER_AGENT_DROP_TYPES is defined with a list of space separated User-Agent matches, matching User-Agent packets will be dropped. (Blacklist)
  
-Of course this will have no effect on TLS encrypted SIP sessions, only unencrypted SIP.+This plugin will have no effect on TLS encrypted SIP sessions, only unencrypted SIP sessions.
 ==== sip-voip ==== ==== sip-voip ====
 This plugin attempts to track the RTP ports used in a SIP dialog and automatically open the necessary RTP ports when needed. This plugin attempts to track the RTP ports used in a SIP dialog and automatically open the necessary RTP ports when needed.
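Review bot: the sip-user-agent text covers the whitelist and blacklist cases but not a SIP request that carries no User-Agent header at all; under SIP_USER_AGENT_PASS_TYPES such a request cannot match any entry, so the reader should be told whether it is dropped (the stricter reading of the whitelist rule) or passed. Suggest one sentence stating that behaviour. Also, since the two variables are checked in order, say explicitly that SIP_USER_AGENT_DROP_TYPES is ignored when SIP_USER_AGENT_PASS_TYPES is defined; "Otherwise if" implies it, but a direct statement avoids a misconfiguration where both are set and the blacklist is expected to apply.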
Line 146: Line 197:
  
 (IPv4-only) (IPv4-only)
 +
 +==== wireguard-vpn ====
 +!!Note: this plugin is not available until AstLinux 1.3.2 and later.!!\\
 +!!Automatically Enabled!!\\
 +This plugin adds all required rules for using the WireGuard VPN.
 +
 +The firewall must be enabled for the WireGuard VPN to properly function.
 +
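Review bot: "adds all required rules for using the WireGuard VPN" does not say what those rules are; an administrator auditing the exposed surface needs to know which UDP port is opened on which external interface(s) and how traffic arriving from the WireGuard interface is classified (trusted like LAN, or filtered). Suggest listing the port and interface behaviour here, and noting how the port is configured if it is not fixed.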
  • userdoc/tt_firewall_plugins.txt
  • Last modified: 2021/06/30 10:19
  • by abelbeck