Differences

This shows you the differences between two versions of the page.

--- userdoc:tt_firewall_plugins [2014/09/15 09:49]
abelbeck [sip-user-agent]
+++ userdoc:tt_firewall_plugins [2021/06/30 10:19] (current)
abelbeck
@@ Line 1: / Line 1: @@
 ====== Firewall Plugins ======
-AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[http://rocky.eld.leidenuniv.nl/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort.
+AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[https://github.com/arno-iptables-firewall/aif/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort.
-A feature of **AIF** is firewall plugins that can add specific functionality outside of the core script.  Firewall Plugins can be managed by selecting the Network Tab in the web interface.  {{:userdoc:ipv6-tunnel-network-tab.jpg?nolink|Network Tab}}\\
+A feature of **AIF** is firewall plugins that can add specific functionality outside of the core script.  Firewall Plugins can be managed by selecting the Network Tab in the web interface.
+\\
+{{:userdoc:ipv6-tunnel-network-tab.jpg?nolink|Network Tab}}\\
 {{:userdoc:firewall-plugins-manage.jpg?nolink|Network tab}}\\
@@ Line 38: / Line 40: @@
 ==== dyndns-host-open ====
-This implements support to open ports for DynDNS IPv4 hosts.
+This plugin provides EXT->Local firewall 'host-open' rules using hostnames (via periodic DNS lookups) rather than static IPv4 addresses.
+Should the hostname resolve to multiple IPv4 addresses, a rule for each address will be opened.
-If you allow common services, in particular SIP or SSH, from public dynamic IPv4 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.
+If you allow common services, in particular SIP or SSH, only from public dynamic IPv4 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.
 (IPv4-only)
+==== dyndns-ipv6-forward ====
+!!Note: this plugin is not available until AstLinux 1.2.10 and later.!!\\
+This plugin provides EXT->LAN firewall 'ipv6-forward' rules using hostnames (via periodic DNS lookups) rather than static IPv6 addresses.
+Should the hostname resolve to multiple IPv6 addresses, a rule for each address will be opened.
+!!Tip ->!! A custom ddclient config may be used to publish local servers with dynamic DNS AAAA records.
+(IPv6-only)
+==== dyndns-ipv6-open ====
+!!Note: this plugin is not available until AstLinux 1.2.10 and later.!!\\
+This plugin provides EXT->Local firewall 'ipv6-open' rules using hostnames (via periodic DNS lookups) rather than static IPv6 addresses.
+Should the hostname resolve to multiple IPv6 addresses, a rule for each address will be opened.
+If you allow common services, in particular SIP or SSH, only from public dynamic IPv6 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.
+!!Tip ->!! Similar functionality as the IPv4 dyndns-host-open plugin except using IPv6 with AAAA DNS records.
+(IPv6-only)
@@ Line 82: / Line 107: @@
 (IPv4-only)
+==== net-prefix-translation ====
+!!Note: this plugin is not available until AstLinux 1.3.0 and later.!!\\
+Commonly used with static assigned ULA (Unique Local IPv6 Unicast Addresses)
+(RFC4193) prefixes on local networks and perform a 1:1 mapping to a
+GUA (IPv6 Global Unicast Address) (RFC3587) prefix provided by your ISP.
+Should the GUA prefix change, the local ULA prefix can remain the same.
+(IPv6-only)
 ==== openvpn-server ====
@@ Line 96: / Line 131: @@
 (IPv4-only)
+==== pptp-vpn-passthrough ====
+!!Note: this plugin is not available until AstLinux 1.2.5 and later.!!\\
+This plugin loads the required kernel modules for PPTP VPN Clients to access remote PPTP VPN Server(s) when NAT is enabled.
-==== pptp-vpn ====
+(IPv4-only)
-!!Automatically Enabled!!\\
-This plugin adds all required rules for using a PPTP VPN Server.
-The firewall must be enabled for the PPTP VPN to properly function.
+==== pptp-vpn ====
+!!Note: this plugin has been removed for AstLinux 1.3.8 and later.!!\\
 ==== sip-user-agent ====
@@ Line 107: / Line 144: @@
 This plugin adds SIP User-Agent filtering, no packets are allowed by this plugin, only denied. This plugin monitors inbound (EXT->Local) SIP sessions on specified ports.
-If SIP_USER_AGENT_PASS_TYPES is defined with a list of space separated User-Agent matches, non-matching User-Agent's will be dropped. (Whitelist)
+If SIP_USER_AGENT_PASS_TYPES is defined with a list of space separated User-Agent matches, non-matching User-Agent packets will be dropped. (Whitelist)
-Else if SIP_USER_AGENT_DROP_TYPES is defined with a list of space separated User-Agent matches, matching User-Agent's will be dropped. (Blacklist)
+Otherwise if SIP_USER_AGENT_DROP_TYPES is defined with a list of space separated User-Agent matches, matching User-Agent packets will be dropped. (Blacklist)
-This plugin will have no effect on TLS encrypted SIP sessions, only unencrypted SIP.
+This plugin will have no effect on TLS encrypted SIP sessions, only unencrypted SIP sessions.
 ==== sip-voip ====
 This plugin attempts to track the RTP ports used in a SIP dialog and automatically open the necessary RTP ports when needed.
@@ Line 146: / Line 183: @@
 (IPv4-only)
+==== wireguard-vpn ====
+!!Note: this plugin is not available until AstLinux 1.3.2 and later.!!\\
+!!Automatically Enabled!!\\
+This plugin adds all required rules for using the WireGuard VPN.
+The firewall must be enabled for the WireGuard VPN to properly function.