This feature is available for full configuration with Standard and Premium accounts only.
The firewall is built on top of iptables. The different rule groups correspond to their respective chains in iptables.
Note: As a security best practice, the device ships with a minimal firewall rule set. By default, the Output Filter Rules allow all outbound traffic originating from the device, while the Input Filter Rules block all traffic addressed to the device on its WAN interfaces. (Traffic passing through the device is governed by the Port/Inbound Forwarding Rules.) Create specific, targeted input filter rules to allow only the traffic to the device that your deployment needs.
Use this page to view, add, or edit the rules for the device firewall configuration.
To configure the firewall:
On a device's Device Files tab, click Use As a Template for New Config and then click Firewall in the left navigation menu.
To use Prerouting (DNAT) or Post Routing (SNAT) rules, click Advanced in the upper right of the firewall section. See Advanced Firewall Configuration.
Click Add Rule for Port Forwarding, Input Filter Rules, or Output Filter Rules.
Enter settings and click Save As. See Related topics for details on each rule type.
At the bottom of the Firewall Settings page, there is a check box under Connection Tracker Helper.
This feature is disabled by default because of its inherent security risks. The Connection Tracker Helper enables connection tracking for multi-flow protocols that usually separate control and data traffic into different flows. Protocols supported include FTP, H323, and SIP. This feature enables and uses the kernel module, nf_conntrack_helper.
To enable this feature, check Enabled.
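The default posture from the note above (output open, WAN input closed, targeted input rules, forwarding through the device) together with a connection tracker helper, shown as an added example in iptables-restore form; this is not the device's own configuration, and the interface names, management subnet, and forwarded web server are assumed placeholders. The helper here is attached to one FTP control flow with the CT target rather than switched on globally, which is the narrower way to get RELATED data channels tracked.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset modelling the page's default
# posture plus one targeted input rule, one port forward, and a scoped FTP
# conntrack helper. Interface names and addresses below are assumed values.
WAN_IF="${WAN_IF:-eth0}"                  # assumed WAN interface
LAN_IF="${LAN_IF:-eth1}"                  # assumed LAN interface
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"  # constructed management subnet
WEB_HOST="${WEB_HOST:-192.168.1.10}"      # constructed internal web server

build_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper only to FTP control connections from the LAN (needs the
# nf_conntrack_ftp module) instead of enabling automatic helper assignment.
-A PREROUTING -i ${LAN_IF} -p tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port Forwarding (Prerouting DNAT): WAN port 8080 to the internal web server.
-A PREROUTING -i ${WAN_IF} -p tcp --dport 8080 -j DNAT --to-destination ${WEB_HOST}:80
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# RELATED covers helper-opened data channels such as FTP data; anything else
# arriving on the WAN falls through to the INPUT DROP policy.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Targeted Input Filter Rule: management SSH from the LAN subnet only.
-A INPUT -i ${LAN_IF} -s ${ADMIN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Traffic through the device: LAN to WAN, the forwarded web port, and replies.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${WEB_HOST} -p tcp --dport 80 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Counts INPUT rules that ACCEPT traffic arriving on the WAN interface; the
# default posture described on the page expects this to be zero.
wan_input_accepts() {
    build_rules | awk -v w="-i ${WAN_IF}" \
        '$1 == "-A" && $2 == "INPUT" && index($0, w) && / -j ACCEPT/ {n++} END {print n+0}'
}
```

To load the generated rules on a Linux host, pipe `build_rules` into `iptables-restore` as root; the check function runs without privileges.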