Firewall rules examples

To protect your local network from attacks and intruders from the Internet, Keenetic routers have a firewall enabled by default. In most cases the default settings are sufficient and there is no need to configure the firewall, but when a specific task requires it, the Keenetic router provides flexible options for configuring firewall rules.

In this article we give practical examples of using firewall rules on the Keenetic.
The theory and a detailed description of the Keenetic firewall can be found in the article How is the firewall working?.

NOTE: Important! Firewall rules are applied to new sessions only. If a session is already established when you create a rule affecting its traffic, that existing session is not controlled by the new rule; the rule takes effect once the current session ends, either forcibly or when its lifetime expires.
To apply a newly created rule to the current (active) connections immediately, disable and then re-enable the corresponding Keenetic interface; this resets the existing sessions.

Let's take a look at the following examples:

1. Allow Internet access for only one computer in the local network and block access for all others.

2. Block Internet access for only one computer in the local network.

3. Block access to a particular website from a local network.

4. Allow a particular LAN computer to access only one specified website.

5. Allow Internet access from the local network only by specified protocols (services).

6. Allow remote control of Keenetic.

7. Block access to Keenetic from the IP addresses of a defined subnet of Internet or an external network.


We will configure the firewall rules via the Keenetic web interface, on the Firewall page.

TIP: Note: In the examples that block Internet access, we specify the TCP protocol in the firewall rules, because web browsing and most other Internet services run over TCP. Keep in mind that a TCP-only Deny rule does not stop UDP traffic (DNS, QUIC/HTTP/3, VoIP, many games) or ICMP. If you need to block all traffic, add Deny rules for UDP (and ICMP if required) as well, as is done in Example 5.

Example 1. Allow Internet access for only one computer in the local network and block access for all others.

In this example, you need to create two rules for the 'Home segment'. Rules are checked from top to bottom and the first matching rule is applied, so the Permit rule must be placed above the Deny rule.
First, we will create a Permit rule in which we define the source IP address (the IP address of the computer that is allowed Internet access) and the TCP protocol type.

[Image: ex-firewall-01_en.png]

Then we will create a Deny rule where we define the source IP address as a subnet (192.168.1.0 with a mask of 255.255.255.0) and the TCP protocol type.

[Image: ex-firewall-02_en.png]

NOTE: Important! Configure these rules from the computer that will keep Internet access (the one whose IP address the Permit rule names). Otherwise, you will lose access to the Keenetic web interface as soon as the Deny rule is created. If this happens, manually assign the permitted IP address in the network adapter settings of your computer and then connect to the web interface again.

Example 2. Block Internet access for only one computer in the local network.

In this example, we need to create one rule for the 'Home segment'. We will create a Deny rule in which we set the source IP address (the IP address of the computer whose Internet access is to be denied) and the TCP protocol type.

[Image: ex-firewall-03_en.png]

Example 3. Block access to a particular website from a local network.

In this example, we will block all computers in the local network from accessing the Wikipedia website wikipedia.org.

NOTE: Important! Domain names cannot be used in the firewall settings of Keenetic routers, and only IP addresses can be set.

So, before configuring the rules, you need to find out the IP address (or addresses) of the website you want to block. One site may have several IP addresses (this is typical of large resources such as amazon.com, google.com, facebook.com, etc.), and the addresses may change over time, so a rule for a single address gives only a partial block and should be re-checked periodically.

The first way to find out the IP address of a website is the command 'nslookup <web site name>'.
For example, in the command line of the operating system we run the command:

nslookup wikipedia.org


[Image: nslookup_en.png]

The output of the command shows the IP addresses at which the website is hosted (in our example, wikipedia.org resolves to a single IP address, 91.198.174.192).

The second way to find out the IP address of a website is to use one of the online services for this purpose (for example, 2ip.io). Enter the name of the website you are interested in and press the 'Check' button; the service then lists all IP addresses at which the website works.

[Image: 2ip_en.png]

Now that you have the IP address of the website, you can begin creating firewall rules.

NOTE: Important! Websites can be served not only over HTTP (TCP/80) but also over HTTPS (TCP/443), so both must be blocked.

Since in this example the website uses a single IP address, we create two Deny rules for the 'Home segment', one per protocol: HTTP and HTTPS. In each Deny rule we specify the destination IP address (the IP address of the site to be blocked) and the protocol type (HTTP in one rule, HTTPS in the other). If the site had several addresses, this pair of rules would be needed for each of them.

[Image: ex-firewall-04_en.png]

[Image: ex-firewall-05_en.png]

More information can be found in the article How to block access to a specific site.

Example 4. Allow a particular local computer to access only one specified website.

In this example, let's allow a local computer with the IP address 192.168.0.31 to access only the wikipedia.org website.
Access to all other Internet sites will be blocked for this computer.

First, let's find the IP address of the website we need. In our example, this is wikipedia.org and its IP address is 91.198.174.192. Detailed information on how to find the IP address of the website can be found in Example 3 of this manual.

In this example, you need to create three rules for the 'Home segment', with the two Permit rules placed above the Deny rule (the first matching rule is applied). First, we create two Permit rules, one for HTTP and one for HTTPS, each defining the source IP address (the IP address of the computer that you want to allow access to), the destination IP address (the IP address of the website that you want to allow access to), and the protocol type.

[Image: ex-firewall-06_en.png]

[Image: ex-firewall-07_en.png]

Then, below them, we will create a Deny rule in which we specify the source IP address (the IP address of the same computer) and the TCP protocol type (to block all other Internet access).

[Image: ex-firewall-08_en.png]

Example 5. Allow Internet access from the local network only by specified protocols (services).

Let's allow local computers to access the Internet only via HTTP, HTTPS, FTP, SMTP, POP3, IMAP, DNS and block all other traffic.

In this example, you need to create rules for the 'Home segment'. First, we create the Permit rules, each with the value 'Any' in the 'Source IP' and 'Destination IP' fields and the required protocol (service) selected from the list in the 'Protocol' field. Then, below them, we create two Deny rules with 'Any' in the 'Source IP' and 'Destination IP' fields and TCP and UDP respectively in the 'Protocol' field, to block all other Internet traffic. The Permit rules must be above the Deny rules, because the first matching rule is applied.

NOTE: Important! For the Internet to work correctly, the Domain Name Service (TCP/53, UDP/53) must be permitted; it converts symbolic site/domain names into IP addresses (and vice versa).

In our example we have the following set of firewall rules:

[Image: ex-firewall-09_en.png]
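To see how these rule tables behave together, here is an added Python example (not Keenetic firmware code or its CLI) that evaluates a packet against the rule tables from Examples 1, 4 and 5 the way an ordered firewall list does. It assumes that rules on an interface are checked from top to bottom with the first match winning, that traffic matching no rule on the 'Home segment' is permitted (which is why Example 1 needs an explicit Deny for the rest of the subnet), and that the UI's HTTP and HTTPS services correspond to TCP destination ports 80 and 443. The address 192.168.1.33 for the permitted computer in Example 1 and the website address 93.184.216.34 are assumed values for the demonstration.

```python
# Added example (not Keenetic firmware or its CLI): a first-match evaluator for
# the rule tables used in Examples 1, 4 and 5 of this article, to show why rule
# order matters and what a TCP-only Deny leaves open.
#
# Assumptions (not stated by the Keenetic UI shown on the page):
#   * rules on an interface are checked top to bottom and the first match wins;
#   * traffic matching no rule on the Home segment is permitted (the reason
#     Example 1 needs an explicit Deny for the rest of the subnet);
#   * the UI's "HTTP"/"HTTPS" services are TCP to destination port 80/443.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "icmp"
    src: str = "0.0.0.0/0"         # source address or subnet in CIDR form
    dst: str = "0.0.0.0/0"         # destination address or subnet
    dport: Optional[int] = None    # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (self.proto == proto
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None, default: str = "permit") -> str:
    """Return the action of the first matching rule, or the interface default."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return default


# Example 1: one host may use the Internet, the rest of 192.168.1.0/24 may not.
# 192.168.1.33 is an assumed address for the permitted computer.
EXAMPLE_1 = [
    Rule("permit", "tcp", src="192.168.1.33/32"),
    Rule("deny", "tcp", src="192.168.1.0/24"),
]

# Example 4: 192.168.0.31 may reach wikipedia.org (91.198.174.192) over HTTP and
# HTTPS and nothing else over TCP; other hosts are unaffected.
EXAMPLE_4 = [
    Rule("permit", "tcp", src="192.168.0.31/32", dst="91.198.174.192/32", dport=80),
    Rule("permit", "tcp", src="192.168.0.31/32", dst="91.198.174.192/32", dport=443),
    Rule("deny", "tcp", src="192.168.0.31/32"),
]

# Example 5: only the listed services are allowed out; everything else over
# TCP or UDP is denied. The Permit rules must sit above the two Deny rules.
EXAMPLE_5 = (
    [Rule("permit", "tcp", dport=p) for p in (80, 443, 21, 25, 110, 143, 53)]
    + [Rule("permit", "udp", dport=53),
       Rule("deny", "tcp"),
       Rule("deny", "udp")]
)

WEB = "93.184.216.34"   # constructed "some website" address for the checks below


def demo() -> dict:
    """A few decisions worth looking at; the keys name the point each one makes."""
    return {
        "ex1_allowed_host": evaluate(EXAMPLE_1, "tcp", "192.168.1.33", WEB, 443),
        "ex1_other_host": evaluate(EXAMPLE_1, "tcp", "192.168.1.50", WEB, 443),
        # Same two rules in the wrong order: the subnet Deny now shadows the Permit.
        "ex1_wrong_order": evaluate(list(reversed(EXAMPLE_1)), "tcp", "192.168.1.33", WEB, 443),
        # A TCP-only Deny does not touch UDP (DNS, QUIC, VoIP) from the "blocked" host.
        "ex1_udp_leaks": evaluate(EXAMPLE_1, "udp", "192.168.1.50", "8.8.8.8", 53),
        "ex4_wikipedia": evaluate(EXAMPLE_4, "tcp", "192.168.0.31", "91.198.174.192", 443),
        "ex4_other_site": evaluate(EXAMPLE_4, "tcp", "192.168.0.31", WEB, 443),
        "ex4_other_host": evaluate(EXAMPLE_4, "tcp", "192.168.0.40", WEB, 443),
        "ex5_https": evaluate(EXAMPLE_5, "tcp", "192.168.1.50", WEB, 443),
        "ex5_ssh": evaluate(EXAMPLE_5, "tcp", "192.168.1.50", WEB, 22),
        "ex5_dns_udp": evaluate(EXAMPLE_5, "udp", "192.168.1.50", "8.8.8.8", 53),
        "ex5_ntp_udp": evaluate(EXAMPLE_5, "udp", "192.168.1.50", "8.8.8.8", 123),
        # No ICMP rule in Example 5, so ping still falls through to the default.
        "ex5_ping": evaluate(EXAMPLE_5, "icmp", "192.168.1.50", WEB),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:18} {action}")
```

Run it and look at ex1_wrong_order (the same two rules with the Deny above the Permit, which shadows the exception) and ex1_udp_leaks (a TCP-only Deny lets UDP through, so a "blocked" host can still resolve names or use QUIC). Note also that the list in Example 5 permits only FTP's control channel (TCP/21); whether passive-mode data connections on other ports still work depends on the router's FTP connection tracking, so test it.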

Example 6. Allow remote control of Keenetic.

NOTE: Important! By default, access to the Keenetic administration (its web interface) from an external network (the Internet) is blocked. This is implemented for the purpose of device and local network security.

Access to the device from the Internet is possible if the external interface (WAN) through which the router connects to the Internet has a public IP address, or, with a private IP address, via the KeenDNS service.

In this example, we will create a firewall rule to provide remote control of the router from the Internet (in particular to connect to the device's web interface).
In addition, we will allow ICMP ping requests from the Internet (this will allow you to check the availability of the device on the network).

In order to increase security, we will allow remote control and ping from the external network from a defined public IP address only (in our example, from the IP address 93.94.95.96).

NOTE: Important! If you use a public IP address, we do not recommend allowing access to the Keenetic web interface and ping requests from all addresses of the public (global) network.

In this example, we need to create rules for the 'Provider' external network interface. This means the interface through which you access the Internet (it can be PPPoE, PPTP, USB LTE, Yota, etc.).

We will create a Permit rule in which we fill in the 'Source IP' field (the public IP address of the computer from which access from the Internet will be allowed) and select "TCP/80 (HTTP)" in the 'Protocol' field.

[Image: ex-firewall-10_en.png]

Then we will create a similar rule but for the ICMP protocol (for the ping utility).

[Image: ex-firewall-11_en.png]

Thus, the ping of the Keenetic (via ICMP) and access to its web interface (via HTTP) will be possible from the Internet, only from a certain IP address.

NOTE: Important! In a web browser, you need to use the public WAN IP address of the Keenetic in the global network to access its web interface (you can see it in the Keenetic's web interface on the 'System dashboard' start page in the 'Internet' information panel by clicking 'More details' in the 'IP address' line). The address in the browser should start with http://, i.e. http://IP address (e.g. http://89.88.87.86). Since this is plain HTTP, the management session is not encrypted and can be read by anyone on the path, which is one more reason to restrict the source address as done above.

Example 7. Block access to Keenetic from the IP addresses of a defined Internet subnet or an external network.

Imagine that you have detected frequent attempts to access (attack) the WAN port of the router from unknown IP addresses from the Internet. For example, connection attempts come from different IP addresses, but they all belong to the same 115.230.121.x subnet.

In this case, on the Keenetic external interface 'Provider' (or whichever interface the Internet is accessed through), you need to block access to the WAN port from the IP addresses of the subnet 115.230.121.x.

Let's create Deny rules for TCP, UDP and ICMP (ping) traffic, setting 'Source IP' to 'Subnet' and specifying the subnet address and mask. The subnet address must have all host bits set to zero; with a /24 mask (255.255.255.0) this means the last octet is 0 (in this example, 115.230.121.0).

[Image: ex-firewall-12_en.png]

[Image: ex-firewall-13_en.png]

[Image: ex-firewall-14_en.png]
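As an added example for this case (not Keenetic code), the Python below takes a constructed list of attacking source addresses, computes the smallest subnet that covers them all, formats it as the subnet address and mask that the rule form asks for, and checks that the pair is a valid network address (host bits zero) before you enter it. The addresses, the /16 "too broad" threshold and the function names are all assumptions for this example.

```python
# Added example (not Keenetic code): turn a handful of attacking source addresses
# into the "Subnet" address and mask that Example 7 asks for, and check that the
# pair is a valid network address (host bits all zero) before entering it.
# The addresses below are constructed for the example.
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Tuple

OBSERVED = ["115.230.121.17", "115.230.121.203", "115.230.121.5", "115.230.121.118"]


def covering_network(addresses: Iterable[str]) -> IPv4Network:
    """Smallest single IPv4 network that contains every given address."""
    ints = [int(IPv4Address(a)) for a in addresses]
    lo, hi = min(ints), max(ints)
    prefix = 32
    # Shorten the prefix until the lowest and highest address agree on all prefix bits.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network_int = (lo >> (32 - prefix)) << (32 - prefix)   # clear the host bits
    return IPv4Network((network_int, prefix))


def subnet_fields(net: IPv4Network) -> Tuple[str, str]:
    """The two values the Keenetic rule form wants: subnet address and dotted mask."""
    return str(net.network_address), str(net.netmask)


def valid_subnet_entry(address: str, mask: str) -> bool:
    """True only if `address` is the network address for `mask` (host bits zero):
    115.230.121.0 / 255.255.255.0 is valid, 115.230.121.5 / 255.255.255.0 is not."""
    try:
        IPv4Network(f"{address}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def too_broad(net: IPv4Network, min_prefix: int = 16) -> bool:
    """Flag a block that would cover far more than the attacker's range.
    min_prefix=16 is an arbitrary threshold chosen for this example."""
    return net.prefixlen < min_prefix


if __name__ == "__main__":
    net = covering_network(OBSERVED)
    address, mask = subnet_fields(net)
    print(f"Source IP: Subnet  address={address}  mask={mask}  ({net})")
    print("valid entry:", valid_subnet_entry(address, mask))
    print("too broad:", too_broad(net))
```

If the observed addresses span more than one /24, the covering network grows accordingly (two addresses in 115.230.121.x and 115.230.122.x give 115.230.120.0/22); check the too_broad result before blocking, since a short prefix can cut off a large part of the Internet along with the attacker.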

TIP: Note

Question: Is it possible to block traffic between only two hosts in a local network using Firewall rules?

Answer: Firewall rules cannot block traffic between two hosts in the same LAN segment, because the exchange between them takes place at layer 2 of the OSI model (it is switched, not routed), while the firewall works at layer 3.
Traffic can only be blocked between hosts in different network segments: either by enabling the isolate-private function (which blocks all communication between segments) or with separate firewall rules that block access only for some hosts.

 
