Configuring firewall rules from the command-line interface

NOTE: This article is intended for experienced users only.

In this instruction, we will review the firewall rules configuration from the command-line interface (CLI) of the router. Theoretical information is covered in details in the article How is the firewall implemented?. For information on how to configure firewall rules from the web interface, refer to the Firewall article.

CLI provides additional options for configuring the Keenetic firewall compared to the web interface. A detailed description of the CLI commands for each Keenetic model can be found in the Command Reference Guide available in the Download Center.

The firewall of the Keenetic device executes the filtering rules written in the Access Control List (ACL) on each interface to which this list is bound. Several lists can be linked to one interface.

The following commands are available for firewall configuration:

access-list {ACL_name} — provides access to rule management in the specified access list. If the list does not exist, it will be created.

no access-list {ACL_name} — removes the specified list, if it exists.

For example, to move to the list MyList1 editing, the following command is used:

(config)> access-list MyList1
(config-acl)>


Once the access list is created, you can start making its rules. For this purpose, deny and permit commands are used, corresponding to the deny and permit filtering rules. The format of these commands is the same and can be found in the Command Reference Guide.

NOTE: Important! Each rule may contain a filter for one of the supported protocols only.

Here are some examples of rules:

a. A command that enables a filter to allow TCP packets from host 192.168.1.33 to be transmitted to any address:

(config-acl)> permit tcp 192.168.1.33/32 0.0.0.0/32


b. A command to prohibit ping from all hosts on subnet 192.168.1.0/24 to any other subnet:

(config-acl)> deny icmp 192.168.1.0/24 0.0.0.0/32


c. A command that enables a filter to block IP packets from 192.168.1.0/24 to any hosts:

(config-acl)> deny ip 192.168.1.0/24 0.0.0.0/32


The command (permit|deny ip) without specifying the protocol type integrates the TCP and UDP protocols into one common configuration (ip).

d. A command to allow connection to the router's web interface (192.168.1.1) via HTTP (tcp port 80) from any host from the Internet:

(config-acl)> permit tcp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 port eq 80


e. To remove a rule from the list, you need to repeat the command that sets it, but with no in front of it.

For example:

(config-acl)> no permit tcp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 port eq 80


The exit command is used to exit the access list editing.

A completed list of rules, using the above commands, in the configuration file of the router will look like this:

access-list MyList1
permit tcp 192.168.1.33/32 0.0.0.0/32
deny icmp 192.168.1.0/24 0.0.0.0/32
deny ip 192.168.1.0/24 0.0.0.0/32


Having prepared the list of access rules, you should bind it to the required interface of the device. For this purpose the command ip access-group {ACL_name} {direction in|out} is used in the settings of each interface.

Remember that for each list the interface also defines the direction of traffic flow to which these rules will be applied. The direction is determined relative to the interface (the incoming direction in — always to the device, and outgoing out — from it). This information is described in detail in the article How is the firewall implemented?.

For example, bind the created rules to the external ISP interface:

(config)> interface ISP
(config-if)> ip access-group MyList1 out
Network::Acl: Output "MyList1" access list added to "ISP".


In the outgoing (out) direction of the ISP interface (this is the direction from the router to the network of this interface) the transmission of any traffic to any addresses will be prohibited.

A list of rules similar to our example can be useful when you need to deny access to the Internet via the external interface to all but one host on your local network. In our example, access and ping are denied to all hosts on 192.168.1.0, except for the host with the IP address 192.168.1.33.

Access level settings (security-level) are applied on the Keenetic interfaces, which determine the logic of network screen operation:

— private (local);
— public (external);
— protected (secure, local).

The scheme of allowed and prohibited data directions in the Keenetic routers can be represented by the following diagram:

Firewall-diagram_en.png

By default, a Keenetic router accepts network connections from private interfaces only. Interfaces of the private type are allowed to establish connections to public interfaces, and to the device itself for management and access to services running on the router. For the guest network interface, access to the router and its services is denied.

Between private interfaces and between a private and protected interface, by default, it is forbidden to establish a connection, but access can be allowed if necessary. This option depends on setting the isolate-private parameter. If you need to allow connections between private interfaces or between a private and protected interface (i.e. not to isolate access), execute the command no isolate-private to do so.

From the public interfaces, it is prohibited to establish connections to any interfaces, including other interfaces of public type, as well as to the device itself.

Interfaces of the protected type are allowed to establish connections only to public interfaces. By default, access to devices of private and other protected interfaces, as well as to the device management is prohibited.

With the command security-level public|private|protected, you can manage access levels on the interfaces of the router.

For example:

(config)> interface Bridge3
(config-if)> security-level protected
Network::Interface::IP: "Bridge3": security level set to "protected".


You can identify the security level of the specified interface by executing the command show interface {interface_name}.

For example:

(config)> show interface ISP

               id: GigabitEthernet1
            index: 1
             type: GigabitEthernet
      description: Broadband connection
   interface-name: ISP
             link: up
        connected: yes
            state: up
              mtu: 1500
         tx-queue: 2000
          address: 193.0.174.199
             mask: 255.255.255.0
           uptime: 12433
           global: yes
        defaultgw: yes
         priority: 700
   security-level: public
              mac: 50:ff:20:2d:ed:ea
        auth-type: none


The security-level line specifies the security level, according to which the predefined firewall policy works.

NOTE: Important! By default, all interfaces newly created via the command line are assigned the public security level.

The list of interface names and their system identifiers can be viewed as follows: type the show interface command and then press the TAB key on your keyboard. You will see the list of all currently available interfaces of the device, including the preset service interfaces.

interface-cli.png

TIP: Note

1. Keenetic router supports IPv6 and IPv4 protocols. Only minimal settings are provided to manage the IPv6 firewall: enable or disable.

You can do this with the ipv6 firewall (enable), and no ipv6 firewall (disable) commands.

By default, the firewall for IPv6 is enabled.

2. In Keenetic routers, there is an access level protected. This level of access is analogous to the private level but without access to the router.

The protected type is set for the Wi-Fi guest network interface when the 'Enable access to home network applications' option is disabled in the web interface on the 'Guest segment' page in the 'Restrictions for devices in the segment' section. By default, access to Keenetic is prohibited from the guest network. If you allow access to settings, this interface will be set to the private level.

restrictions_en.png

3. In case you need to apply a large number of firewall rules, you can configure the rules by editing the startup-config.txt configuration file with any text editor. After saving changes, you need to upload the file back to the device and reboot it. But you should edit the configuration file very carefully because it can lead to an inability to control the device, loss of functionality of individual functions, incorrect display of settings in the web interface.

If your device stopped working correctly after loading the edited configuration file, we advise you to reset the user settings with the Reset button and adjust Keenetic again, or to load a working backup configuration file.

 

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.