Firewall
LORIX OS runs iptables as a firewall by default and is configured to protect your gateway against most common attacks.
We use a "deny by default" strategy, which means that all incoming connections are dropped unless an exception has been added for a connection we are interested in.
For ping and SSH, we additionally limit the number of connections accepted from a given IP address in a given amount of time, as a brute force attack mitigation.
All incoming SSH and ping connections from an IP address are counted against this limit, including the successful ones.
So if you try to open many SSH connections at the same time, some may be refused.
This is an indirect consequence of the firewall; in that case, you have to wait some time for the quota to be reset.
Default configuration
The firewall configuration is stored at /etc/iptables/. Two sets of rules are provided:
- Rules for IPv4 filtering: /etc/iptables/iptables.rules
- Rules for IPv6 filtering: /etc/iptables/ip6tables.rules
The IPv4 and IPv6 rules aim to provide the same functionality, adapted to the specifics of each protocol.
The following applications are allowed:
| Application | Protocol | Port | Comment |
|---|---|---|---|
| Ping | ICMP | n/a | Only 10 tries per second (and per IP), including successful connections |
| mDNS | UDP | 5353 | |
| Manager GUI | TCP | 80, 443 | |
| SSH | TCP | 22 | Only 4 tries per minute (and per IP), including successful connections |
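The ruleset below is an added example, not the iptables.rules file shipped with LORIX OS: it expresses the deny-by-default policy and the allowed applications from the table as an iptables-restore file, and adds a small check you can run on a rules file before loading it. The thresholds (10 pings per second, 4 SSH connections per minute, per source IP) follow the page; the choice of the hashlimit and recent match modules to enforce them is an assumption about how such limits can be written, and the IPv6 counterpart would additionally need ICMPv6 neighbour discovery allowed.

```shell
#!/bin/sh
# Added example (not the LORIX OS /etc/iptables/iptables.rules): an IPv4
# ruleset in iptables-restore format, written in the deny-by-default style
# described on the page. Module choice (hashlimit, recent) is an assumption.

lorix_example_rules_v4() {
    cat <<'EOF'
*filter
# Deny by default: anything not explicitly accepted below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the gateway itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Ping: at most 10 echo requests per second per source IP; the rest is dropped.
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name ping --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# mDNS and the Manager GUI.
-A INPUT -p udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# SSH: every NEW connection from a source IP is recorded (successful or not);
# the 5th within 60 s is dropped, i.e. 4 tries per minute per IP.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --rsource --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --rsource --rcheck --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check for an edited rules file: returns 0 when the INPUT policy is
# still DROP and rules for the services in the table are present, 1 otherwise.
check_rules_file() {
    f="$1"
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP" >&2; return 1; }
    for needle in 'echo-request' '--dport 5353' '--dports 80,443' '--dport 22'; do
        grep -q -- "$needle" "$f" || { echo "missing rule for $needle" >&2; return 1; }
    done
    return 0
}

# Usage (the file path is an example):
#   lorix_example_rules_v4 > /tmp/iptables.rules
#   check_rules_file /tmp/iptables.rules && sudo iptables-restore < /tmp/iptables.rules
```

The check is deliberately simple: it catches the common mistake of editing the policy line to ACCEPT while adding a rule, which silently turns the gateway back into an allow-by-default host.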
Enable and disable the firewall temporarily
The firewall system is composed of two services:
- Service for IPv4 filtering: iptables
- Service for IPv6 filtering: ip6tables
They are managed completely independently: each can be started and stopped, and its rules modified, on its own.
You can temporarily stop or start the firewall with:
Disable the IPv4 firewall
sudo rc-service iptables stop
Disable the IPv6 firewall
sudo rc-service ip6tables stop
Disabling the firewall allows all inbound traffic to reach the running applications. The default rules ensure the gateway operates securely: applications that are restricted by default, or added by your integrator/solution provider, may give attackers undesired access to your gateway once the rules are removed.
Do this only for testing or when you are on a trusted network.
Enable the IPv4 firewall
sudo rc-service iptables start
Enable the IPv6 firewall
sudo rc-service ip6tables start
Advanced configuration
You can find more information on the advanced firewall configuration page of the integrator's guide.