LORIX OS runs iptables as a firewall by default and is configured to protect your gateway against most common attacks.

We use a "deny by default" strategy, which means that all incoming connections are dropped unless an explicit exception has been added for the connections we are interested in.
For ping and SSH we additionally limit the number of connections accepted over a given time window, as a brute force attack mitigation.

For SSH and ping, all incoming connections from a given IP address are counted (even the successful ones).
So if you open many SSH connections at the same time, some of them may be refused.

This is an indirect consequence of the firewall. In that case, you have to wait some time for the quota to be reset.

Default configuration

The firewall configuration is stored at /etc/iptables/. Two sets of rules are provided:

  • Rules for IPv4 filtering
    /etc/iptables/iptables.rules
  • Rules for IPv6 filtering
    /etc/iptables/ip6tables.rules

The IPv4 and IPv6 rules aim to provide the same functionality, adapted to the specifics of each protocol.

The following applications are allowed:

Application   Protocol   Port   Comment
Ping          ICMP       n/a    Only 10 tries per second (and per IP) including successful connections
mDNS          UDP        5353
Manager GUI   TCP        80
              TCP        443
SSH           TCP        22     Only 4 tries per minute (and per IP) including successful connections
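One way to express the policy in this table as an IPv4 ruleset in iptables-restore format, added here as an illustration and not the ruleset LORIX OS actually ships in /etc/iptables/iptables.rules (whose contents are not reproduced on this page). The helper function names and the use of the hashlimit match to implement the per-IP ping and SSH limits are assumptions.

```shell
#!/bin/sh
# Added example: an IPv4 ruleset implementing the documented policy.
# Not the LORIX OS shipped file; hashlimit is assumed for per-IP limits.
lorix_rules_v4() {
  cat <<'EOF'
*filter
# Deny by default: anything not explicitly accepted below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, replies to connections the gateway started, malformed packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Ping: at most 10 echo requests per second, counted per source IP.
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name ping --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 10 -j ACCEPT
# mDNS and the Manager GUI (HTTP and HTTPS).
-A INPUT -p udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# SSH: at most 4 new connections per minute per source IP. Every NEW
# packet is counted, so successful logins consume the quota as well.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 4/min --hashlimit-burst 4 -j ACCEPT
COMMIT
EOF
}

# Default policy of the INPUT chain (should be DROP for deny-by-default).
lorix_input_policy() {
  lorix_rules_v4 | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# Rate applied to new SSH connections, extracted from the port 22 rule.
lorix_ssh_limit() {
  lorix_rules_v4 | sed -n '/--dport 22 /s/.*--hashlimit-upto \([^ ]*\).*/\1/p'
}

# Parse-only check of the ruleset without committing it (needs root):
#   lorix_rules_v4 | sudo iptables-restore --test
```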

Temporarily enable and disable the firewall

The firewall system is composed of two services:

  • Service for IPv4 filtering
    iptables
  • Service for IPv6 filtering
    ip6tables

They are managed completely independently: each service can be started and stopped, and its rules modified, on its own.

You can temporarily stop or start the firewall with the following commands:

Disable the IPv4 firewall

sudo rc-service iptables stop

Disable the IPv6 firewall

sudo rc-service ip6tables stop

Disabling the firewall allows all inbound traffic to reach the running applications. The default rules are what keep the gateway operating securely.

Applications that are normally restricted, whether running by default or added by your integrator/solution provider, may give attackers undesired access to your gateway.

Do this only for testing or if you are in a trusted network.

Enable the IPv4 firewall

sudo rc-service iptables start

Enable the IPv6 firewall

sudo rc-service ip6tables start

Advanced configuration

You can find more information in the advanced firewall configuration page of the integrator's guide.