LORIX OS runs nftables as a firewall by default and is configured to protect your gateway against most common attacks.

Before LORIX OS 1.8, iptables was used as a firewall.

We use the "deny by default" strategy, which means that all incoming connections are dropped by default and exceptions are added only for the connections we are interested in.
Also, for ping and SSH, we limit the number of connections accepted within a given time window, as a brute-force attack mitigation.

For SSH and ping, all incoming connections from a given IP address are counted, including the successful ones.
So if you try to open many SSH connections at the same time, some may be refused.

This is an indirect consequence of the firewall rate limit. In that case, you have to wait for the quota to be reset.

Default configuration

The firewall configuration is stored at /etc/nftables/nftables.conf.

The following applications are allowed:

Application    Protocol   Port   Comment
Ping           ICMP       n/a    Only 10 tries per second (and per IP), including successful connections
mDNS           UDP        5353
Manager GUI    TCP        80
               TCP        443
SSH            TCP        22     Only 4 tries per minute (and per IP), including successful connections
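To make the "deny by default" policy and the per-IP limits from the table above concrete, here is an added example of an nftables ruleset that reproduces the described behaviour. It is not the ruleset shipped in /etc/nftables/nftables.conf on LORIX OS: the table, chain and meter names are assumptions, and it covers IPv4 only.

```nftables
#!/usr/sbin/nft -f
# Added example (not the LORIX OS shipped ruleset): an IPv4-only nftables
# policy reproducing the behaviour documented on this page.
# Assumptions: table/chain/meter names are hypothetical; the real
# /etc/nftables/nftables.conf on the gateway is not reproduced here.

flush ruleset

table ip filter {
    chain input {
        # "Deny by default": anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Replies to connections the gateway itself opened, and loopback traffic.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Ping: at most 10 echo requests per second per source IP.
        # Packets over the limit do not match this rule and fall through to the
        # drop policy, so successful pings count against the quota as well.
        icmp type echo-request meter ping_per_ip { ip saddr limit rate 10/second } accept

        # SSH: at most 4 new TCP connections per minute per source IP.
        # Successful logins are counted too, as described above.
        tcp dport 22 ct state new meter ssh_per_ip { ip saddr limit rate 4/minute } accept

        # mDNS discovery and the Manager GUI (HTTP/HTTPS), no rate limit.
        udp dport 5353 accept
        tcp dport { 80, 443 } accept
    }
}
```

The per-IP meters are token buckets that refill at the stated rate, which is why waiting restores access after the quota is exhausted. On a running system, the active ruleset can be inspected with sudo nft list ruleset, which is the quickest way to check whether a refused connection is hitting one of these limits rather than the drop policy.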

Enable and disable temporarily the firewall

The firewall system is provided by the nftables service. You can temporarily stop or start the firewall with the following commands:

Disable the firewall

sudo rc-service nftables stop

Disabling the firewall will allow all inbound traffic to reach the running applications. The default rules ensure the gateway operates securely.

Applications that are normally restricted by the firewall, whether running by default or added by your integrator/solution provider, may give attackers undesired access to your gateway.

Do this only for testing or if you are in a trusted network.

Enable the firewall

sudo rc-service nftables start

Advanced configuration

You can find more information in the advanced firewall configuration page of the integrator guide.