Firewall configuration options (/etc/config/firewall)

Defaults section (config defaults):

  input                  Set policy for the INPUT chain of the filter table.
  forward                Set policy for the FORWARD chain of the filter table.
  output                 Set policy for the OUTPUT chain of the filter table.
  drop_invalid           Drop invalid packets (e.g. packets not matching any active connection).
  syn_flood              Enable SYN flood protection (obsoleted by the synflood_protect setting).
  synflood_protect       Enable SYN flood protection (the current option; syn_flood is the obsolete spelling).
  synflood_rate          Rate limit (packets/second) for SYN packets above which the traffic is considered a flood.
  synflood_burst         Burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate.
  tcp_ecn                Explicit Congestion Notification: 0 disable, 1 enable, 2 enable when requested for ingress (but disabled for egress). Affects only traffic originating from the router itself. See the kernel docs.
  custom_chains          Enable generation of custom rule chain hooks for user generated rules. User rules are typically stored in firewall.user, but some packages (e.g. BCP38) also make use of these hooks.
  disable_ipv6           Disable IPv6 firewall rules. (not supported by fw4)
  flow_offloading        Enable software flow offloading for connections (decreases CPU load / increases routing throughput).
  flow_offloading_hw     Enable hardware flow offloading for connections (depends on flow_offloading and hardware capability).
  tcp_reject_code,
  any_reject_code        Defined in firewall3/options.h. Appear to select the packet rejection method (TCP reset or drop, vs. ICMP Destination Unreachable or port closed).
  auto_includes          (fw4 only, 22.03 and later) Enable automatic nftables includes under /usr/share/nftables.d/.

Zone section (config zone):

  name                   Name of the zone. 11 characters is the maximum working firewall zone name length.
  network                List of interfaces attached to this zone. If omitted and neither extra* options, subnets nor devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid 'standalone' networks.
  masq                   Specifies whether outgoing zone IPv4 traffic should be masqueraded. This is typically enabled on the wan zone.
  masq6                  Specifies whether outgoing zone IPv6 traffic should be masqueraded. Requires sourcefilter=0 for DHCPv6 interfaces with a missing GUA prefix.
  masq_src               Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
  masq_dest              Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
  masq_allow_invalid     Do not add DROP INVALID rules if masquerading is used. The DROP rules are supposed to prevent NAT leakage (see the commit in firewall3).
  mtu_fix                Enable MSS clamping for outgoing zone traffic.
  input                  Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic.
  forward                Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic.
  output                 Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic.
  family                 Specifies the address family (ipv4, ipv6 or any) for which the rules are generated.
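The following is an added example, not code from the OpenWrt project or from the page quoted above. It puts the options from both tables together into one hardened /etc/config/firewall (reject-by-default policies, drop_invalid, SYN flood protection, a masquerading wan zone with a negated masq_src and MSS clamping), embedded as a heredoc so the script runs offline, and adds fw_lint, a small awk-based check that flags the weak combinations the option descriptions warn about. The interface names, the 192.168.10.0/24 subnet, the rate and burst values, and the set of lint rules are all the editor's assumptions chosen for illustration, not project defaults.

```shell
#!/bin/sh
# Added example (not OpenWrt project code). Hardened firewall config built
# from the documented defaults/zone options, plus a lint over the same text.
# Subnet, interface names, rate values and lint thresholds are constructed.

FW_CONFIG=$(cat <<'EOF'
config defaults
    option input             REJECT
    option output            ACCEPT
    option forward           REJECT
    option drop_invalid      1
    option synflood_protect  1
    option synflood_rate     '25/s'
    option synflood_burst    '50'
    option flow_offloading   1

config zone
    option name     lan
    list   network  'lan'
    option input    ACCEPT
    option output   ACCEPT
    option forward  ACCEPT

config zone
    option name     wan
    list   network  'wan'
    list   network  'wan6'
    option input    REJECT
    option output   ACCEPT
    option forward  REJECT
    option masq     1
    list   masq_src '!192.168.10.0/24'
    option mtu_fix  1
    option family   any

config forwarding
    option src   lan
    option dest  wan
EOF
)

# fw_lint CONFIG_TEXT: parses UCI "config"/"option"/"list" lines, prints one
# finding per line and returns 1 if there were any findings, 0 otherwise.
fw_lint() {
    printf '%s\n' "$1" | awk -v q="'" '
    function warn(msg) { print msg; findings++ }
    function check() {
        if (sect == "defaults") {
            if (opt["input"] == "ACCEPT")       warn("defaults: input policy ACCEPT exposes every router service to every zone")
            if (opt["forward"] == "ACCEPT")     warn("defaults: forward policy ACCEPT lets zones route to each other unless a zone overrides it")
            if (opt["drop_invalid"] != "1")     warn("defaults: drop_invalid is off, packets matching no active connection are not dropped")
            if (opt["synflood_protect"] != "1") warn("defaults: synflood_protect is off")
        } else if (sect == "zone") {
            z = opt["name"]
            if (length(z) > 11) warn("zone " z ": name longer than 11 characters")
            if (opt["masq"] == "1") {
                if (opt["input"] == "ACCEPT") warn("zone " z ": masquerades (NAT border) but accepts incoming traffic")
                if (opt["mtu_fix"] != "1")    warn("zone " z ": masquerades without mtu_fix (MSS clamping)")
            }
        }
        sect = ""; split("", opt)        # reset for the next section
    }
    $1 == "config" { check(); sect = $2; next }
    $1 == "option" || $1 == "list" {
        v = $3; gsub(q, "", v); gsub("\"", "", v)   # strip UCI quoting
        opt[$2] = v
    }
    END { check(); exit (findings > 0) }'
}

if fw_lint "$FW_CONFIG"; then
    echo "fw_lint: no findings"
fi
```

On a router the same lint can be run against the live file with `fw_lint "$(cat /etc/config/firewall)"`. The masq check is the one worth keeping in mind: a zone that masquerades is the NAT border, and combining it with an ACCEPT input policy exposes every service the router listens on.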