Firewall management

From Ayos HCS Wiki
Revision as of 06:50, 22 May 2021 by Ayos-Wiki

The Ayos HCS firewall is a stateful packet filter (PF) that filters TCP/IP traffic and performs Network Address Translation (NAT). It can also normalize and condition TCP/IP traffic, and provides bandwidth control and packet prioritization.

By default the firewall blocks all incoming traffic from the internet into the home network. The only exception is traffic that belongs to a connection a device on the local area network (LAN) initiated: the firewall tracks that connection and lets the matching response back in. Outgoing connections are allowed from every device by default; you can restrict them with the firewall's outgoing blocking function.

Firewall management lets you block outgoing traffic to a single IP address, a network range, or any (all) addresses, either for one source device or for the whole LAN.

Outgoing block examples

Block a single IP address
Navigate to Firewall and click on Rules. This gives you an overview of the firewall rules currently configured.
In the Block Outgoing card click the New button to create a new outgoing block rule.
Choose the source device of the outgoing connection to block.
Choose the destination IP address to block, for example 8.8.8.8 (one of Google's public DNS servers). A single-address rule only covers that one address: a device that falls back to another resolver such as 8.8.4.4 is not affected unless you block that address or the whole range as well.
You can now Save the rule, or first narrow it with connection-specific options such as Protocol and Port (for example UDP port 53 to block only DNS queries to that address).
In the rules overview you can now see the hits on this rule: the counter increases each time the rule blocks a connection attempt, so a rule with zero hits is either not being exercised or not matching the traffic you expected.
Rules can be disabled to test or temporarily allow certain connections, and enabled again later without having to recreate them.


Block a network range
Navigate to Firewall and click on Rules. This gives you an overview of the firewall rules currently configured.
In the Block Outgoing card click the New button to create a new outgoing block rule.
Choose the source device of the outgoing connection to block.
Choose a destination network range in Classless Inter-Domain Routing (CIDR) notation. For example, 8.8.8.0/24 blocks the whole /24 block from 8.8.8.0 up to 8.8.8.255. Write the range with its network address (8.8.8.0/24), not with a host address inside it (8.8.8.8/24).
You can now Save the rule, or first narrow it with connection-specific options such as Protocol and Port.
In the rules overview you can now see the hits on this rule: the counter increases each time the rule blocks a connection attempt, so a rule with zero hits is either not being exercised or not matching the traffic you expected.
Rules can be disabled to test or temporarily allow certain connections, and enabled again later without having to recreate them.


Block all internet access for a device
Navigate to Firewall and click on Rules. This gives you an overview of the firewall rules currently configured.
In the Block Outgoing card click the New button to create a new outgoing block rule.
Choose the source device of the outgoing connection to block.
Choose any as the destination to block all outgoing connections from this device.
You can now Save the rule, or first narrow it with Protocol and Port. Combined with any as the destination, this blocks the chosen protocol or port to every address, for example all outgoing TCP port 25 from the device.
In the rules overview you can now see the hits on this rule: the counter increases each time the rule blocks a connection attempt, so a rule with zero hits is either not being exercised or not matching the traffic you expected.
Rules can be disabled to test or temporarily allow certain connections, and enabled again later without having to recreate them.
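The three outgoing-block procedures above (single IP address, network range, any) share one rule shape: a source device, a destination, optional Protocol and Port, an enabled flag and a hit counter. The following added example is an illustrative model of how such rules are evaluated, written for this page; it is not Ayos HCS code and does not show how the firewall is implemented. The device addresses 192.168.1.20 and 192.168.1.30, the "lan" label for a whole-LAN rule, and the first-match evaluation order are assumptions made for the example.

```python
"""Toy model of the outgoing-block rules described above.

Illustrative example only, not Ayos HCS code. The device addresses, the
"lan" label for whole-LAN rules and the first-match evaluation order are
assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def validate_destination(spec: str) -> str:
    """Normalise a destination spec: "any", a single IP, or a CIDR range.

    strict=True rejects ranges with host bits set (e.g. 8.8.8.8/24), the
    usual mistake when typing a /24 block; 8.8.8.0/24 is the correct form.
    """
    if spec == "any":
        return spec
    return str(ip_network(spec, strict=True))  # "8.8.8.8" -> "8.8.8.8/32"


@dataclass
class OutgoingBlockRule:
    source: str                      # LAN device IP, or "lan" for every device (assumed label)
    destination: str                 # single IP, CIDR range, or "any"
    protocol: Optional[str] = None   # "tcp" / "udp"; None = all protocols
    port: Optional[int] = None       # destination port; None = all ports
    enabled: bool = True
    hits: int = 0

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        if not self.enabled:
            return False                         # a disabled rule never matches
        if self.source != "lan" and ip_address(self.source) != ip_address(src_ip):
            return False
        if self.destination != "any":
            if ip_address(dst_ip) not in ip_network(validate_destination(self.destination)):
                return False
        if self.protocol is not None and self.protocol.lower() != proto.lower():
            return False
        if self.port is not None and self.port != dport:
            return False
        return True


def evaluate_outgoing(rules, src_ip, dst_ip, proto, dport) -> str:
    """Default allow: the first enabled rule that matches blocks and gains a hit."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            rule.hits += 1
            return "block"
    return "pass"


def build_example_rules():
    """The three rules from the procedures above, for assumed devices .20 and .30."""
    return [
        OutgoingBlockRule("192.168.1.20", "8.8.8.8", "udp", 53),   # single IP, DNS only
        OutgoingBlockRule("192.168.1.20", "8.8.8.0/24"),           # whole /24 range
        OutgoingBlockRule("192.168.1.30", "any"),                  # no internet for .30
    ]


if __name__ == "__main__":
    rules = build_example_rules()
    for conn in [("192.168.1.20", "8.8.8.8", "udp", 53),
                 ("192.168.1.20", "8.8.4.4", "udp", 53),   # Google's second resolver is not covered
                 ("192.168.1.30", "1.1.1.1", "tcp", 443)]:
        print(conn, "->", evaluate_outgoing(rules, *conn))
    for r in rules:
        print(r.destination, "hits:", r.hits)
```

Running the model shows the two things the counters in the overview tell you: the DNS query to 8.8.8.8 is blocked by the single-address rule, while the same query to 8.8.4.4 passes, because only the /24 rule or a broader range would cover it. The model also rejects 8.8.8.8/24 as a destination, which is the form to avoid when entering a range.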



Port forwarding examples

Forward connections from a single IP address
Navigate to Firewall and click on Rules. This gives you an overview of the firewall rules currently configured.
In the Port Forwarding card click the New button to create a new port forwarding rule.
Choose the source (from) internet IP address that is allowed to reach the forwarded port.
Choose a destination device to forward the traffic to.
Select the Protocol for the port forwarding rule, for example: TCP
Select the Port for the port forwarding rule, for example: 443
You can now Save this rule.
In the rules overview you can now see the hits on this rule, which count the connections forwarded by it.
Rules can be disabled to test or allow certain connections and then easily be enabled again without having to recreate the rules.


Forward connections from an internet network range
Navigate to Firewall and click on Rules. This gives you an overview of the firewall rules currently configured.
In the Port Forwarding card click the New button to create a new port forwarding rule.
Choose the source (from) internet network range, in CIDR notation, that is allowed to reach the forwarded port.
Choose a destination device to forward the traffic to.
Select the Protocol for the port forwarding rule, for example: TCP
Select the Port for the port forwarding rule, for example: 443
You can now Save this rule.
In the rules overview you can now see the hits on this rule, which count the connections forwarded by it.
Rules can be disabled to test or allow certain connections and then easily be enabled again without having to recreate the rules.


Forward connections from all internet IP addresses
Navigate to Firewall and click on Rules. This gives you an overview of the firewall rules currently configured.
In the Port Forwarding card click the New button to create a new port forwarding rule.
Choose any as the source (from) address. The forwarded port is then reachable from every address on the internet, so only do this for a service that has to be public, and keep that service patched. If only known addresses need access, use a single IP address or a network range as the source instead.
Choose a destination device to forward the traffic to.
Select the Protocol for the port forwarding rule, for example: TCP
Select the Port for the port forwarding rule, for example: 443
You can now Save this rule.
In the rules overview you can now see the hits on this rule, which count the connections forwarded by it.
Rules can be disabled to test or allow certain connections and then easily be enabled again without having to recreate the rules.

DMZ example

The Demilitarized Zone (DMZ) forwards all incoming internet connections to a single LAN device, the DMZ host. Use this with care: every service listening on the DMZ host becomes reachable from the internet, and if the DMZ host is compromised, attackers can use it as a foothold to attack other devices on your local network. Where you only need one service exposed, prefer a port forwarding rule for that protocol and port over a DMZ.

Navigate to Firewall and click on Rules. This gives you an overview of the firewall rules currently configured.
In the DMZ card click the New button to create a new DMZ rule.
Choose the IP address of the LAN device that will be the DMZ host.
You can now Save this rule.
In the rules overview you can now see the hits on this rule, which count the connections forwarded to the DMZ host.
Rules can be disabled to test or allow certain connections and then easily be enabled again without having to recreate the rules.
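The port forwarding procedures and the DMZ above, together with the default-deny behaviour described at the top of the page, describe one inbound decision: let replies to LAN-initiated connections through, forward matching connections to the chosen device, send everything else to the DMZ host if one is configured, and otherwise block. The following added example is an illustrative model of that decision written for this page; it is not Ayos HCS code. Its assumptions are that a specific port forwarding rule is checked before the DMZ rule (the page does not state the precedence), that NAT is port-preserving so a reply arrives on the same port the LAN device used, and that the addresses (192.168.1.x devices, the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are made up.

```python
"""Toy model of inbound handling: stateful replies, port forwarding, DMZ.

Illustrative example only, not Ayos HCS code. Assumptions: the addresses
are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges),
a specific port forwarding rule is checked before the DMZ rule, and NAT is
modelled as port-preserving so a reply arrives on the LAN device's port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


def source_matches(spec: str, ip: str) -> bool:
    """spec is "any", a single internet IP, or a CIDR range."""
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=True)


@dataclass
class PortForwardRule:
    source: str        # internet IP, CIDR range, or "any"
    destination: str   # LAN device that receives the traffic
    protocol: str      # e.g. "tcp"
    port: int          # e.g. 443
    enabled: bool = True
    hits: int = 0


@dataclass
class DmzRule:
    host: str          # LAN device that receives every otherwise unmatched connection
    enabled: bool = True
    hits: int = 0


class InboundFilter:
    def __init__(self, forwards, dmz: Optional[DmzRule] = None):
        self.forwards = list(forwards)
        self.dmz = dmz
        self.states = set()   # connections a LAN device opened, tracked by the firewall

    def lan_initiated(self, lan_ip, lan_port, remote_ip, remote_port, proto):
        """Record a LAN -> internet connection so its reply is let back in."""
        self.states.add((proto.lower(), lan_ip, lan_port, remote_ip, remote_port))

    def inbound(self, src_ip, src_port, dst_port, proto) -> Tuple[str, Optional[str]]:
        proto = proto.lower()
        # 1. Reply to a LAN-initiated connection: allowed to the device that opened it.
        for (p, lan_ip, lan_port, rip, rport) in self.states:
            if p == proto and rip == src_ip and rport == src_port and lan_port == dst_port:
                return ("pass", lan_ip)
        # 2. Port forwarding rules: source, protocol and port must all match.
        for rule in self.forwards:
            if (rule.enabled and rule.protocol.lower() == proto and rule.port == dst_port
                    and source_matches(rule.source, src_ip)):
                rule.hits += 1
                return ("forward", rule.destination)
        # 3. DMZ host receives everything else (assumed to rank below specific forwards).
        if self.dmz is not None and self.dmz.enabled:
            self.dmz.hits += 1
            return ("forward", self.dmz.host)
        # 4. Default: unsolicited inbound traffic is blocked.
        return ("block", None)


def build_example_filter(with_dmz: bool = False) -> InboundFilter:
    """One forward for TCP 443 from 203.0.113.0/24 to 192.168.1.50, optional DMZ host .60."""
    forwards = [PortForwardRule("203.0.113.0/24", "192.168.1.50", "tcp", 443)]
    return InboundFilter(forwards, DmzRule("192.168.1.60") if with_dmz else None)


if __name__ == "__main__":
    fw = build_example_filter(with_dmz=True)
    fw.lan_initiated("192.168.1.10", 51000, "8.8.8.8", 53, "udp")
    for pkt in [("8.8.8.8", 53, 51000, "udp"),        # DNS reply: passes to .10
                ("203.0.113.5", 40000, 443, "tcp"),    # allowed source: forwarded to .50
                ("198.51.100.7", 40000, 22, "tcp")]:   # anything else: lands on the DMZ host
        print(pkt, "->", fw.inbound(*pkt))
```

Comparing the same packets against the filter with and without a DMZ host makes the warning above concrete: without a DMZ, the SSH attempt from 198.51.100.7 is simply blocked; with a DMZ, it is delivered to the DMZ host, as is every other unsolicited connection on every port.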


