Differences
This shows you the differences between two versions of the page.
en:dpi:dpi_options:opt_firewall:start [2020/02/07 15:28] – edrudichgmailcom | en:dpi:dpi_options:opt_firewall:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== 15 Mini Firewall ====== | ||
- | {{indexmenu_n> | ||
- | The service is designed to to improve security against unauthorized access in case of subscribers having public ((NAT is a kind of information security measure in case of private IP addresses)) IPv4 and IPv6 addresses. | ||
- | All incoming requests for ports below the specified threshold are closed to the subscriber’s address (usually the threshold equals to 1024 - i.e. all system ports will be closed), | ||
- | but some ports could be left opened, for example, to access a home NAS. | ||
- | In addition, some malicious activity coming from the subscriber can be blocked via mini firewall, for example, if as a result of netflow analysis or receiving abuse it turned out that the subscriber is engaged in spam activity, then outgoing ports associated with the mailing list can be closed by means of mini firewall service. | ||
- | |||
- | <note important> | ||
- | In this case, it is recommended to show the subscriber a notification page using service 6 with a problem description and an antivirus subscription offer, and thereby increase sales of additional services. This process will be further even more automated in the very near future within the QoE Store/ | ||
- | |||
- | The service management at the individual subscribers level is carried out using the [[en: | ||
- | |||
- | Command format: | ||
- | < | ||
- | fdpi_ctrl command --service 13 [options_list] [IP_list or Login] | ||
- | </ | ||
- | More details on command syntax and ways to specify IP addresses are described in [[en: | ||
- | |||
- | Examples: | ||
- | |||
- | to enable mini Firewall for specific subscriber having named (preconfigured) profile | ||
- | < | ||
- | fdpi_ctrl load profile --service 13 --profile.name strict_firewall --profile.json ' | ||
- | fdpi_ctrl load --service 13 --profile.name strict_firewall --login mike.williams | ||
- | </ | ||
- | here the json format is used to specify the following profile settings\\ | ||
- | max_port - the port number, below which access is blocked\\ | ||
- | port_holes - list of ports that are allowed to access bypassing the max_port limit\\ | ||
- | out_port - list of ports to which outbound traffic is closed | ||
- | |||
- | Enabling mini Firewall service to subscriber having anonymous profile (i.e. profile without name which exists until the corresponding service is enabled) | ||
- | < | ||
- | fdpi_ctrl load --service 13 --profile.json ' | ||
- | </ | ||
- | |||
- | Search for subscribers having enabled mini Firewall service with the specified profile name | ||
- | < | ||
- | fdpi_ctrl list all --service 13 --profile.name strict_firewall | ||
- | </ | ||
- | |||
- | Delete the named profile (the subscribers using it shouldn' | ||
- | < | ||
- | fdpi_ctrl del profile --service 13 --profile.name strict_firewall | ||
- | </ | ||
- | |||
- | To change profile settings (it should be borne in mind that new settings will be applied to all the subscribers with specified service profile) | ||
- | < | ||
- | fdpi_ctrl load profile --service 13 --profile.name strict_firewall --profile.json ' | ||
- | </ | ||
- | |||
- | The maximum number of profiles for the mini Firewall is specified by the configuration parameter in / | ||
- | < | ||
- | max_profiles_frwl=24 | ||
- | </ | ||
- | here the value '' | ||
- | <note warning> |
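Review bot: a stub or pointer should stay in place of the removed page. Every line from the "Mini Firewall" heading down to the closing warning note is deleted with only "removed - external edit" as the summary, so the `fdpi_ctrl ... --service 13` command reference, the meaning of `max_port`, `port_holes` and `out_port`, and the `max_profiles_frwl=24` limit are left without a location in this namespace. If the content moved, link to the new page from here; if the service was retired, state that, because operators whose subscribers hold public IPv4 and IPv6 addresses use this text to know which inbound ports stay closed and which exceptions are open. Two things in the removed lines are worth fixing wherever the text ends up: "designed to to improve" in the first paragraph, and the heading number "15" sitting next to `--service 13` in every command, which reads as a mismatch unless the 15 is clearly a section index. The `--profile.json '` arguments are cut off in this rendering, so the example profile values cannot be checked from this diff.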