EdgeRouter - Add access control list (ACL)

Overview

Readers will learn how to create ACL (Access Control List) rules for the EdgeOS firewall to help secure the network. ACL rules secure the network by limiting or blocking which users and traffic can reach it.

Note: The EdgeOS firewall rule terminology includes IN, OUT, and LOCAL.

  • IN: applying a firewall ruleset to the IN direction of an interface affects traffic arriving inbound on that interface, but only the traffic that is forwarded through the router.
  • OUT: traffic that has been forwarded through the router and is about to exit out of the interface.
  • LOCAL: traffic destined for the router itself (for example, to use the web UI on the router you would need to allow port 443 on LOCAL).

When choosing between IN and OUT rules, some will say that IN is better because if you are going to drop a packet it is better to do it on input rather than send it through the full packet-processing path only to drop it before it leaves the router. Also note that creating a firewall ruleset without applying it to an interface and direction does nothing: the rules are only evaluated once the ruleset is attached to an interface.

Steps

To create a firewall rule, use the set or edit commands (both methods are described below). In addition, the compare, discard, up, top, copy, and rename commands are used along the way.

Create a firewall rule using the full syntax:

ubnt@ubnt:~$ configure
[edit]
ubnt@ubnt# set firewall name TEST default-action drop
[edit]
ubnt@ubnt# set firewall name TEST enable-default-log
[edit]
ubnt@ubnt# set firewall name TEST rule 10 description "allow icmp"
[edit]
ubnt@ubnt# set firewall name TEST rule 10 action accept
[edit]
ubnt@ubnt# set firewall name TEST rule 10 protocol icmp
[edit]

To display uncommitted changes, use the compare command:

ubnt@ubnt# compare
[edit firewall]
+name TEST {
+	default-action drop
+	enable-default-log
+	rule 10 {
+		action accept
+		description "allow icmp"
+		protocol icmp
+	}
+}
[edit]

To undo uncommitted changes, use the discard command:

ubnt@ubnt# discard
Changes have been discarded
[edit]
ubnt@ubnt# compare
No changes between working and active configurations
[edit]

To create the same firewall rule while reducing the amount of repetition in the full syntax, use the edit command:

ubnt@ubnt# edit firewall name TEST
[edit firewall name TEST]
ubnt@ubnt# set default-action drop
[edit firewall name TEST]
ubnt@ubnt# set enable-default-log
[edit firewall name TEST]
ubnt@ubnt# edit rule 10
[edit firewall name TEST rule 10]

Press the ? or tab key to display the options available at the current edit level:

ubnt@ubnt# set
action		disable	ipsec	p2p	source	   time
description	fragment	limit	protocol   state	
destination	icmp	log	recent	tcp	
[edit firewall name TEST rule 10]
ubnt@ubnt# set description "allow icmp"
[edit firewall name TEST rule 10]
ubnt@ubnt# set action accept
[edit firewall name TEST rule 10]
ubnt@ubnt# set protocol icmp
[edit firewall name TEST rule 10]

To show changes within the edit level, use the compare command:

ubnt@ubnt# compare
[edit firewall name TEST rule 10]
+action accept
+description "allow icmp"
+protocol icmp
[edit firewall name TEST rule 10]

To move up an edit level, use the up command:

ubnt@ubnt# up
[edit firewall name TEST]
ubnt@ubnt# compare
[edit firewall name TEST]
+default-action drop
+enable-default-log
+rule 10 {
+	action accept
+	description "allow icmp"
+	protocol icmp
+}
[edit firewall name TEST]
ubnt@ubnt# up
[edit firewall]
ubnt@ubnt# compare
[edit firewall]
+name TEST {
+	default-action drop
+	enable-default-log
+	rule 10 {
+		action accept
+		description "allow icmp"
+		protocol icmp
+	}
+}
[edit firewall]

To return to the top edit level, use the top command:

ubnt@ubnt# top
[edit]
ubnt@ubnt# compare
[edit firewall]
+name TEST {
+	default-action drop
+	enable-default-log
+	rule 10 {
+		action accept
+		description "allow icmp"
+		protocol icmp
+	}
+}
[edit]

To display the firewall rulesets already in the configuration (here, a previously committed WAN1_LOCAL ruleset), use the show firewall command:

ubnt@ubnt# show firewall
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
[edit]

To create a new firewall ruleset from an existing one, use the copy command:

ubnt@ubnt# edit firewall
[edit firewall]
ubnt@ubnt# copy name WAN1_LOCAL to name WAN2_LOCAL
[edit firewall]
ubnt@ubnt# commit
[edit firewall]
ubnt@ubnt# top
[edit]
ubnt@ubnt# show firewall
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
 name WAN2_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
[edit]

To change the name of the new firewall ruleset, use the rename command (tab completion lists the existing names):

ubnt@ubnt# edit firewall
[edit firewall]
ubnt@ubnt# rename name W[TAB]
WAN1_LOCAL	WAN2_LOCAL
[edit firewall]
ubnt@ubnt# rename name WAN2_LOCAL to name WAN2_IN
[edit firewall]
ubnt@ubnt# commit
[edit firewall]
ubnt@ubnt# top
[edit]
ubnt@ubnt# show firewall name
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
 name WAN2_IN {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
[edit]
ubnt@ubnt#
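The steps above build and inspect rulesets but stop short of attaching one to an interface, which, as the Overview notes, means none of them filters anything yet. The session below is an added example (not part of the original article and not Ubiquiti's own text) that carries the procedure through to the end: it creates a stateful LOCAL ruleset for traffic addressed to the router and an IN ruleset for traffic forwarded through it, attaches each to an interface in the matching direction, commits, saves, and verifies. The interface name eth0 (assumed to be the WAN port), the ruleset names WAN_LOCAL and WAN_IN, and the lines beginning with a lone "#" (explanatory comments, not commands typed into the CLI) are assumptions of this example; the two operational-mode show commands at the end are the checks I would run after committing.

```edgeos
ubnt@ubnt:~$ configure
[edit]
# Ruleset for traffic destined for the router itself (will be applied as LOCAL).
# Rule order matters: established/related first so return traffic is accepted,
# then drop invalid state, then the explicit allows; default-action catches the rest.
ubnt@ubnt# set firewall name WAN_LOCAL default-action drop
ubnt@ubnt# set firewall name WAN_LOCAL enable-default-log
ubnt@ubnt# set firewall name WAN_LOCAL rule 10 description "allow established/related"
ubnt@ubnt# set firewall name WAN_LOCAL rule 10 action accept
ubnt@ubnt# set firewall name WAN_LOCAL rule 10 state established enable
ubnt@ubnt# set firewall name WAN_LOCAL rule 10 state related enable
ubnt@ubnt# set firewall name WAN_LOCAL rule 20 description "drop invalid state"
ubnt@ubnt# set firewall name WAN_LOCAL rule 20 action drop
ubnt@ubnt# set firewall name WAN_LOCAL rule 20 state invalid enable
ubnt@ubnt# set firewall name WAN_LOCAL rule 30 description "allow icmp"
ubnt@ubnt# set firewall name WAN_LOCAL rule 30 action accept
ubnt@ubnt# set firewall name WAN_LOCAL rule 30 protocol icmp
# Ruleset for traffic forwarded through the router (will be applied as IN).
ubnt@ubnt# set firewall name WAN_IN default-action drop
ubnt@ubnt# set firewall name WAN_IN enable-default-log
ubnt@ubnt# set firewall name WAN_IN rule 10 description "allow established/related"
ubnt@ubnt# set firewall name WAN_IN rule 10 action accept
ubnt@ubnt# set firewall name WAN_IN rule 10 state established enable
ubnt@ubnt# set firewall name WAN_IN rule 10 state related enable
ubnt@ubnt# set firewall name WAN_IN rule 20 description "drop invalid state"
ubnt@ubnt# set firewall name WAN_IN rule 20 action drop
ubnt@ubnt# set firewall name WAN_IN rule 20 state invalid enable
# Attach each ruleset to the (assumed) WAN interface in the matching direction.
# Without these two lines both rulesets exist in the configuration but do nothing.
ubnt@ubnt# set interfaces ethernet eth0 firewall local name WAN_LOCAL
ubnt@ubnt# set interfaces ethernet eth0 firewall in name WAN_IN
# Review the pending changes, activate them, and persist them across reboots.
ubnt@ubnt# compare
ubnt@ubnt# commit
ubnt@ubnt# save
ubnt@ubnt# exit
# Operational-mode checks: the interface bindings are present in the active
# configuration, and per-rule counters increase as traffic matches each rule.
ubnt@ubnt:~$ show configuration commands | match firewall
ubnt@ubnt:~$ show firewall name WAN_LOCAL statistics
```

Apply a LOCAL ruleset whose default action is drop from a session on an interface that the ruleset does not cover (here, a LAN port rather than eth0): once committed, anything not explicitly accepted in WAN_LOCAL is dropped on eth0, including the web UI on port 443 that the Overview mentions, so management over that interface would need its own accept rule placed before the default action. Keeping enable-default-log on both rulesets means the dropped packets are logged, which is what you want to look at first if expected traffic stops arriving after the commit.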
