DGND3700 V1 Transmission Firmware Foxconn CLI
There is a little utility called 'cli' that manipulates most of the firewall and NAT settings; it appears to be a CLI wrapper for libnat.so.
See DGND3700_V1_Transmission_Firmware_Special_Interest for more info. (I had worked this out first before discovering this CLI, thanks to [this page]; I had to work the ambit password out before I discovered it was on the link at the top!)
CLI
Binary: /usr/sbin/cli
Login: ambit, password: ambitdebug
Foxconn$?
exit    Close telnet connection or logout from console.
fw      firewall
nat     Agnat Info
Firewall (fw)
Foxconn$fw ?
bs       block service definition
conn     show connections
devport  list listening port of device
dmz      DMZ
echo     echo reponse for requests from wan side
enable   enable/disable firewall
filter   filter definition
save     save settings
service  service definition
spi      stateful packet inspection
You can define rules either directly or by referencing a 'service'.
Default rules
- Index 1 DROPs incoming ICMP on WAN (ICMP is pre-defined service 0, where the ICMP protocol 0x01 is set)
- Index 2 allows eGRE (but dir 0x01, at least for other things, seems to make it not do anything?)
- Index 3 ICMP again (I don't understand 'rule type 1'?)
- Index 4 IPv6 Hop-by-Hop Option? (What's the difference between dir 0x04 and 0x07? Both block in other testing.)
Foxconn$fw filter list
index 1, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: DROP, not match: N/A, enable: Y
----------------------------------------------------------------------
index 2, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 1, dir 0x01, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 3, rule type 1, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 4, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x00, dir 0x70, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
total 4 rule(s)
- What do 'rule type x' and 'dir' (direction) mean?
Pre-defined Services
Some of these are definable from the web GUI, generally the ones with port mappings defined. (I assume 8-0 means the same as 0-0 for index 0.)
Foxconn$fw service list
[service 0]  name: 'ICMP_echo_req',     protocol: 0x01, port 8-0
[service 1]  name: 'eGRE',              protocol: 0x2F, port 0-0
[service 2]  name: 'AIM',               protocol: 0x06, port 5190-5190
[service 3]  name: 'AIM 6.x/SSL',       protocol: 0x06, port 443-443
[service 4]  name: 'Age-of-Empire',     protocol: 0x11, port 47624-47624
[service 5]  name: 'FTP',               protocol: 0x06, port 20-21
[service 6]  name: 'HTTP',              protocol: 0x06, port 80-80
[service 7]  name: 'ICUII',             protocol: 0x06, port 23566-23566
[service 8]  name: 'IP_Phone',          protocol: 0x06, port 6670-6670
[service 9]  name: 'NetMeeting(1720)',  protocol: 0x06, port 1720-1720
[service 10] name: 'NetMeeting(1503)',  protocol: 0x06, port 1503-1503
[service 11] name: 'News',              protocol: 0x06, port 119-119
[service 12] name: 'PPTP',              protocol: 0x06, port 1723-1723
[service 13] name: 'QuakeII/III',       protocol: 0x06, port 27960-27960
[service 14] name: 'QuakeII/III_zZz',   protocol: 0x11, port 27960-27960
[service 15] name: 'Real-Audio',        protocol: 0x06, port 6970-7170
[service 16] name: 'Real-Audio_zZz',    protocol: 0x11, port 6970-7170
[service 17] name: 'Telnet',            protocol: 0x06, port 23-23
Manually adding rules
These options were pulled from the binary with strings:
fw filter [ list
          | add <0-255> <0-1> <ucast-ip> <ucast-ip> <0-65535> <0-65535> <0-3> <ucast-ip> <ucast-ip> <0-65535> <0-65535> <0-255> <0-1> <0-1> <0-1> <1-65535>
          | del <1-65535>
          | mod <1-65535> <0-255> <0-1> <ucast-ip> <ucast-ip> <0-65535> <0-65535> <0-3> <ucast-ip> <ucast-ip> <0-65535> <0-65535> <0-255> <0-1> <0-1> <0-1>
          | move <1-65535> <int>
          | sche <1-65535> <0-1> <0-65535> ]
Visual example, step by step; the CLI's '?' help explains what each argument means in more detail.
- Note you can pick a defined 'service' here as well as just a start/end IP/mask and ports.
Foxconn$fw filter add 5?
<0-255>     [direction]
Foxconn$fw filter add 5 ?
<0-1>       src IP subnet: 0, src IP range: 1
Foxconn$fw filter add 5 0 ?
<ucast-ip>  src IP
Foxconn$fw filter add 5 0 0.0.0.0 ?
<ucast-ip>  src subnet mask or ending IP of IP range
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 ?
<0-65535>   src port start
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 ?
<0-65535>   src port end
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 ?
<0-3>       destination IP subnet: 0, destination IP range: 1, destination service: 2
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 ?
<ucast-ip>  destination IP
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 ?
<0-65535>   destination port start or service index
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 ?
<0-65535>   destination port end
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65401 ?
<0-255>     protocol number
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 ?
<0-1>       inactive match: 0, active match: 1
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 1 ?
<0-1>       deny: 0, allow: 1
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 1 0 ?
<0-1>       disable: 0, enable: 1
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 1 1 1 ?
<1-65535>   insert this rule before index
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 1 1 1 55
Foxconn$Connection closed by foreign host.
(In the original capture the long command lines were scrolled by the terminal and the left-hand part of the prompt was shown as '$'; the full commands are restored here.)
Examples
(Direction 4 or 7 both seem to block; I don't know what the difference is.)
Block ICMP from a specific address (protocol 1). The trailing '123' is the "insert before index" argument and can be anything; it just makes the new rule last.
fw filter add 4 0 92.xxx.xxx.xx 255.255.255.255 0 0 0 0.0.0.0 0.0.0.0 0 0 1 1 0 1 123
Block TCP from a specific address (protocol 6)
fw filter add 4 0 92.xxx.xxx.xx 255.255.255.255 0 0 0 0.0.0.0 0.0.0.0 0 0 6 1 0 1 123
Foxconn$fw filter list
index 1, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 2, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 1, dir 0x01, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 3, rule type 1, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 4, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x00, dir 0x70, match: ALLOW, not match: N/A, enable: Y
----------------------------------------------------------------------
index 5, rule type 0, source 92.xxx.xxx.xx/255.255.255.255(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x06, dir 0x07, match: DROP, not match: N/A, enable: Y
----------------------------------------------------------------------
total 5 rule(s)
- Note that on the command line the protocol is given in decimal, but when you show the list it is printed in hex.
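Added example (not part of the original page or the firmware): a small Python helper that renders a `fw filter add` line from named fields, range-checking each of the 16 positional arguments against the usage string above, and parses `fw filter list` output back into records with the hex protocol/dir fields converted to the decimal values the command line expects, so an applied rule set can be audited against what was typed. The sample record and the 198.51.100.7 address are constructed for the example.

```python
import ipaddress
import re
# Positional fields of `fw filter add`, in the order of the usage string, with the accepted range
# (or "ip" for a dotted quad). Protocol is given in decimal on the command line.
FIELDS = [("direction", (0, 255)), ("src_type", (0, 1)), ("src_ip", "ip"), ("src_mask", "ip"),
          ("src_port_start", (0, 65535)), ("src_port_end", (0, 65535)), ("dst_type", (0, 3)),
          ("dst_ip", "ip"), ("dst_mask", "ip"), ("dst_port_start", (0, 65535)),
          ("dst_port_end", (0, 65535)), ("protocol", (0, 255)), ("active_match", (0, 1)),
          ("allow", (0, 1)), ("enable", (0, 1)), ("insert_before", (1, 65535))]

def build_filter_add(**kw):
    """Render a validated `fw filter add ...` line from named fields."""
    parts = ["fw", "filter", "add"]
    for name, spec in FIELDS:
        value = kw[name]
        if spec == "ip":
            parts.append(str(ipaddress.IPv4Address(value)))  # ValueError on a bad address
        elif not spec[0] <= int(value) <= spec[1]:
            raise ValueError(f"{name}={value} is outside {spec[0]}-{spec[1]}")
        else:
            parts.append(str(int(value)))
    return " ".join(parts)

def block_host(src_ip, protocol, direction=4, insert_before=123):
    """The rule shape used on this page: drop one protocol from one host, any port, any destination."""
    return build_filter_add(direction=direction, src_type=0, src_ip=src_ip, src_mask="255.255.255.255",
                            src_port_start=0, src_port_end=0, dst_type=0, dst_ip="0.0.0.0",
                            dst_mask="0.0.0.0", dst_port_start=0, dst_port_end=0, protocol=protocol,
                            active_match=1, allow=0, enable=1, insert_before=insert_before)

# One `fw filter list` record; protocol and dir come back in hex, service-based rules show no protocol.
RULE_RE = re.compile(
    r"index (?P<index>\d+), rule type (?P<rule_type>\d+), "
    r"source (?P<src_ip>[\d.]+)/(?P<src_mask>[\d.]+)\(MASK\):(?P<sp1>\d+)-(?P<sp2>\d+), "
    r"dest (?P<dst_ip>[\d.]+)/(?P<dst_mask>[\d.]+)\(MASK\):(?P<dp1>\d+)-(?P<dp2>\d+), "
    r"(?:service index (?P<service>\d+)|protocol 0x(?P<protocol>[0-9A-Fa-f]+)), "
    r"dir 0x(?P<dir>[0-9A-Fa-f]+), match: (?P<match>\w+), not match: \S+, enable: (?P<enable>[YN])")

def parse_filter_list(text):
    """Parse `fw filter list` output into dicts; hex protocol/dir are converted to integers."""
    rules = []
    for m in RULE_RE.finditer(text):
        r = m.groupdict()
        r["index"], r["dir"] = int(r["index"]), int(r["dir"], 16)
        r["protocol"] = None if r["protocol"] is None else int(r["protocol"], 16)
        rules.append(r)
    return rules

# Constructed `fw filter list` record (198.51.100.7 is a documentation placeholder address).
SAMPLE_LIST = ("index 5, rule type 0, source 198.51.100.7/255.255.255.255(MASK):0-0, dest "
               "0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x06, dir 0x07, match: DROP, not match: N/A, enable: Y")
```

Feeding the captured `fw filter list` text to `parse_filter_list` and comparing `protocol` with the decimal value you typed avoids the decimal-versus-hex confusion noted above.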
NAT
Foxconn$nat ?
alg         show alg list
cc          check connection
conntab     show connection table
off         nat off
on          nat on
ruleadd     add NAT rule
ruleclear   clear NAT rule
ruledelete  delete NAT rule by rule ID
ruleget     Show all NAT rules
ruletab     show rule table
sipalg      SIP alg ON/OFF
status      Show NAT status
version     Show NAT version
Example
The first two were added by the UPnP daemon; in this case Skype on an Android Nexus 10 added them. The third I added manually with PortMapper 1.9.5.
Foxconn$nat ruleget
ID: 41, wan Ip: xx.xx.xxx.xx, wan port: 57089 - 0, lan Ip: 192.168.0.93, lan port: 57089
ID: 42, wan Ip: xx.xx.xxx.xx, wan port: 57089 - 0, lan Ip: 192.168.0.93, lan port: 57089
ID: 43, wan Ip: xx.xx.xxx.xx, wan port: 2345 - 0, lan Ip: 192.168.0.231, lan port: 3456
Foxconn$
Foxconn$nat ruletab
Current time: 17966
id  wif  lif  wan_ip        lan_ip         lan_mask       fport1  fport2  s_port  time  timeout  type  nat  prot  once  resv  confl  ForeignIp  add_from
------------------------------------------------------------
10  27   0    xx.xx.xxx.xx  192.168.0.0    255.255.255.0  0       0       0       0     0        0     1    TCP   0     1     0      0.0.0.0    0
------------------------------------------------------------
41  27   0    xx.xx.xxx.xx  192.168.0.93   0.0.0.0        57089   0       57089   0     0        0     2    UDP   0     1     0      0.0.0.0    4
------------------------------------------------------------
42  27   0    xx.xx.xxx.xx  192.168.0.93   0.0.0.0        57089   0       57089   0     0        0     2    TCP   0     1     0      0.0.0.0    4
------------------------------------------------------------
43  27   0    xx.xx.xxx.xx  192.168.0.231  0.0.0.0        2345    0       3456    0     0        0     2    TCP   0     1     0      0.0.0.0    4
------------------------------------------------------------
Total 4 rules.
The first entry is the interface the DGND3700 is using for NAT (nat 1) for WAN<>LAN traffic.
The next three are 'added' port-mapping entries for specific clients (nat 2).