============================
Private WAN router firewall
============================

Private WAN routers ship with a host firewall on the INPUT path: traffic destined
to the router itself is rejected unless it matches one of the rules described
below, which are evaluated in the order listed.

Bonding INPUT traffic
----------------------

1. Accept traffic on the management interface, sourced from the management
   server VPN IP and destined for the node management VPN IP

2. TCP configuration traffic on destination port 8003

   - Accept traffic on the management interface, sourced from the management
     server VPN IP and destined for the node management VPN IP (only IPv4)
   - Reject everything else on TCP destination port 8003

3. Private WAN mesh traffic

   - Accept TCP traffic on destination port 8007
   - Accept TCP traffic on the mesh veth interface with destination port 1179
   - Accept TCP traffic on the agg/pwr GRE interfaces with destination port 1179
     or 179
   - Accept ESP traffic
   - Accept GRE traffic

Other INPUT traffic
--------------------

#. Accept any packets matching rules defined on the management server
#. Accept all traffic on eth0 that is sourced from 10.207.35.248/29 for local
   troubleshooting access
#. Accept all traffic on eth0 that is sourced from 192.168.1.0/24 for legacy
   local troubleshooting access
#. Accept all ICMP and ICMPv6 traffic
#. Accept all traffic from established/related connections
#. Reject everything else

.. note::

  Nodes running version 6.6 and higher use nftables exclusively; see `Firewall management <../extending-bonded-internet/firewall-management.html>`__ for more information.
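
The following nftables ruleset is an added illustration of the INPUT policy
described above, written for this page; it is not the ruleset shipped on the
nodes. The interface names (``tun-mgmt`` for the management VPN interface,
``mesh-veth`` for the mesh veth, ``agg0``/``pwr0`` for the GRE interfaces), the
management server and node management VPN addresses (``10.10.0.1`` and
``10.10.0.50``), and the ``custom_rules`` chain standing in for rules pushed from
the management server are all assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Illustrative reconstruction of the private WAN router INPUT policy.
# Interface names, VPN addresses and the custom_rules chain are assumptions
# made for this example, not values taken from the product.

define mgmt_if      = "tun-mgmt"                       # management VPN interface (assumed name)
define mgmt_srv     = 10.10.0.1                        # management server VPN IP (assumed)
define node_mgmt    = 10.10.0.50                       # node management VPN IP (assumed)
define mesh_if      = "mesh-veth"                      # mesh veth interface (assumed name)
define gre_ifs      = { "agg0", "pwr0" }               # agg/pwr GRE interfaces (assumed names)
define trouble_nets = { 10.207.35.248/29, 192.168.1.0/24 }  # local troubleshooting sources

table inet filter {
    # Placeholder for rules defined on the management server (assumed mechanism).
    chain custom_rules {
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # 1. Management server -> node management VPN IP on the management interface
        iifname $mgmt_if ip saddr $mgmt_srv ip daddr $node_mgmt accept

        # 2. Configuration channel on TCP/8003: IPv4 from the management server only,
        #    everything else on 8003 is rejected before any later accept can match.
        iifname $mgmt_if ip saddr $mgmt_srv ip daddr $node_mgmt tcp dport 8003 accept
        tcp dport 8003 reject

        # 3. Private WAN mesh traffic
        tcp dport 8007 accept
        iifname $mesh_if tcp dport 1179 accept
        iifname $gre_ifs tcp dport { 179, 1179 } accept
        meta l4proto esp accept
        meta l4proto gre accept

        # Other INPUT traffic, in the order the page lists it
        jump custom_rules
        iifname "eth0" ip saddr $trouble_nets accept
        meta l4proto { icmp, ipv6-icmp } accept
        ct state established,related accept
        reject
    }
}
```

Rule order is the point worth checking here: because ``tcp dport 8003 reject``
sits before the ``custom_rules`` jump and the troubleshooting subnets, neither a
management-server rule nor a host on ``192.168.1.0/24`` can open the
configuration port, and ``ip saddr``/``ip daddr`` restrict the management
matches to IPv4 exactly as the page states for port 8003. A ruleset like this can
be syntax-checked without applying it using ``nft -c -f <file>`` and loaded with
``nft -f <file>``.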

.. note::

  More firewall customization options are available and documented here:

  - `Firewall management <../../extending-bonded-internet/firewall-management.html>`__
  - `Example Salt state – custom firewall for space <../../extending-bonded-internet/node-configuration-management-with-saltstack/example-salt-state-custom-firewall-for-space.html#>`__
