DGND3700 V1 Transmission Firmware Foxconn CLI

There is a small utility, 'cli', for manipulating most of the firewall and NAT configuration; it appears to be a command-line wrapper around libnat.so.

See DGND3700_V1_Transmission_Firmware_Special_Interest for more info. (I had worked this out first, before discovering this CLI thanks to [this page]; I had to work the ambit password out before I discovered it was on the link at the top!)

=CLI=

/usr/sbin/cli

Login: ambit, password: ambitdebug

These are fixed debug credentials rather than per-device ones (the same password is on the linked page), so anyone who can reach the telnet or serial console has the same level of access to the firewall and NAT tables.

Foxconn$?
exit  Close telnet connection or logout from console.
fw    firewall
nat   Agnat Info

=Firewall (fw)=

Foxconn$fw ?
bs       block service definition
conn     show connections
devport  list listening port of device
dmz      DMZ
echo     echo reponse for requests from wan side
enable   enable/disable firewall
filter   filter definition
save     save settings
service  service definition
spi      stateful packet inspection

Rules can be defined either directly (protocol and port ranges) or by referencing a predefined 'service'.

Default rules

 * Index 1 DROPs incoming ICMP on the WAN (ICMP is predefined service 0, whose protocol is 0x01).
 * Index 2 allows eGRE (service 1), but dir 0x01, at least on other rules, seems to make a rule do nothing?
 * Index 3 is ICMP again, with 'rule type 1' (meaning unknown).
 * Index 4 has protocol 0x00 and dir 0x70. IANA protocol 0 is the IPv6 Hop-by-Hop Option, but in an IPv4 filter a zero protocol more likely means 'any protocol'; this is unconfirmed. What is the difference between direction 0x04 and 0x07? Both block in other testing.

Foxconn$fw filter list
index 1, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: DROP, not match: N/A, enable: Y
index 2, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 1, dir 0x01, match: ALLOW, not match: N/A, enable: Y
index 3, rule type 1, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: ALLOW, not match: N/A, enable: Y
index 4, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x00, dir 0x70, match: ALLOW, not match: N/A, enable: Y
total 4 rule(s)


 * What do 'rule type x' and 'dir' (direction) mean? Neither is documented by the CLI help, and the strings in the binary do not explain them either.

Pre-defined Services
Some of these are definable from the web GUI, generally the ones with port mappings defined. Service 0 shows port 8-0: for protocol 1 (ICMP) the port-start field most likely carries the ICMP type, and type 8 is Echo Request, which matches the service name 'ICMP_echo_req'.

Foxconn$fw service list

[service 0] name: 'ICMP_echo_req', protocol: 0x01, port 8-0
[service 1] name: 'eGRE', protocol: 0x2F, port 0-0
[service 2] name: 'AIM', protocol: 0x06, port 5190-5190
[service 3] name: 'AIM 6.x/SSL', protocol: 0x06, port 443-443
[service 4] name: 'Age-of-Empire', protocol: 0x11, port 47624-47624
[service 5] name: 'FTP', protocol: 0x06, port 20-21
[service 6] name: 'HTTP', protocol: 0x06, port 80-80
[service 7] name: 'ICUII', protocol: 0x06, port 23566-23566
[service 8] name: 'IP_Phone', protocol: 0x06, port 6670-6670
[service 9] name: 'NetMeeting(1720)', protocol: 0x06, port 1720-1720
[service 10] name: 'NetMeeting(1503)', protocol: 0x06, port 1503-1503
[service 11] name: 'News', protocol: 0x06, port 119-119
[service 12] name: 'PPTP', protocol: 0x06, port 1723-1723
[service 13] name: 'QuakeII/III', protocol: 0x06, port 27960-27960
[service 14] name: 'QuakeII/III_zZz', protocol: 0x11, port 27960-27960
[service 15] name: 'Real-Audio', protocol: 0x06, port 6970-7170
[service 16] name: 'Real-Audio_zZz', protocol: 0x11, port 6970-7170
[service 17] name: 'Telnet', protocol: 0x06, port 23-23

Manually adding rules
These option signatures were pulled from the binary with strings; the CLI's own inline help ('?') is the only description of what each position means:

fw filter [ list ]
 * add <0-255> <0-1>   <0-65535> <0-65535> <0-3>   <0-65535> <0-65535> <0-255> <0-1> <0-1> <0-1> <1-65535>
 * del <1-65535>
 * mod <1-65535> <0-255> <0-1>   <0-65535> <0-65535> <0-3>   <0-65535> <0-65535> <0-255> <0-1> <0-1> <0-1>
 * move <1-65535>
 * sche <1-65535> <0-1> <0-65535>

Step-by-step walk-through, appending '?' after each argument so the CLI explains what it expects next.

 * Note you can pick a defined 'service' here (destination type 2, then the service index in the destination-port-start position) as well as giving start/end IP or mask and ports directly.

Foxconn$fw filter add 5?
<0-255> [direction]
Foxconn$fw filter add 5 ?
<0-1> src IP subnet: 0, src IP range: 1
Foxconn$fw filter add 5 0 ?
 src IP
Foxconn$fw filter add 5 0 0.0.0.0 ?
 src subnet mask or ending IP of IP range
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 ?
<0-65535> src port start
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 ?
<0-65535> src port end
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 ?
<0-3> destination IP subnet: 0, destination IP range: 1, destination service: 2
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 ?
 destination IP
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 ?
<0-65535> destination port start or service index
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 ?
<0-65535> destination port end
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65401 ?
<0-255> protocol number
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 ?
<0-1> inactive match: 0, active match: 1
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 1 ?
<0-1> deny: 0, allow: 1
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 1 0 ?
<0-1> disable: 0, enable: 1
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 1 1 1 ?
<1-65535> insert this rule before index
Foxconn$fw filter add 5 0 0.0.0.0 0.0.0.0 65432 65430 2 0.0.0.0 0.0.0.0 64000 65404 5 1 1 1 55
Foxconn$Connection closed by foreign host.

(The telnet session was closed by the router immediately after that final command was accepted.)

Examples
(Direction 4 or 7 both seem to block; I don't know what the difference is.)

Block ICMP from a specific address (protocol 1). The final argument, 123, is the insert-before index; any value above the current rule count just places the rule after the existing ones.

fw filter add 4 0 92.xxx.xxx.xx 255.255.255.255 0 0 0 0.0.0.0 0.0.0.0 0 0 1 1 0 1 123

Block TCP from a specific address (protocol 6):

fw filter add 4 0 92.xxx.xxx.xx 255.255.255.255 0 0 0 0.0.0.0 0.0.0.0 0 0 6 1 0 1 123

Foxconn$fw filter list
index 1, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: ALLOW, not match: N/A, enable: Y
index 2, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 1, dir 0x01, match: ALLOW, not match: N/A, enable: Y
index 3, rule type 1, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, match: ALLOW, not match: N/A, enable: Y
index 4, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x00, dir 0x70, match: ALLOW, not match: N/A, enable: Y
index 5, rule type 0, source 92.xxx.xxx.xx/255.255.255.255(MASK):0-0, dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x06, dir 0x07, match: DROP, not match: N/A, enable: Y
total 5 rule(s)


 * On the command line the protocol is given in decimal; 'fw filter list' prints it back in hex (6 becomes 0x06).
 * This listing shows dir 0x07 for index 5 although the commands above pass direction 4; how the CLI maps the direction argument to the listed dir value is not documented.
 * The help lists a 'save' sub-command. Whether rules added from the CLI survive a reboot without it was not tested here.
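As an added example (my own Python, not code from the firmware or from this page), the following builds 'fw filter add' lines from named fields, checking each numeric field against the <lo-hi> ranges in the strings output above so the sixteen positional arguments cannot be silently shifted, and parses 'fw filter list' output back into records with the protocol converted from hex. The address 192.0.2.10 and the sample listing are constructed; 'direction' and 'rule type' are passed through as opaque integers because the CLI does not document them.

```python
"""Helpers for the DGND3700 'fw filter' CLI (added example, not firmware code)."""
import re
from ipaddress import IPv4Address

# Positional layout of `fw filter add`, in the order the CLI's own '?' walk
# reports it, with the <lo-hi> range from the strings output.  IP fields have
# no numeric range and are validated as dotted quads instead.
FIELD_RANGES = [
    ("direction", 0, 255), ("src_type", 0, 1), ("src_ip", None, None),
    ("src_mask", None, None), ("src_port_start", 0, 65535),
    ("src_port_end", 0, 65535), ("dst_type", 0, 3), ("dst_ip", None, None),
    ("dst_mask", None, None), ("dst_port_start", 0, 65535),
    ("dst_port_end", 0, 65535), ("protocol", 0, 255), ("active_match", 0, 1),
    ("allow", 0, 1), ("enable", 0, 1), ("before", 1, 65535),
]


def build_filter_add(direction, src_ip, src_mask="255.255.255.255",
                     src_ports=(0, 0), dst_ip="0.0.0.0", dst_mask="0.0.0.0",
                     dst_ports=(0, 0), protocol=0, allow=False, before=65535,
                     src_type=0, dst_type=0, active_match=1, enable=1):
    """Return the exact `fw filter add` line.  Protocol is decimal here
    (`fw filter list` prints it in hex).  With dst_type=2, dst_ports[0] is a
    service index rather than a port, per the CLI's '?' walk."""
    values = {
        "direction": direction, "src_type": src_type, "src_ip": src_ip,
        "src_mask": src_mask, "src_port_start": src_ports[0],
        "src_port_end": src_ports[1], "dst_type": dst_type, "dst_ip": dst_ip,
        "dst_mask": dst_mask, "dst_port_start": dst_ports[0],
        "dst_port_end": dst_ports[1], "protocol": protocol,
        "active_match": active_match, "allow": int(bool(allow)),
        "enable": enable, "before": before,
    }
    out = []
    for name, lo, hi in FIELD_RANGES:
        v = values[name]
        if lo is None:
            IPv4Address(v)                      # raises on a malformed address
            out.append(str(v))
        else:
            v = int(v)
            if not lo <= v <= hi:
                raise ValueError(f"{name}={v} outside <{lo}-{hi}>")
            out.append(str(v))
    return "fw filter add " + " ".join(out)


# One record of `fw filter list`; records are separated by " -- " or newlines.
RULE_RE = re.compile(
    r"index (?P<index>\d+), rule type (?P<rtype>\d+), "
    r"source (?P<sip>[\d.]+)/(?P<smask>[\d.]+)\(MASK\):(?P<sp1>\d+)-(?P<sp2>\d+), "
    r"dest (?P<dip>[\d.]+)/(?P<dmask>[\d.]+)\(MASK\):(?P<dp1>\d+)-(?P<dp2>\d+), "
    r"(?:service index (?P<svc>\d+)|protocol 0x(?P<proto>[0-9A-Fa-f]+)), "
    r"dir 0x(?P<dir>[0-9A-Fa-f]+), match: (?P<match>\w+), "
    r"not match: (?P<nomatch>[^,]+), enable: (?P<enable>[YN])")


def parse_filter_list(text):
    """Turn `fw filter list` output into a list of dicts (hex fields decoded)."""
    rules = []
    for m in RULE_RE.finditer(text):
        d = m.groupdict()
        rules.append({
            "index": int(d["index"]),
            "rule_type": int(d["rtype"]),
            "src": (d["sip"], d["smask"], int(d["sp1"]), int(d["sp2"])),
            "dst": (d["dip"], d["dmask"], int(d["dp1"]), int(d["dp2"])),
            "service": int(d["svc"]) if d["svc"] is not None else None,
            "protocol": int(d["proto"], 16) if d["proto"] is not None else None,
            "dir": int(d["dir"], 16),
            "action": d["match"],
            "enabled": d["enable"] == "Y",
        })
    return rules


# Constructed sample modelled on the listing above (source address replaced
# by the documentation address 192.0.2.10).
SAMPLE_LIST = (
    "index 1, rule type 0, source 0.0.0.0/0.0.0.0(MASK):0-0, "
    "dest 0.0.0.0/0.0.0.0(MASK):0-0, service index 0, dir 0x04, "
    "match: ALLOW, not match: N/A, enable: Y -- "
    "index 5, rule type 0, source 192.0.2.10/255.255.255.255(MASK):0-0, "
    "dest 0.0.0.0/0.0.0.0(MASK):0-0, protocol 0x06, dir 0x07, "
    "match: DROP, not match: N/A, enable: Y -- total 2 rule(s)"
)

if __name__ == "__main__":
    # Same rule as the "Block ICMP from a specific address" example above.
    print(build_filter_add(4, "192.0.2.10", protocol=1, before=123))
    for r in parse_filter_list(SAMPLE_LIST):
        print(r["index"], r["action"], "proto", r["protocol"], "svc", r["service"])
```

Paste the returned line into the telnet session as-is; the builder only orders and range-checks the arguments, it does not talk to the router.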

=NAT=

Foxconn$nat ?
alg         show alg list
cc          check connection
conntab     show connection table
off         nat off
on          nat on
ruleadd     add NAT rule
ruleclear   clear NAT rule
ruledelete  delete NAT rule by rule ID
ruleget     Show all NAT rules
ruletab     show rule table
sipalg      SIP alg ON/OFF
status      Show NAT status
version     Show NAT version

Example
The first two entries were added by the UPnP daemon (Skype on an Android Nexus 10 requested them); the third I added manually with PortMapper 1.9.5.

Foxconn$nat ruleget
ID: 41, wan Ip: xx.xx.xxx.xx, wan port: 57089 - 0, lan Ip: 192.168.0.93, lan port: 57089
ID: 42, wan Ip: xx.xx.xxx.xx, wan port: 57089 - 0, lan Ip: 192.168.0.93, lan port: 57089
ID: 43, wan Ip: xx.xx.xxx.xx, wan port: 2345 - 0, lan Ip: 192.168.0.231, lan port: 3456
Foxconn$

Foxconn$nat ruletab

Current time: 17966
id wif lif         wan_ip          lan_ip        lan_mask fport1 fport2 s_port    time  timeout  type nat prot once resv confl       ForeignIp add_from
10 27   0    xx.xx.xxx.xx     192.168.0.0   255.255.255.0      0      0      0       0        0     0   1  TCP    0    1     0         0.0.0.0        0
41 27   0    xx.xx.xxx.xx    192.168.0.93         0.0.0.0  57089      0  57089       0        0     0   2  UDP    0    1     0         0.0.0.0        4
42 27   0    xx.xx.xxx.xx    192.168.0.93         0.0.0.0  57089      0  57089       0        0     0   2  TCP    0    1     0         0.0.0.0        4
43 27   0    xx.xx.xxx.xx   192.168.0.231         0.0.0.0   2345      0   3456       0        0     0   2  TCP    0    1     0         0.0.0.0        4
Total 4 rules.

The first entry (nat 1) is the NAT rule for the WAN interface itself, covering WAN<>LAN traffic for the whole 192.168.0.0/24 subnet.

The next three (nat 2) are port-mapping entries for specific LAN clients. Comparing with 'nat ruleget', fport1/fport2 is the WAN port range and s_port is the LAN port. Two of them were opened by a LAN device over UPnP without any interaction with the router's admin interface, so this table is the place to check for forwards you did not expect.
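As an added example (my own Python, not firmware code), this parses the whitespace-separated 'nat ruletab' output into records using its header row, extracts the nat-type-2 port mappings, and flags any mapping not on an allow-list, which is the check to run if UPnP is left enabled. The sample table is constructed from the listing above with the WAN address replaced by the documentation address 203.0.113.5; the column meanings (fport1 = WAN port, s_port = LAN port, nat 2 = port mapping) are taken from the page's own comparison with 'nat ruleget'.

```python
"""Audit DGND3700 'nat ruletab' output for unexpected port mappings (added example)."""

# Constructed sample modelled on the ruletab listing above.
SAMPLE_RULETAB = """\
Current time: 17966
id wif lif         wan_ip          lan_ip        lan_mask fport1 fport2 s_port    time  timeout  type nat prot once resv confl       ForeignIp add_from
10 27   0    203.0.113.5     192.168.0.0   255.255.255.0      0      0      0       0        0     0   1  TCP    0    1     0         0.0.0.0        0
41 27   0    203.0.113.5    192.168.0.93         0.0.0.0  57089      0  57089       0        0     0   2  UDP    0    1     0         0.0.0.0        4
42 27   0    203.0.113.5    192.168.0.93         0.0.0.0  57089      0  57089       0        0     0   2  TCP    0    1     0         0.0.0.0        4
43 27   0    203.0.113.5   192.168.0.231         0.0.0.0   2345      0   3456       0        0     0   2  TCP    0    1     0         0.0.0.0        4
Total 4 rules.
"""


def parse_ruletab(text):
    """Return one dict per rule row, keyed by the column names in the header.
    The 'Current time' banner and 'Total N rules.' trailer are skipped."""
    header = None
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "id":              # header row names the columns
            header = cols
            continue
        if header is None or not cols[0].isdigit():
            continue
        if len(cols) != len(header):     # a shifted column would silently mislabel fields
            raise ValueError(f"expected {len(header)} columns, got {len(cols)}: {line!r}")
        rows.append(dict(zip(header, cols)))
    return rows


def port_mappings(rows):
    """(id, proto, wan_port, lan_ip, lan_port) for every nat-type-2 entry."""
    return [(int(r["id"]), r["prot"], int(r["fport1"]), r["lan_ip"], int(r["s_port"]))
            for r in rows if r["nat"] == "2"]


def unexpected_mappings(rows, allowed):
    """Mappings whose (proto, wan_port, lan_ip) is not in the allow-list.
    Anything UPnP opened on its own shows up here."""
    return [m for m in port_mappings(rows) if (m[1], m[2], m[3]) not in allowed]


if __name__ == "__main__":
    rows = parse_ruletab(SAMPLE_RULETAB)
    # Only the PortMapper entry is expected; the two Skype/UPnP ones are not.
    allowed = {("TCP", 2345, "192.168.0.231")}
    for rule_id, proto, wan_port, lan_ip, lan_port in unexpected_mappings(rows, allowed):
        print(f"unexpected: id {rule_id} {proto} wan:{wan_port} -> {lan_ip}:{lan_port}")
```

Feed it the raw text captured from the telnet session; the parser keys on the header row, so it keeps working if the firmware pads the columns differently, and it refuses rows whose column count does not match rather than guessing.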

=Comments=