Firewall rules


Choosing the incoming and outgoing interfaces


The "Firewall rules" overview lists the rules filtered by incoming and outgoing interface. An overview of all active firewall rules is shown on the corresponding register card.

To create a new filter rule you must first select the incoming and the outgoing interface. A rule only filters packets that arrive at the incoming interface and leave the firewall through the outgoing interface. This path of a packet through the firewall is called a track in this manual.


If you want to filter packets travelling from the internal to the external interface, select the internal interface (e.g. "int0") in the incoming select box and the external interface in the outgoing select box. Then press the Go! button to the right of the outgoing select box; the rules of the selected track are shown below.


The select boxes contain some special entries. Choose "ANY" if you do not want to restrict the rule to a specific interface; the rule then applies to all available interfaces.

"LOCAL" stands for packets that originate from the firewall itself or are addressed to the firewall itself, for example requests to a local proxy or the packets that set up VPN tunnels (IPsec, PPTP). To filter all packets that reach the firewall through one particular interface, select that interface in the incoming select box and LOCAL in the outgoing select box. If IPsec tunnels have already been configured, their interfaces also appear in the select boxes (e.g. "ipsec0").


TIP: Selecting "ANY" as the incoming and "ANY" as the outgoing interface creates FORWARD filter rules: they check packets that pass through the firewall, regardless of the interfaces involved. Such rules never match INPUT or OUTPUT traffic (packets addressed to the firewall itself or sent by the firewall). To filter that traffic you must select LOCAL on the incoming or the outgoing side as described above.


Configuration of dynamic packet filter (Stateful Inspection)


Dynamic packet filtering (connection tracking) recognises packets that belong to an existing connection. It is used to allow reply packets automatically, so no separate rule for the replies is needed. For example, to allow access to web servers from the internal network, a firewall with stateful inspection only needs one rule that allows traffic to destination port 80 from the internal to the external interface; the replies to the HTTP requests pass the firewall automatically.


Allow established: Allow all packets that belong to an already established connection, for example the replies an HTTP server sends to a request from a client behind the firewall. The setting applies to all packets of the current track (incoming and outgoing interface).

Allow related: Allow all packets that can be associated with an already established connection even though they start a new connection. The classic example is the FTP data channel. To allow FTP you only need a rule that allows traffic to port TCP/21, the FTP control channel. The file data is transferred over a second connection on another port (port 20 for active mode, a dynamically negotiated port for passive mode). With Allow related activated no extra rule is needed: the FTP helper of the connection tracking reads the port announced on the control channel and marks the data connection as related. Without that helper the data connection is an unrelated new connection and is treated by the remaining rules of the track.


Change the order of the rules


The order of the firewall rules matters: they are evaluated from top to bottom. You can change the current order with the "Move" fields or with the arrow buttons on the right-hand side of the rule definition.

[Screenshot: firewall_rules]

Overview over the packet filter rules


The filter rules are evaluated from top to bottom until one of them matches the fields of the packet; the first matching rule decides (a LOG rule does not end the evaluation, see below), so the order of the rules is very important. After you have selected an incoming and an outgoing interface, the filter rules of that track are shown in the list below. In this list you can change the order of the rules and edit or delete rules.


Add rule: Creates a new packet filter rule at the end of the currently selected list and opens its detailed view. The button is available at the top and at the bottom of the element group.
Save: Saves the current settings and the order of the rules. You must also press this button after deleting a rule.


The following fields are shown in the overview:


Active: Activates or deactivates the filter rule. Deactivated rules are not evaluated.
Source: The source IP/source net/source FQDN of the rule. If no source is set (ANY), this field is ignored and all source addresses match.
Destination: The destination IP/destination net/destination FQDN of the rule. If no destination is set (ANY), this field is ignored and all destination addresses match.
Service: The service of the rule.
Source port: The source port of the rule. Only shown if CUSTOM was selected as the service.
Destination port: The destination port of the rule. Only shown if CUSTOM was selected as the service.
Action: The action that is executed when a packet matches the rule. The following options are available: ACCEPT, DROP, LOG, REJECT and NONE.
ACCEPT: The packet is forwarded.
DROP: The packet is discarded silently; the sender receives no answer.
LOG: Writes an entry to the syslog. This action neither drops nor accepts the packet; evaluation continues with the next rule, so you must add a further rule after the LOG rule that accepts or drops the packet. Otherwise the packet is handled by whichever later rule matches it.
REJECT: Stops the packet like DROP, but additionally sends an ICMP "port-unreachable" message to the sender. REJECT lets internal clients fail immediately instead of waiting for a timeout; DROP is the usual choice towards untrusted networks, where you do not want to confirm that a filtering host exists.
NONE: The packet is ignored by this rule, i.e. no action is taken. This is only needed to monitor specific packets without setting an action.
If the overview shows other actions such as "flood-protect", the rule is a default rule that cannot be edited or deleted by the user.
Comment info: Shows the comment of the rule as a tooltip; move the mouse pointer over the icon to read it. You can add your own comment to each rule.
Delete marked entries: Deletes all rules you have selected in the column below. Do not forget to press "Save" afterwards.
Move up / Move down: Changes the order of the rules. Since the order is decisive, do not forget to press "Save" afterwards.
Edit rule: Opens the detailed view of the rule, where you can edit its options.
Insert rule below: Adds a new rule directly below the current rule and opens the detailed view of the new rule.
Delete rule: Deletes the rule. Press "Save" afterwards.
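As an added example (not the appliance's own code), the following shell script shows the iptables rules that correspond to one track of this overview. It covers the track model (ANY, LOCAL, named interfaces), the "Allow established"/"Allow related" settings from the section "Configuration of dynamic packet filter", and the ACCEPT/DROP/LOG/REJECT actions above. The interface names int0 and ext0, the ports, the log prefix and the use of the ftp helper module are assumptions. By default the script only prints the commands (dry run); run it as root with IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example, not the appliance's own code: the netfilter/iptables rules
# behind one GUI "track", written as a dry run.  Interface names int0/ext0,
# ports and log prefix are assumptions.  Default prints the commands; run
# as root with IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# track_chain IN OUT: which built-in chain a track lands in.
#   LOCAL on the incoming side = packets the firewall sends        -> OUTPUT
#   LOCAL on the outgoing side = packets addressed to the firewall -> INPUT
#   anything else (including ANY/ANY) = packets routed through     -> FORWARD
track_chain() {
    case "$1/$2" in
        LOCAL/*) echo OUTPUT ;;
        */LOCAL) echo INPUT ;;
        *)       echo FORWARD ;;
    esac
}

# track_match IN OUT: the -i/-o options; ANY and LOCAL add no restriction.
track_match() {
    m=""
    case "$1" in ANY|LOCAL) ;; *) m="$m -i $1" ;; esac
    case "$2" in ANY|LOCAL) ;; *) m="$m -o $2" ;; esac
    echo "$m"
}

# rule IN OUT MATCH... : one row of the overview.  Rules are appended (-A),
# so the order of the calls is the top-down order of the list.
rule() {
    chain=$(track_chain "$1" "$2"); match=$(track_match "$1" "$2"); shift 2
    $IPTABLES -A "$chain" $match "$@"
}

# track_rules IN OUT: the rule list for one track, top to bottom.
track_rules() {
    iif="$1"; oif="$2"
    # "Allow established" / "Allow related": replies and helper-spawned
    # connections (e.g. ftp-data) never need a rule of their own.
    rule "$iif" "$oif" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LOG does not terminate: the packet continues to the next rule, so the
    # DROP must follow directly or the packet would reach the ACCEPTs below.
    rule "$iif" "$oif" -p tcp --dport 23 -j LOG --log-prefix "fw-telnet:"
    rule "$iif" "$oif" -p tcp --dport 23 -j DROP
    # Web and the FTP control channel; the FTP data channel is covered by
    # RELATED above once the ftp helper has seen the control channel.
    rule "$iif" "$oif" -p tcp --dport 80 -j ACCEPT
    rule "$iif" "$oif" -p tcp --dport 21 -j ACCEPT
    # REJECT = DROP plus an ICMP port-unreachable back to the sender.
    rule "$iif" "$oif" -j REJECT --reject-with icmp-port-unreachable
}

# ftp_helper: kernels with automatic helper assignment disabled (the
# default since Linux 4.7) need the ftp helper attached explicitly in the
# raw table, otherwise ftp-data is never RELATED.  Assumes nf_conntrack_ftp
# is available.
ftp_helper() {
    $IPTABLES -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

ftp_helper
track_rules int0 ext0    # track: internal -> external (FORWARD)
track_rules ext0 LOCAL   # track: external -> the firewall itself (INPUT)
```

Note the arrangement: the conntrack ACCEPT comes first, the LOG rule is immediately followed by the DROP it belongs to, and the REJECT catch-all is last, exactly as the rows would be ordered top-down in the overview. In the dry run every output line is a complete iptables command, so the generated ruleset can be reviewed before it is applied.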