Firewall rules
Choosing the incoming and outgoing interfaces
In the overview "Firewall rules" you can see the rules filtered by the incoming and the outgoing interface. An overview of all active firewall rules can be shown on the corresponding tab. In order to create a new filter rule you must select the incoming and the outgoing interface. The rule only filters packets that arrive at the incoming interface and leave the firewall through the outgoing interface. This path of a packet is called a Track in this manual.
If you plan to filter a packet from the internal to the external interface, select the internal interface at the select box incoming (e.g. "int0") and the external interface at the select box outgoing. Then press the button Go! right beside the select box for the outgoing interfaces and the rules of the selected track are shown below.
There are some special entries in the select box. Choose "ANY" when you do not want to filter the packets for a specific interface. The filter rules are active for all available interfaces. "LOCAL" means those packets that originate directly from the firewall or that are sent to the firewall itself. This can be a request to a local proxy or packets for creating VPN tunnels (ipsec, PPTP). You can create a filter for all packets that reach the firewall by passing one special interface by selecting the interface at the incoming select box and by using LOCAL at the outgoing side. If you have already configured some IPsec tunnels the interfaces are also shown in the select boxes (e.g. "ipsec0").
TIP: Selecting "ANY" as both the incoming and the outgoing interface creates FORWARD filter rules (packets passing through the firewall are checked, regardless of the interfaces involved). INPUT and OUTPUT filter rules (packets destined for the firewall itself and packets originating from the firewall) cannot be created this way.
Configuration of dynamic packet filter (Stateful Inspection)
Dynamic packet filtering allows the firewall to filter packets that can be associated with an existing connection (connection tracking). This technique is used to allow reply packets automatically, so there is no need to create a separate rule for the replies. For example, if you want to allow access to a web server, on a firewall that supports stateful inspection you only need to add a rule allowing traffic to destination port 80 from the internal to the external interface. The replies to the HTTP requests are allowed to pass the firewall automatically.
Allow established: Allow all packets that are part of an already established connection, for example the replies an HTTP server sends to requests from a client on the network behind the firewall. This setting applies to all packets in the current track (incoming and outgoing interface).
Allow related: Allow all packets that can be associated with an already established connection. The best example for this setting is the ftp-data port. To allow FTP traffic you only need to allow traffic to pass the firewall on port TCP/21, which is used for the FTP control session. The FTP data is sent on another port (normally port 20). No extra rule is needed if Allow related is activated.
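As an added example (not part of this manual), the following script expresses the track concept from "Choosing the incoming and outgoing interfaces" and the established/related behaviour from this section as iptables rules. It assumes a Linux netfilter backend, which the manual does not state, and it only prints the commands instead of loading them, so it runs without root.

```shell
#!/bin/sh
# Added example, not the product's own code. Assumes a netfilter/iptables backend.
# track_rules IN OUT PORT
#   IN/OUT: interface name, "ANY" (no interface match) or "LOCAL" (the firewall itself)
#   PORT:   TCP destination port to allow for new connections on this track
track_rules() {
    in="$1"; out="$2"; port="$3"
    chain="FORWARD"; match=""
    # LOCAL on the outgoing side: packets addressed to the firewall -> INPUT chain.
    # LOCAL on the incoming side: packets generated by the firewall -> OUTPUT chain.
    if [ "$out" = "LOCAL" ]; then
        chain="INPUT"
    elif [ "$in" = "LOCAL" ]; then
        chain="OUTPUT"
    fi
    # ANY and LOCAL add no interface match; a real interface name does.
    case "$in"  in ANY|LOCAL) ;; *) match="$match -i $in"  ;; esac
    case "$out" in ANY|LOCAL) ;; *) match="$match -o $out" ;; esac
    # "Allow established" / "Allow related": replies and helper-associated
    # connections (e.g. ftp-data) pass without a separate rule.
    echo "iptables -A $chain$match -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The one explicit rule: new connections to the chosen port.
    echo "iptables -A $chain$match -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    # Rules are evaluated top-down, so the catch-all drop must come last.
    echo "iptables -A $chain$match -j DROP"
}

# Track int0 -> ext0, allowing web access from the internal network (port 80).
track_rules int0 ext0 80
```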
Change the order of the rules
The order of the firewall rules is important. They are executed top-down. The current order of the firewall rules can be changed by using the "Move" fields or by using the arrow buttons on the right side of the rule definition.
Overview over the packet filter rules
The filter rules are evaluated top-down until one of them matches the fields of the incoming packet, so the order of the rules is very important. After selecting an incoming and an outgoing interface, the filter rules for the specified track are shown in the list below. In this list you can change the order of the rules and edit or delete rules.
The following fields are shown in the overview: