
Common configuration items

When adding a rule, most of the values to configure in the various modules are of the same type (e.g., the source or destination interfaces), since in the end they are all set up with iptables. Therefore, in order to keep this section short and readable, all the configuration items that are common to all modules of the firewall are grouped here and defined only once. Further explanation is given only where a module differs significantly from the descriptions given here.

  • Source or Incoming IP. Usually in the form of a drop-down menu, this setting is the type of the source or incoming connection that should be matched. Depending on the type chosen, different connections can be selected from the small box underneath the menu: Zone/VPN/Uplink is the source zone, VPN client, or uplink to which this rule should be applied; Network/IP/Range is the IP address, range, or network address; OpenVPN User and L2TP User are the OpenVPN or L2TP users, respectively.

  • Destination or Target. This setting also comes in the form of a drop-down menu and allows choosing among three types of destination that should be matched, which are the same as in the Source drop-down menu: a Zone/VPN/Uplink, Network/IP, OpenVPN User or L2TP User, with some small differences (e.g., for some types of rules, the target cannot be an OpenVPN or L2TP user).

  • Service, Port, and Protocol. A service is usually defined as a combination of a port and a protocol. For example, the SSH service runs by default on port 22 and uses the TCP protocol. These three options control the port and protocol to which the rule applies and consist of two drop-down menus: choose either a pre-defined Service, which also sets the protocol and the port range in the text area, or one Protocol and, optionally, a port or a port range. Available protocols are: TCP and UDP (the most used), GRE (used by tunnels), ESP (used by IPsec), and ICMP (used by the ping and traceroute commands).

    Note

    There are dozens of predefined services that can be chosen from the drop-down menus, and they should suffice to allow the most common services to access the Internet. A user-defined combination of port and protocol should be used only if a service is not running on a standard port (e.g., an SSH server listens on port 2345 or a web server runs on port 7981) or if a service uses a particular port (e.g., a multiplayer game on the Internet).

  • ‘Access from’ sub-rule. Almost every rule can be further detailed by adding several Access from rules to it, for example to limit access to a client depending on the zone from which it connects to the Endian UTM Appliance. Access from rules can be configured when the advanced mode is selected (see below). As a consequence, a rule can appear split over two or more lines, depending on the number of access policies defined. Each Access from sub-rule can be deleted individually, without changing the main rule, and each sub-rule can even have a different filter policy.

  • Policy, Filter Policy. The action to carry out on the packets that match the current rule. The drop-down menu allows selecting among four options: Allow with IPS - let the packet pass but analyse it with the Intrusion Prevention System; Allow - let the packets pass without any check; Drop - discard the packet; and Reject - discard the packet and send an error packet in response.

  • Enabled. Every rule created is enabled by default, but it can be saved without being activated by unticking the checkbox, i.e., it will not be taken into account for packet filtering. Disabling a rule may prove useful when troubleshooting connection problems.

  • Log, Log all accepted packets. By default, no log entries are written when traffic is filtered. To enable logging for a rule, tick the box.

    Warning

    If there is a lot of traffic and packets to be analysed, the size of the log files will likely grow rapidly, so in this case remember to check the log directory regularly to avoid running out of space!

  • Remark. A description or a remark about the rule, to remember the purpose of the rule.

  • Position. Recall that the iptables rules are processed in the order they appear in the list and that some are “terminating” rules, i.e., they may drop or reject a packet and stop the processing of the subsequent rules. This drop-down menu allows choosing in which position this rule should be saved.

  • Actions. On all rules several actions can be carried out:

    • up down - move the rule upwards or downwards in the list.

      Hint

      Remember that the ordering matters! The firewall rules are processed in the order they appear in the page, top to bottom.

    • on off - enable or disable the rule.

    • edit - modify the rule.

    • delete - remove the rule.

Finally, after every change to the firewall rules has been saved, the firewall should be restarted to reload the configuration. A callout with a clickable Apply button will appear as a reminder of this.
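To make the ordering, terminating-rule and Enabled/Log semantics described above concrete, the following is an added Python model of first-match rule evaluation; it is not Endian code and not what the appliance runs. The zone names, networks, the sample rule set and the default Drop for packets matching no rule are assumptions.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple
ALLOW, ALLOW_IPS, DROP, REJECT = "Allow", "Allow with IPS", "Drop", "Reject"
Packet = namedtuple("Packet", "zone dst_ip protocol dport")

@dataclass
class Rule:
    source_zone: str            # constructed zone names "GREEN", "RED"; "ANY" matches all
    dest_net: str               # CIDR; "0.0.0.0/0" means any destination
    protocol: str               # "TCP", "UDP", "ICMP", ... or "ANY"
    port: Optional[int] = None  # None: any port (ICMP, GRE and ESP have none)
    policy: str = ALLOW         # Allow with IPS, Allow, Drop or Reject
    enabled: bool = True        # an unticked rule is saved but never consulted
    log: bool = False           # the rule's Log checkbox
    remark: str = ""

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every configured item of the rule matches the packet."""
    if rule.source_zone not in ("ANY", pkt.zone) or rule.protocol not in ("ANY", pkt.protocol):
        return False
    if rule.port is not None and rule.port != pkt.dport:
        return False
    return ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dest_net)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], List[str]]:
    """Top to bottom; the first enabled match terminates: (verdict, rule index, log lines).
    Assumption: a packet matching no rule is dropped (the page does not say)."""
    logs = []
    for i, rule in enumerate(rules):
        if not rule.enabled or not matches(rule, pkt):
            continue
        if rule.log:
            logs.append(f"rule {i} [{rule.remark}] {rule.policy}: {pkt.protocol} "
                        f"{pkt.zone} -> {pkt.dst_ip}:{pkt.dport}")
        return rule.policy, i, logs  # Reject differs from Drop only by the error reply
    return DROP, None, logs

RULES = [  # constructed rule set: the narrow Drop must sit above the broader Allow
    Rule("RED", "10.0.0.0/8", "TCP", 22, DROP, log=True, remark="no SSH from RED"),
    Rule("ANY", "10.0.0.0/8", "TCP", 22, ALLOW_IPS, remark="SSH, inspected by IPS"),
    Rule("GREEN", "0.0.0.0/0", "ANY", None, ALLOW, remark="LAN out"),
    Rule("RED", "10.0.0.0/8", "TCP", 443, REJECT, enabled=False, remark="saved, inactive"),
]

def reorder_demo() -> Tuple[str, str]:
    """Same packet with rules 0 and 1 swapped: the Drop is shadowed and never fires."""
    pkt = Packet("RED", "10.1.2.3", "TCP", 22)
    return evaluate(RULES, pkt)[0], evaluate([RULES[1], RULES[0]] + RULES[2:], pkt)[0]
```

Swapping the first two rules is the mistake the Position item and the Hint warn about: the broader Allow with IPS rule then matches first and the Drop below it is never reached.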