Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
Free Documentation License".
Select Firewall from the menu bar at the top of the screen.
This section allows setting up the rules that specify if and how IP traffic flows through your
Endian Firewall.
Following is a list of links that appear in the submenu on the left side
of the screen:
Each of these subsections will be explained individually in the following chapters.
Select Firewall from the menu bar at the top of the screen, then select Port forwarding / NAT from the submenu on the left side of the screen.
Port forwarding grants limited network access from the external RED zone (typically the internet) to hosts on an internal zone, such as the DMZ (ORANGE) or even the trusted LAN (GREEN). However, forwarding to the GREEN zone is not recommended from a security point of view.
You can define which port on which external interface (incoming port) will be forwarded to a given host/port on the inside (destination). Typical use cases might be to forward port 80 on an external interface to a webserver in the DMZ or to forward port 1022 on an external interface to a SSH server on port 22 of a host in the DMZ. You need to supply the following parameters:
Protocol | - | protocol: TCP, UDP, GRE (generic routing encapsulation - used by tunnels) or all |
Incoming IP | - | the (external) interface |
Port on incoming | - | which port (1 - 65535) to listen to on the external interface |
Destination IP | - | the IP of the destination host to which incoming traffic is forwarded to |
Destination Port | - | the port (1-65535) on the destination host to which incoming traffic is forwarded to |
Remark | - | a remark for you to remember the purpose of the forward rule later |
Enabled | - | check to enable rule (default) |
SNAT incoming connections | - | specify whether incoming traffic should appear to be originating from the firewall IP instead of the actual IP |
Enable log | - | log all packets that match this rule |
Click the Add button to confirm your rule. You can then disable/enable, edit or delete each rule from the list by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).
After making changes or additions to your rule set, do not forget to click the Apply button on the top of the screen!
Once a rule is defined, you can limit access to the forwarding destination from the external RED zone. To do so, you need to click on the plus-icon ("Add external access") next to the rule: this allows limiting access to a given source (host or network address). You can do this repeatedly to add more sources. A use case for this would be to grant SSH access to the external port 1022 only to one trusted external IP from the internet.
In this section you can define to which outgoing connections source network address translation (Source NAT) should be applied. Source NAT
can be useful if a server behind your Endian Firewall has its own external IP and outgoing packets should therefore
not use the RED IP address of the firewall.
Adding Source NAT rules is similar to adding port forwarding rules. The following options are available:
Source | - | In this field you can specify whether outgoing connections that are initiated from a network or IP address, or connections initiated by a VPN user should be Source NATed. If you choose the first Type you must then enter IP or network addresses into the textarea below (one address per line). If you choose the second Type you can select the users you want from the multiselection field below. |
Destination | - | In this field you can specify whether connections to a Zone/VPN/Uplink, to a Network/IP or to a User should be NATed. If you choose the first Type you must then select a zone, a VPN or an uplink from the multiselection field below. If you choose the second Type you must enter IP or network addresses into the textarea below (one address per line). If you choose the third Type you can select the users you want from the multiselection field below. |
Service/Port | - | Here you can specify the service that should be NATed. In the Service selectbox you can select pre-defined values for different protocols. If you want to specifiy a service yourself you must select the protocol in the Protocol selectbox and, should you want to add a port as well, enter the destination ports into the Destination port textarea (one port per line). |
NAT | - | Here you can choose whether you want to apply Source NAT or not. If you choose to use source network address translation you can select
the IP address that should be used. The Auto entries will automatically choose the IP address depending on the outgoing interface. In certain cases you may want to explicitly declare that no Source NAT should be performed, e.g. if a server in your DMZ is configured with an external IP and you do not want its outgoing connections to have your RED IP as source. |
Enabled | - | Tick this checkbox if the rule should be applied. |
Remark | - | You can enter a short note here so you can later remember the purpose of this rule. |
Position | - | Here you can specify after which rule you want to insert this rule. |
To save the rule just click on the Save button.
Configuring an SMTP server running on IP 123.123.123.123 (assuming that 123.123.123.123 is an additional IP address of your uplink) in the DMZ with source NAT:
1. Configure your ORANGE zone as you like.
2. Setup the SMTP server to listen on port 25 on an IP in the ORANGE zone.
3. Add a static ethernet uplink with IP 123.123.123.123 to your Endian Firewall
in the Network, Interfaces section.
4. Add a source NAT rule and specify the ORANGE IP of the SMTP server as source address. Be sure to use NAT
and set the NATed source IP address to 123.123.123.123.
Select Firewall from the menu bar at the top of the screen, then select Outgoing traffic from the submenu on the left side of the screen.
Endian Firewall comes with a preconfigured set of rules, that allow outgoing traffic (i.e. "internet access") from the GREEN zone with regard to the most common services (HTTP, HTTPS, FTP, SMTP, POP, IMAP, POP3s, IMAPs, DNS, ping). All other services are blocked by default.
Likewise, access to HTTP, HTTPS, DNS and ping is allowed from the BLUE zone (WLAN) while only DNS and ping are allowed from the ORANGE zone (DMZ).
Everything else is forbidden by default.
In this section you can disable/enable, edit or delete rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom). You can also add your own rules by clicking on the Add a new firewall rule link at the top. Please consider that the order of rules is important: the first matching rule decides whether a packet is allowed or denied, no matter how many matching rules might follow. You can change the order of rules using the arrow down/up icons next to each rule.
A rule is defined by the following parameters:
Source | - | select a zone or interface, specify one or more network/host addresses or MAC addresses |
Destination | - | select the entire RED zone, one or more uplinks or one or more network/host addresses |
Service Port | - | the destination service: select a service name from the list or specify a protocol and one or more port numbers (1-65535) |
Action | - | what should be done with the packet: accept it, deny it (drop it without feedback to the sender) or reject it (let the sender know the firewall dropped the packet) |
Remark | - | a remark for you to remember the purpose of the firewall rule later |
Position | - | at what position in the list should the rule be inserted |
Enabled | - | check to enable this rule (default) |
Log all accepted packets | - | Log all accepted packets (does not include denied/rejected packets): this is off by default as it will create large volumes of log data |
After making changes to a rule, do not forget to click the Apply button on the top of the list!
At the bottom of the page you can also find the rules that are set automatically by
Endian Firewall depending on your configuration.
It is possible to disable or enable the whole outgoing firewall by using the
Enable Outgoing firewall toggle. When disabled, all outgoing
traffic is allowed (not recommended).
Select Firewall from the menu bar at the top of the screen, then select Inter-Zone traffic from the submenu on the left side of the screen.
This section allows you to set up rules that determine how traffic can flow between the different network zones, excluding the RED zone.
Endian Firewall comes with a simple set of preconfigured rules: traffic is allowed from the GREEN zone to any other zone (ORANGE and BLUE) and traffic is allowed within each zone.
Everything else is forbidden by default.
Analogous to the outgoing traffic firewall you can
disable/enable, edit or delete rules by clicking on the appropriate icon on the
right side of the table. You can also add your own rules by clicking on the
Add a new inter-zone firewall rule link at the top.
Please see the preceding section (Outgoing traffic)
for details about handling firewall rules.
The inter-zone firewall can be disabled/enabled as a whole using the Enable Inter-Zone firewall toggle. When disabled, all traffic is allowed between all zones other than the RED zone (not recommended).
Select Firewall from the menu bar at the top of the screen, then select VPN traffic from the submenu on the left side of the screen.
The VPN traffic firewall allows to add firewall rules applied to hosts that are connected via VPN.
The VPN traffic firewall is normally not active, which means traffic can flow freely between the VPN hosts and hosts in the GREEN zone and VPN hosts can access all other zones. Please note that VPN hosts are not subject to the outgoing traffic firewall or the Inter-Zone traffic firewall. If you need to limit access from or to VPN hosts you need to use the VPN traffic firewall.
The handling of the rules is identical to the outgoing traffic firewall.
Please refer to the Outgoing traffic section in this
chapter for details about handling firewall rules.
Select Firewall from the menu bar at the top of the screen, then select System access from the submenu on the left side of the screen.
In this section you can set up rules that grant or deny access to the Endian Firewall itself.
There is a list of preconfigured rules that cannot be changed. This is to guarantee the proper working of the firewall, since these rules are automatically created as they are required by the services the firewall provides. Click on the >> button labeled "Show rules of system services" to show these rules.
Click on the Add a new system access rule link to add your own custom rules here. The following parameters describe the rule:
Source address | - | specify one or more network/host addresses or MAC addresses |
Source interface | - | specify a zone or interface |
Service/Port | - | the destination service: select a service name from the list or specify a protocol and one or more port numbers (1-65535) |
Action | - | what should be done with the packet: accept it, deny it (drop it without feedback to the sender) or reject it (let the sender know the firewall dropped the packet) |
Remark | - | a remark for you to remember the purpose of the system access rule later |
Position | - | at what position in the list should the rule be inserted |
Enabled | - | check to enable rule (default) |
Log all accepted packets | - | Log all accepted packets (besides denied/rejected packets): this is off by default as it will create large volumes of log data |
Click the Add button to confirm your rule. You can then disable/enable, edit or delete each rule from the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).
After making changes or additions to your rule set, do not forget to click the Apply button on the top of the list!