The Firewall Menu

Select Firewall from the menu bar at the top of the screen.

This section allows setting up the rules that specify if and how IP traffic flows through your Endian UTM Appliance. The following links appear in the submenu on the left side of the screen:

  • Port forwarding / NAT - configure port forwarding and NAT (network address translation)
  • Outgoing traffic - allow or disallow outgoing (towards RED) traffic - settings are per zone, host, port, etc.
  • Inter-Zone traffic - allow or disallow traffic between zones
  • VPN traffic - specify whether hosts connecting through a VPN should be firewalled
  • System access - grant access to the Endian UTM Appliance host itself

Each of these subsections will be explained individually in the following chapters.

Port forwarding / NAT

Select Firewall from the menu bar at the top of the screen, then select Port forwarding / NAT from the submenu on the left side of the screen.

Destination NAT

Changed in version 2.3.

Destination NAT is usually used to allow limited network access from an untrusted network or to map certain ports to another address. It is possible to define which port on which interface should be forwarded to a given host and port.

Source
In this field you can specify whether destination NAT should be performed on all outgoing connections that are initiated from any source, an interface or uplink, an IP address or by a VPN user. If you choose Zone/VPN/Uplink you can select the source zone, uplink or interface to which this rule should be applied. If you choose Network/IP/Range you must enter IP or network addresses into the textarea below (one address per line). If you choose OpenVPN User you can select the users you want from the multiselection field below.
Target
In this field you can specify whether destination NAT should be performed on all outgoing connections that are going to an interface or uplink, an IP address or a VPN user. If you choose Zone/VPN/Uplink you can select the destination zone, uplink or interface to which this rule should be applied. If you choose Network/IP/Range you must enter IP or network addresses into the textarea below (one address per line). If you choose OpenVPN User you can select the users you want from the multiselection field below.
Filter policy
Here you can specify what to do with packets that match the current rule. Valid options are Allow with IPS, Allow, Drop and Reject.
Service/Port
This consists of two fields. You can choose a pre-defined Service or can select a Protocol: TCP, UDP, GRE (generic routing encapsulation - used by tunnels). If you choose TCP, UDP or TCP+UDP you can also enter a target port or a target port range.
Translate to
With these four fields you can specify how to translate the destination. In the Type field you can specify whether to forward to a single IP, to an OpenVPN User, to perform Load Balancing or to map the network. Depending on your selection additional targets are shown. If you do not select Map network you can also explicitly define not to perform network address translation in the DNAT policy field. This can be useful if you want to do NAT for all addresses in a subnet but one.
Enabled
Check to enable rule (default)
Log
Log all packets that match this rule
Remark
A remark for you to remember the purpose of the forward rule later
Position
Choose in which position this rule should be saved.

Click the Create Rule button to confirm your rule. You can then disable/enable, edit or delete each rule from the list by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

After making changes or additions to your rule set, do not forget to click the Apply button on the top of the screen!

Warning

When selecting IP, OpenVPN User or Load balancing as the Translate to Type you must keep in mind that the ports will not be mapped 1:1 but a round robin balancing is performed. Therefore mapping destination ports 137:139 to destination ports 137:139 will result in these ports being used randomly. Leave the translation Port/Range field empty in this case!

Note

The Map network translation statically maps a whole network of addresses onto another network of addresses. This can be useful for companies whose subsidiaries all use the same internal network. In this case all these networks can be connected to each other through network mapping.

An example would be:

original network 1: 192.168.0.0/24
mapped   network 1: 192.168.1.0/24
original network 2: 192.168.0.0/24
mapped   network 2: 192.168.1.1/24

Source NAT

In this section you can define to which outgoing connections source network address translation (Source NAT) should be applied. Source NAT can be useful if a server behind your Endian UTM Appliance has its own external IP and outgoing packets should therefore not use the RED IP address of the firewall. Adding Source NAT rules is similar to adding port forwarding rules. The following options are available:

Source
In this field you can specify whether outgoing connections that are initiated from a network or IP address, or connections initiated by a VPN user should be Source NATed. If you choose the first Type you must then enter IP or network addresses into the textarea below (one address per line). If you choose the second Type you can select the users you want from the multiselection field below.
Destination
In this field you can specify whether connections to a Zone/VPN/Uplink, to a Network/IP or to a User should be NATed. If you choose the first Type you must then select a zone, a VPN or an uplink from the multiselection field below. If you choose the second Type you must enter IP or network addresses into the textarea below (one address per line). If you choose the third Type you can select the users you want from the multiselection field below.
Service/Port
Here you can specify the service that should be NATed. In the Service selectbox you can select pre-defined values for different protocols. If you want to specify a service yourself you must select the protocol in the Protocol selectbox and, should you want to add a port as well, enter the destination ports into the Destination port textarea (one port per line).
NAT
Here you can choose whether you want to apply Source NAT or not. If you choose to use source network address translation you can select the IP address that should be used. The Auto entries will automatically choose the IP address depending on the outgoing interface.

New in version 2.3.

When choosing the MAP Network option here all IPs from the source subnet will be statically mapped to another network of the same size.

In certain cases you may want to explicitly declare that no Source NAT should be performed, e.g. if a server in your DMZ is configured with an external IP and you do not want its outgoing connections to have your RED IP as source.

Enabled
Tick this checkbox if the rule should be applied.
Remark
You can enter a short note here so you can later remember the purpose of this rule.
Position
Here you can specify after which rule you want to insert this rule.

To save the rule just click on the Save button.

Configuring an SMTP server running on IP 123.123.123.123 (assuming that 123.123.123.123 is an additional IP address of your uplink) in the DMZ with source NAT:

  1. Configure your ORANGE zone as you like.
  2. Set up the SMTP server to listen on port 25 on an IP in the ORANGE zone.
  3. Add a static ethernet uplink with IP 123.123.123.123 to your Endian UTM Appliance in the Network, Interfaces section.
  4. Add a source NAT rule and specify the ORANGE IP of the SMTP server as source address. Be sure to use NAT and set the NATed source IP address to 123.123.123.123.
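The following Python model is an added example, not part of the Endian documentation or product code. It shows how the Source NAT options described above (a fixed NAT address as in the SMTP walkthrough, Auto, explicit no NAT, and the MAP Network option from the Map network note) decide which source address an outgoing packet leaves with, using first-match rule evaluation. The uplink table, the ORANGE server address 10.0.2.25, the DMZ host 203.0.113.40 and the rule list are constructed for illustration; the fallback of using the outgoing interface's address when no rule matches is an assumption about the default behaviour.

```python
"""Source NAT decision model (added example, not Endian code).

Every address, uplink and rule below is constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional


def map_network(addr: str, original: str, mapped: str) -> IPv4Address:
    """Statically map one address of `original` onto `mapped` (MAP Network).

    The network part is replaced and the host part is kept, so 192.168.0.57
    in 192.168.0.0/24 becomes 192.168.1.57 in 192.168.1.0/24.  Both networks
    must be the same size, as the MAP Network option requires.
    """
    src = ip_address(addr)
    orig_net = ip_network(original, strict=False)
    map_net = ip_network(mapped, strict=False)
    if orig_net.prefixlen != map_net.prefixlen:
        raise ValueError("original and mapped networks must be the same size")
    if src not in orig_net:
        raise ValueError(f"{src} is not in {orig_net}")
    host_bits = int(src) & int(orig_net.hostmask)
    return IPv4Address(int(map_net.network_address) | host_bits)


@dataclass
class SnatRule:
    source: str                       # network/IP the rule matches
    nat: str                          # "ip", "auto", "none" or "map"
    nat_ip: Optional[str] = None      # fixed NATed source address for nat == "ip"
    mapped_net: Optional[str] = None  # target subnet for nat == "map"


# Constructed uplink table: outgoing interface -> its RED address.
# 123.123.123.123 is the additional uplink IP from the SMTP walkthrough.
UPLINKS = {"uplink0": "198.51.100.10", "uplink1": "123.123.123.123"}

# Constructed rule set, evaluated top to bottom, first match wins.
RULES: List[SnatRule] = [
    # Step 4 of the walkthrough: the SMTP server's ORANGE IP leaves as 123.123.123.123
    SnatRule(source="10.0.2.25/32", nat="ip", nat_ip="123.123.123.123"),
    # A DMZ host that already carries an external IP: explicitly no NAT
    SnatRule(source="203.0.113.40/32", nat="none"),
    # MAP Network: whole subnet statically mapped onto a same-size subnet
    SnatRule(source="192.168.0.0/24", nat="map", mapped_net="192.168.1.0/24"),
    # Everything else: Auto picks the address of the outgoing interface
    SnatRule(source="0.0.0.0/0", nat="auto"),
]


def translate_source(src: str, out_iface: str, rules: List[SnatRule]) -> str:
    """Return the source address the packet leaves with."""
    for rule in rules:
        if ip_address(src) not in ip_network(rule.source, strict=False):
            continue
        if rule.nat == "none":
            return src
        if rule.nat == "ip":
            return rule.nat_ip
        if rule.nat == "auto":
            return UPLINKS[out_iface]
        if rule.nat == "map":
            return str(map_network(src, rule.source, rule.mapped_net))
    # Assumption: with no matching rule the packet is masqueraded behind
    # the address of the outgoing interface.
    return UPLINKS[out_iface]


if __name__ == "__main__":
    for src, iface in [("10.0.2.25", "uplink1"), ("203.0.113.40", "uplink0"),
                       ("192.168.0.57", "uplink0"), ("10.0.1.5", "uplink0")]:
        print(f"{src:>14} via {iface} -> {translate_source(src, iface, RULES)}")
```

Note that `map_network` refuses networks of different prefix lengths, which is the same constraint the MAP Network option imposes: the mapping only keeps the host bits, so both subnets must be the same size.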

Incoming routed traffic

New in version 2.3.

With this module you can redirect traffic that has been routed through your Endian UTM Appliance. This is very useful if you have more than one external IP address and want to use some of them in your DMZ without having to use NAT.

Source
In this field you can specify whether this rule should match all traffic coming from an untrusted site (<RED>), traffic from an Uplink you select or traffic coming from a Network/IP you specify.
Target
In this field you can specify whether this rule should match <ANY> traffic, traffic to a zone you select or traffic to certain Network/IP addresses you specify.
Service/Port
This consists of two fields. You can choose a pre-defined Service or can select a Protocol: TCP, UDP, GRE (generic routing encapsulation - used by tunnels). If you choose TCP, UDP or TCP+UDP you can also enter a target port or a target port range.
Action
Here you can specify what to do with packets that match the current rule. Valid options are Allow with IPS, Allow, Drop and Reject.
Enabled
Check to enable rule (default).
Log all accepted packets
Log all packets that match this rule.
Remark
A remark for you to remember the purpose of the forward rule later.
Position
Choose in which position this rule should be saved.

Click the Create Rule button to confirm your rule. You can then disable/enable, edit or delete each rule from the list by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

After making changes or additions to your rule set, do not forget to click the Apply button on the top of the screen!

Outgoing traffic

Select Firewall from the menu bar at the top of the screen, then select Outgoing traffic from the submenu on the left side of the screen. Endian UTM Appliance comes with a preconfigured set of rules that allow outgoing traffic (i.e. “internet access”) from the GREEN zone for the most common services (HTTP, HTTPS, FTP, SMTP, POP, IMAP, POP3s, IMAPs, DNS, ping). All other services are blocked by default.

Likewise, access to HTTP, HTTPS, DNS and ping is allowed from the BLUE zone (WLAN) while only DNS and ping are allowed from the ORANGE zone (DMZ).

Everything else is forbidden by default.

In this section you can disable/enable, edit or delete rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom). You can also add your own rules by clicking on the Add a new firewall rule link at the top. Please consider that the order of rules is important: the first matching rule decides whether a packet is allowed or denied, no matter how many matching rules might follow. You can change the order of rules using the arrow down/up icons next to each rule.

A rule is defined by the following parameters:

Source
select a zone or interface, specify one or more network/host addresses or MAC addresses
Destination
select the entire RED zone, one or more uplinks or one or more network/host addresses
Service Port
the destination service: select a service name from the list or specify a protocol and one or more port numbers (1-65535)
Action
What should be done with the packet: ALLOW with IPS will send the packet to the Intrusion Prevention System for inspection, ALLOW will always accept the packet, DENY will drop it without feedback to the sender while REJECT will let the sender know that the firewall dropped the packet.
Remark
A remark for you to remember the purpose of the firewall rule later.
Position
At what position in the list should the rule be inserted.
Enabled
Check to enable this rule (default).
Log all accepted packets
Log all accepted packets (does not include denied/rejected packets): this is off by default as it will create large volumes of log data.

After making changes to a rule, do not forget to click the Apply button on the top of the list!

At the bottom of the page you can also find the rules that are set automatically by Endian UTM Appliance depending on your configuration. It is possible to disable or enable the whole outgoing firewall by using the Enable Outgoing firewall toggle. When disabled, all outgoing traffic is allowed (not recommended).
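The following Python model is an added example, not Endian code. It reproduces the rule semantics described above: the first matching rule decides the verdict, DENY drops silently while REJECT gives feedback to the sender, "Log all accepted packets" only logs accepted traffic, the Enable Outgoing firewall toggle bypasses the whole rule set, and anything not matched falls through to the default deny. The rule set encodes the preconfigured GREEN, BLUE and ORANGE defaults listed in the text; the port numbers assigned to the named services and the `Rule`/`Verdict` types are this example's own assumptions.

```python
"""First-match outgoing firewall evaluator (added example, not Endian code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ACTIONS = ("ALLOW_IPS", "ALLOW", "DENY", "REJECT")


@dataclass(frozen=True)
class Rule:
    source_zone: str            # GREEN, BLUE or ORANGE
    proto: str                  # "tcp", "udp" or "icmp"
    ports: FrozenSet[int]       # destination ports; empty means any port
    action: str                 # one of ACTIONS
    log: bool = False           # "Log all accepted packets"
    remark: str = ""


@dataclass
class Verdict:
    action: str
    matched: Optional[Rule]     # None when the default policy applied
    feedback_to_sender: bool    # True only for REJECT
    logged: bool


def rule(zone: str, proto: str, ports: List[int], action: str = "ALLOW", **kw) -> Rule:
    return Rule(zone, proto, frozenset(ports), action, **kw)


# Preconfigured defaults from the text; standard port numbers are assumed.
DEFAULT_RULES: List[Rule] = [
    rule("GREEN", "tcp", [80, 443, 21, 25, 110, 143, 995, 993, 53], remark="common services"),
    rule("GREEN", "udp", [53], remark="DNS"),
    rule("GREEN", "icmp", [], remark="ping"),
    rule("BLUE", "tcp", [80, 443, 53], remark="WLAN web + DNS"),
    rule("BLUE", "udp", [53]),
    rule("BLUE", "icmp", []),
    rule("ORANGE", "tcp", [53], remark="DMZ DNS only"),
    rule("ORANGE", "udp", [53]),
    rule("ORANGE", "icmp", []),
]


def evaluate(zone: str, proto: str, dport: Optional[int], rules: List[Rule],
             firewall_enabled: bool = True) -> Verdict:
    """Return the verdict for one packet; the first matching rule wins."""
    if not firewall_enabled:
        # Enable Outgoing firewall toggle off: everything is allowed.
        return Verdict("ALLOW", None, False, False)
    for r in rules:
        if r.source_zone != zone or r.proto != proto:
            continue
        if r.ports and dport not in r.ports:
            continue
        accepted = r.action in ("ALLOW", "ALLOW_IPS")
        return Verdict(r.action, r, r.action == "REJECT", r.log and accepted)
    # No rule matched: everything else is forbidden by default.
    return Verdict("DENY", None, False, False)


def insert_rule(rules: List[Rule], new: Rule, position: int) -> List[Rule]:
    """Return a new list with `new` at `position` (0 = top), as the Position field does."""
    return rules[:position] + [new] + rules[position:]


if __name__ == "__main__":
    block_smtp = rule("GREEN", "tcp", [25], "REJECT", log=True, remark="no direct SMTP")
    for label, ruleset in [("reject at top", insert_rule(DEFAULT_RULES, block_smtp, 0)),
                           ("reject at bottom", insert_rule(DEFAULT_RULES, block_smtp, len(DEFAULT_RULES)))]:
        v = evaluate("GREEN", "tcp", 25, ruleset)
        print(f"{label}: GREEN tcp/25 -> {v.action} (matched: {v.matched.remark if v.matched else 'default'})")
```

The two runs at the bottom show why rule order matters: the REJECT rule only takes effect when it sits above the preconfigured GREEN allow rule; placed below it, the earlier allow rule already decided the packet's fate.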

Inter-Zone traffic

Select Firewall from the menu bar at the top of the screen, then select Inter-Zone traffic from the submenu on the left side of the screen.

This section allows you to set up rules that determine how traffic can flow between the different network zones, excluding the RED zone. Endian UTM Appliance comes with a simple set of preconfigured rules: traffic is allowed from the GREEN zone to any other zone (ORANGE and BLUE) and traffic is allowed within each zone.

Everything else is forbidden by default.

Analogous to the outgoing traffic firewall you can disable/enable, edit or delete rules by clicking on the appropriate icon on the right side of the table. You can also add your own rules by clicking on the Add a new inter-zone firewall rule link at the top. Please see the preceding section (Outgoing traffic) for details about handling firewall rules.

The inter-zone firewall can be disabled/enabled as a whole using the Enable Inter-Zone firewall toggle. When disabled, all traffic is allowed between all zones other than the RED zone (not recommended).

VPN traffic

Select Firewall from the menu bar at the top of the screen, then select VPN traffic from the submenu on the left side of the screen.

The VPN traffic firewall allows you to add firewall rules that apply to hosts connected via VPN.

The VPN traffic firewall is normally not active, which means traffic can flow freely between the VPN hosts and hosts in the GREEN zone and VPN hosts can access all other zones. Please note that VPN hosts are not subject to the outgoing traffic firewall or the Inter-Zone traffic firewall. If you need to limit access from or to VPN hosts you need to use the VPN traffic firewall.

The handling of the rules is identical to the outgoing traffic firewall. Please refer to the Outgoing traffic section in this chapter for details about handling firewall rules.

System access

Select Firewall from the menu bar at the top of the screen, then select System access from the submenu on the left side of the screen.

In this section you can set up rules that grant or deny access to the Endian UTM Appliance itself.

There is a list of preconfigured rules that cannot be changed. This is to guarantee the proper working of the firewall, since these rules are automatically created as they are required by the services the firewall provides. Click on the >> button labeled “Show rules of system services” to show these rules.

Click on the Add a new system access rule link to add your own custom rules here. The following parameters describe the rule:

Source address
specify one or more network/host addresses or MAC addresses
Source interface
specify a zone or interface
Service/Port
the destination service: select a service name from the list or specify a protocol and one or more port numbers (1-65535)
Action
what should be done with the packet: accept it, deny it (drop it without feedback to the sender) or reject it (let the sender know the firewall dropped the packet)
Remark
a remark for you to remember the purpose of the system access rule later
Position
at what position in the list should the rule be inserted
Enabled
check to enable rule (default)
Log all accepted packets
Log all accepted packets (does not include denied/rejected packets): this is off by default as it will create large volumes of log data

Click the Add button to confirm your rule. You can then disable/enable, edit or delete each rule from the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

After making changes or additions to your rule set, do not forget to click the Apply button on the top of the list!

Firewall Diagrams

On this page you can find a list of all firewall modules. For each of the modules a diagram has been created for better understanding.

By clicking on a diagram a bigger version will appear.