Firewall

Firewall Chains

  • Input firewall - All incoming traffic is tested against the input firewall rules prior to being accepted.
  • Output firewall - All outgoing traffic is tested against the output firewall rules prior to being sent.
  • Forwarding firewall - All traffic that is being forwarded through the operating system is tested against the forwarding firewall rules prior to being forwarded.
  • Flowmark - All incoming traffic that matches the corresponding criteria is marked.

Configuring Firewall Rules

Rules are entries in a chain consisting of several fields (criteria) that can be used to match a data packet. If all criteria are met, the rule is matched and the packet leaves the chain, launching the action of the matching rule.

From the Firewall tab you can:

  • Select Chains
  • Set up Policy
  • Add, delete and manage Firewall Rules and Flowmarks
  • Write rules to the active list
  • Refresh the displayed information

Before configuring a rule, you must select a chain (Select Chain) and set the Policy.

Select Chain
In the Select Chain drop down list, select Input, Output or Forward.
Policy
In the Policy drop down list, select Accept or Drop.
ACCEPT - The packet will flow to the next chain, leaving the current chain at this rule (no further rules in this chain are examined).
DROP - The packet stops flowing and is discarded without notifying the sender.

Configuring Firewall Basic Settings

Click the "+" button. The Firewall Rule Configuration for [chain type] Chain dialog box appears. This dialog box contains two tabs: Basic and Advanced.

Not Check Boxes

In both tabs, several fields have a Not check box beside them. The Not check box inverts the matching operation for that field, so the criterion is met when the packet does not match the configured value. For example, if Source IP is configured with a specific IP address and the adjacent Not check box is selected, the rule will match all packets except the ones that have that Source IP address.

Basic Rule Settings

Source IP
The Source IP field displays the Source IP address of the packet. The address can be expressed as a single IP address (e.g. 192.168.1.1/32), or as a whole IP subnet (e.g. 192.168.1.0/24). A match occurs if the source IP of the packet is exactly the same or belongs to the subnet configured. Type the source IP address and number of subnet mask bits into the Source IP field.
Destination IP
The Destination IP field displays the Destination IP address of the packet. The address can be expressed as a single IP address (e.g. 192.168.1.1/32), or as a whole IP subnet (e.g. 192.168.1.0/24). A match occurs if the destination IP of the packet is exactly the same or belongs to the subnet configured.
Type the destination IP address and number of subnet mask bits into the Destination IP field.
Input Interface
The Input Interface field displays the interface from which the packet was delivered. A match occurs if the interface that the packet arrived from is the same as the configured interface (if the configured interface is a bridge, this also matches with interfaces under the bridge).
In the Input Interface drop down list, select a specific input interface, or select ANY.
Output Interface
The Output Interface field displays the interface from which the packet is to be transmitted. A match occurs if the interface that the packet will be transmitted from is the same as the configured interface (if the configured interface is a bridge, this also matches with interfaces under the bridge).
In the Output Interface drop down list, select a specific output interface, or select ANY.
Existing Flowmark
The Existing Flowmark drop down list contains Flowmarks that have already been configured. Select a Flowmark from the list to use it as a firewall matching criterion. A match occurs if the packet was marked with this mark when it flowed through the Flowmark chain.
New Flowmark
The New Flowmark field is available if Mark is selected in the Action field. Type the name of the new flowmark in the New Flowmark box.
Action
When a rule is matched, its action is performed. Firewall actions can be:
ACCEPT - The packet will flow to the next chain, leaving the current chain at this rule (no further rules in this chain are examined).
REJECT - The packet stops flowing and is discarded, and an ICMP packet (reason code UNREACHABLE) is sent back to the sender.
DROP - The packet stops flowing and is discarded without notifying the sender.
FORWARD - (currently not in use)
MARK - The packet will flow to the next chain, leaving the current chain at this rule (no further rules in this chain are examined). It will be marked with the New Flowmark.
Comment
The Comment field is used to enter a string of at most 30 characters that describes the rule. This field is not used for matching.

Configuring Firewall Advanced Settings

Protocol

The Protocol drop down list contains a list of protocols that can be selected for matching. The contents of the dialog box change depending on the protocol selected. The following selections may be configured in this field:

  • ALL - A match always occurs.
  • TCP - A match occurs if the packet's protocol type is TCP, and the SYN flag of the packet matches the selection in the SYN flag drop down list:
      • ALL - A match always occurs.
      • SET - A match occurs if the packet starts a new connection.
      • NOT SET - A match occurs if the packet is a member of a previously started connection.
    and the ports match:
      • Source Port - The source port is entered as a number (0-65535), where 0 indicates that all ports are matched.
      • Destination Port - The destination port is entered as a number (0-65535), where 0 indicates that all ports are matched.
  • UDP - A match occurs if the packet's protocol type is UDP, and the ports match:
      • Source Port - The source port is entered as a number (0-65535), where 0 indicates that all ports are matched.
      • Destination Port - The destination port is entered as a number (0-65535), where 0 indicates that all ports are matched.
  • ICMP - A match occurs if the packet's protocol type is ICMP, and the ICMP Type matches the selection in the ICMP Type drop down list:
      • ANY - A match always occurs.
      • REQUEST - A match occurs if the packet is an ICMP request.
      • RESPONSE - A match occurs if the packet is an ICMP response.
  • GRE - A match occurs if the packet's protocol type is GRE (Generic Routing Encapsulation).
  • ESP - A match occurs if the packet's protocol type is ESP.
  • AH - A match occurs if the packet's protocol type is AH.
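
The rule fields from the Basic tab and the protocol criteria above combine into a single first-match evaluation per chain. The following is an added example written for this page, not Antcor/Ikarus code: it models a rule as the set of criteria described (address or subnet with the Not box, interfaces, protocol, ports with 0 meaning any, SYN flag, ICMP type) and runs a packet through one chain with a default policy. The Packet and Rule shapes, the field names and the sample chain are assumptions made for illustration.

```python
# Added example, not Antcor/Ikarus code: a first-match evaluator for one
# firewall chain using the rule fields described above. The Packet and Rule
# shapes, field names and the sample rules are assumptions for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP", "ICMP", "GRE", "ESP", "AH"
    sport: int = 0
    dport: int = 0
    syn: bool = False           # TCP only: True when the segment opens a connection
    icmp_type: str = "REQUEST"  # ICMP only: "REQUEST" or "RESPONSE"
    in_if: str = "eth0"
    out_if: str = "eth1"
    marks: Set[str] = field(default_factory=set)   # flowmarks applied so far


@dataclass
class Rule:
    action: str                      # ACCEPT, DROP, REJECT or MARK
    src: Optional[str] = None        # CIDR, e.g. "192.168.1.0/24"; None = not checked
    dst: Optional[str] = None
    not_src: bool = False            # the "Not" check box beside Source IP
    not_dst: bool = False            # the "Not" check box beside Destination IP
    in_if: str = "ANY"
    out_if: str = "ANY"
    proto: str = "ALL"
    sport: int = 0                   # 0 = all ports
    dport: int = 0
    syn: str = "ALL"                 # "ALL", "SET" or "NOT SET"
    icmp_type: str = "ANY"           # "ANY", "REQUEST" or "RESPONSE"
    new_mark: Optional[str] = None   # used when action == "MARK"
    comment: str = ""                # never used for matching


def _addr_match(cidr: Optional[str], addr: str, invert: bool) -> bool:
    """Single address (/32) or subnet match; the Not box inverts the result."""
    if cidr is None:
        return True
    hit = ip_address(addr) in ip_network(cidr, strict=False)
    return hit != invert


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All configured criteria must hold for the rule to match."""
    if not _addr_match(rule.src, pkt.src, rule.not_src):
        return False
    if not _addr_match(rule.dst, pkt.dst, rule.not_dst):
        return False
    if rule.in_if != "ANY" and rule.in_if != pkt.in_if:
        return False
    if rule.out_if != "ANY" and rule.out_if != pkt.out_if:
        return False
    if rule.proto == "ALL":
        return True
    if rule.proto != pkt.proto:
        return False
    if rule.proto in ("TCP", "UDP"):
        if rule.sport and rule.sport != pkt.sport:   # 0 means any port
            return False
        if rule.dport and rule.dport != pkt.dport:
            return False
    if rule.proto == "TCP":
        if rule.syn == "SET" and not pkt.syn:
            return False
        if rule.syn == "NOT SET" and pkt.syn:
            return False
    if rule.proto == "ICMP" and rule.icmp_type not in ("ANY", pkt.icmp_type):
        return False
    return True


def run_chain(rules, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule ends the chain. MARK tags the packet and lets it
    flow on to the next chain like ACCEPT; with no match the policy decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.action == "MARK":
                pkt.marks.add(rule.new_mark)
                return "ACCEPT"
            return rule.action
    return policy


# Constructed sample chain: SSH connection openers from the LAN are marked and
# pass on, SSH from outside the LAN is dropped, everything else hits the policy.
LAN = "192.168.1.0/24"
INPUT_RULES = [
    Rule("MARK", src=LAN, proto="TCP", dport=22, syn="SET", new_mark="lan-ssh",
         comment="LAN ssh openers"),
    Rule("DROP", src=LAN, not_src=True, proto="TCP", dport=22,
         comment="ssh from outside the LAN"),
]

if __name__ == "__main__":
    p = Packet("192.168.1.7", "192.168.1.1", "TCP", sport=40000, dport=22, syn=True)
    print(run_chain(INPUT_RULES, p), p.marks)   # ACCEPT {'lan-ssh'}
```

Note how the second rule relies on the Not box: the same subnet value, inverted, matches every source outside the LAN, while a packet from inside the LAN that is not a connection opener misses both rules and falls through to the chain policy.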

Connection State

Ikarus can perform firewall functions based on the connection state. The following selections may be configured in this field:

  • New - A match occurs if the packet starts a new connection (router has seen packets in one direction).
  • Established - A match occurs if the packet is a member of an existing connection (router has seen packets in both directions).
  • Related - A match occurs if the packet starts a new connection, but is also a member of an existing connection (router has seen packets in both directions).
  • Invalid - A match occurs if the packet is not a member of an existing connection but does not start a connection either (ambiguous packet).
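
The four states are defined by which directions of a flow the router has already seen. The following is an added example, not Ikarus code, that keeps that bookkeeping for a handful of packets and assigns New, Established, Related or Invalid accordingly. The direction-independent flow key, the test that a TCP segment without SYN for an unknown flow is Invalid, and the use of an ICMP error that quotes an established flow as the Related case are assumptions made for this illustration.

```python
# Added example, not Ikarus code: a minimal connection tracker that assigns
# the New / Established / Related / Invalid states defined above by
# remembering which directions of a flow have been seen. The flow key, the
# SYN-based Invalid test and the ICMP-error Related case are assumptions.
from typing import Dict, Set, Tuple


class ConnTracker:
    def __init__(self) -> None:
        # flow key -> set of directions ("fwd" / "rev") already observed
        self.flows: Dict[Tuple, Set[str]] = {}

    @staticmethod
    def _key(proto: str, src: str, sport: int, dst: str, dport: int):
        """Direction-independent key plus the direction this packet travels."""
        a, b = (src, sport), (dst, dport)
        if a <= b:
            return (proto,) + a + b, "fwd"
        return (proto,) + b + a, "rev"

    def classify(self, src: str, sport: int, dst: str, dport: int,
                 proto: str = "TCP", syn: bool = False) -> str:
        key, direction = self._key(proto, src, sport, dst, dport)
        seen = self.flows.get(key)
        if seen is None:
            if proto == "TCP" and not syn:
                # Mid-stream segment of a connection never seen to start:
                # not a member of a known connection and not an opener.
                return "Invalid"
            self.flows[key] = {direction}
            return "New"              # packets seen in one direction only
        seen.add(direction)
        # Established once packets have been seen in both directions.
        return "Established" if len(seen) == 2 else "New"

    def icmp_error(self, src: str, sport: int, dst: str, dport: int,
                   proto: str = "TCP") -> str:
        """An ICMP error quoting an established flow opens no connection of its
        own but belongs to an existing one: Related. Anything else is Invalid."""
        key, _ = self._key(proto, src, sport, dst, dport)
        seen = self.flows.get(key)
        return "Related" if seen is not None and len(seen) == 2 else "Invalid"


if __name__ == "__main__":
    # Constructed sample flow: SSH opener, retransmit, reply, then an ICMP error.
    t = ConnTracker()
    for args in [("10.0.0.5", 40000, "10.0.0.1", 22, "TCP", True),
                 ("10.0.0.5", 40000, "10.0.0.1", 22, "TCP", False),
                 ("10.0.0.1", 22, "10.0.0.5", 40000, "TCP", False)]:
        print(args[:4], t.classify(*args))
    print("icmp error ->", t.icmp_error("10.0.0.5", 40000, "10.0.0.1", 22))
```

A typical use of these states in the Input chain is to accept Established and Related traffic first and to apply the stricter per-service rules only to New packets, so that replies to connections the router already knows are not re-examined.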

Source MAC

A match occurs if the packet's Source MAC address (in the Ethernet header) is the same as the address in this field. Type the Source MAC address in the Source MAC field.

Limit

The Limit fields contain settings related to the rate at which packets arrive.

  • Limit Rate - A match occurs if the configured rate has not been reached yet.
  • Limit Burst - A match occurs if the configured burst rate has not been reached yet.
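
The two Limit fields are easiest to understand as a token bucket: the burst is how many packets may match back to back before the rate takes over, and the rate is how quickly that allowance refills. The following is an added example, not Ikarus code; it assumes that Limit Rate is an average number of matches per second and Limit Burst the bucket size, which is how the classic netfilter limit match behaves, and simulates a burst of packets against one Limit criterion.

```python
# Added example, not Ikarus code: a token-bucket model of the Limit fields.
# Assumes Limit Rate is an average number of matches per second and Limit
# Burst the number of matches allowed back to back before the rate applies.
from typing import List, Optional


class LimitMatch:
    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate = float(rate_per_sec)
        self.burst = int(burst)
        self.tokens = float(burst)   # bucket starts full: a burst is allowed at once
        self.last: Optional[float] = None

    def matches(self, now: float) -> bool:
        """True while the configured rate/burst has not been exhausted."""
        if self.last is not None:
            refill = (now - self.last) * self.rate
            self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals: List[float], rate_per_sec: float, burst: int) -> List[bool]:
    """Run packet arrival times (seconds) through one Limit criterion and
    report which packets the rule would match."""
    lim = LimitMatch(rate_per_sec, burst)
    return [lim.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed sample: ten ICMP requests in the same instant, then three
    # more two seconds later, against Limit Rate 1/s and Limit Burst 5.
    print(simulate([0.0] * 10 + [2.0] * 3, 1, 5))
```

In practice a Limit criterion is paired with a following rule: an ACCEPT rule for ICMP requests with Limit Rate and Limit Burst set, followed by a DROP rule for the same protocol, lets normal ping traffic through while packets arriving faster than the allowance fall to the DROP rule.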