This article refers to a version that is no longer current!

The article for the latest version can be found here.

A newer version of this article already exists, but it refers to a beta version.
Implied rules of the UTM

Last adaptation to the version: 12.4

New:
  • GeoIP now has its own tab
  • In the GeoIP settings there are now preset groups
This article refers to a Beta version.
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ Firewall →Implied rules


Implied rules

Settings in menu → Firewall →Implied rules.
Implied rules have been added for certain use cases. These rules can be easily activated or deactivated by the user as needed. Some of these rules are already active by default.

The access zones are not relevant for these rules.

Each entry lists the group, the rule, its description, protocol and port, and the default state (Active). Ports marked * can be changed at the location named in the description.

Group: BlockChain
  Activates / deactivates the entire group. Default: On
  Rule: FailToBan_ssh
    Access via ssh. Monitoring with Fail2Ban rules. Configuration at → Applications →IDS / IPS (Wiki article)
    TCP 22, default: On
  Rule: FailToBan_http_admin
    Access via the Admin Interface. Monitoring with Fail2Ban rules. Configuration at → Applications →IDS / IPS (Wiki article)
    Port changes possible at → Network →Appliance Settings
    TCP 11115*, default: On
  Rule: FailToBan_http_user
    Access via the User Interface. Monitoring with Fail2Ban rules. Configuration at → Applications →IDS / IPS (Wiki article)
    Port changes possible at → Network →Appliance Settings
    TCP 443*, default: On
  Rule: FailToBan_smtp
    Access via the Mailgateway. Monitoring with Fail2Ban rules. Configuration at → Applications →IDS / IPS (Wiki article)
    Port changes possible at → Applications →Mailrelay, tab Smarthost
    TCP 25*, default: On

Group: CaptivePortal
  Enable redirection of traffic to a landing page. Default: Off
  Rule: CaptivePortalPage
    Opens an incoming port on the corresponding interface of the firewall that is intended for the captive portal to display the landing page.
    Port changes possible at → Applications →Captive Portal, tab Advanced
    TCP 8085*, default: Off
  Rule: CaptivePortalRedirection
    Redirection of traffic to the above mentioned port. Default: Off

Group: IPComp
  Rule: IPComp
    Accepts connections with the IPComp protocol (compression of data packets, IP protocol number 108).
    Protocol IPComp, default: Off

Group: IpsecTraffic
  Activates / deactivates the entire group. Default: Off
  Rule: Accept
    Accepts incoming and outgoing traffic of an IPSec connection. Default: On
  Rule: No NAT for IPSec connections
    Takes all IPSec connections out of the NAT, i.e. in the default state IPSec connections are also NATed. Default: Off

Group: Silent Services Accept
  Rule: Bootp
    Accepts requests for the bootstrap protocol Bootp (to transmit an IP address and possibly further parameters) and requests for DHCP (an extension of Bootp).
    UDP 67, 68, default: On

Group: Silent Services Drop
  Rule: NetBios Datagram
    Discards these packets without a log message. UDP 138, default: On
  Rule: NetBios Nameservice
    Discards these packets without a log message. UDP 137, default: On
  Rule: NetBios Session Service
    Discards these packets without a log message. UDP 139, default: On

Group: VPN
  Rule: IPSec IKE
    Accepts connections on port 500/UDP. UDP 500, default: On
  Rule: IPSec ESP
    Accepts connections with the ESP protocol (50). Protocol ESP, default: On
  Rule: IPSec NAT Traversal
    Accepts connections on port 4500/UDP. UDP 4500, default: On
  Rule: SSL VPN UDP
    Accepts connections on ports for which an SSL VPN instance has been configured with the UDP protocol. UDP 1194, default: On
  Rule: SSL VPN TCP
    Accepts connections on ports for which an SSL VPN instance has been configured with the TCP protocol. TCP 1194, default: On
  Rule: User Interface Portal
    Accepts connections on port 443/TCP. Required for the user interface. TCP 443, default: Off
  Rule: Wireguard
    Enables connections with the WireGuard protocol.
    Port changes possible at → VPN →WireGuard, button "edit connection"
    UDP 51280*, default: Off
System-wide blocking

Note: the access path was moved and the layout updated in v14.0.1.

Under → Applications →IDS/IPS, area System-wide blocking, you can block IP addresses system-wide.

    Individual IP addresses or entire GeoIP groups can be blocked as sources and/or destinations.
These settings apply system-wide in all zones and are applied before the packet filter rules!

[Screenshot: Implied Rules, UTMuser@firewall.name.fqdn, Firewall: configuration for system-wide blocking]

The following entries list each caption, its value and a description.

IP addresses (new as of v14.0.1)
  Reject source addresses system-wide: Yes
    Activates the rejection of IP addresses as sources
  Reject destination addresses system-wide: Yes
    Activates the rejection of IP addresses as destinations
  IP addresses: 203.0.113.13
    IP addresses that are blocked system-wide on all interfaces
    • This appears in the log under All packet filter messages, e.g.: ulgogd REJECT: IPBlockingList_RejectSrc
    • Only individual IP addresses, not a range, can be blocked

GeoIP sources
  Reject GeoIP sources system-wide: On
    Activates the GeoIP settings for rejected sources
  System-wide dropped sources: BX (random example)
    In the click box, countries can be selected that are to be blocked as sources.
  Group: All
    Selection from preset groups, which selects e.g. all countries of a continent.
  Add
    Adds the regions from the selected group
  Remove
    Removes the regions from the selected group
  Exceptions: IP address
    Exceptions for system-wide rejected sources can be defined here.

GeoIP destinations
  Reject GeoIP destinations system-wide: On
    Activates the GeoIP settings for rejected destinations
  System-wide dropped destinations: BX (random example)
    In the click box, countries can be selected that are to be blocked as destinations.
    This prevents access via browsers as well as, for example, downloaded malicious code.
  Group: All
    Selection from preset groups, which selects e.g. all countries of a continent.
  Add
    Adds the regions from the selected group
  Remove
    Removes the regions from the selected group
  Exceptions: IP address
    Exceptions for system-wide rejected destinations can be defined here.
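The two sections above describe an evaluation order: the system-wide blocks (IP list, GeoIP sources and destinations with their exception lists) are applied in all zones before any packet filter rule, and the implied rules only take effect when both their group switch and the rule itself are on. The following Python model, added here as an illustration and not Securepoint's own code, encodes the default implied rule table from this page and the blocking options so the effect on a packet can be checked offline. The GeoIP lookup table, the sample addresses and the function names (`country_of`, `evaluate`, `SystemWideBlocks`) are constructed for the example; groups without a documented switch are assumed to be enabled, and the log tag for a destination hit is not on the page, so a descriptive string is used instead.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed GeoIP table for the demo (the UTM uses its own GeoIP database).
# "BX" is the page's random example country code.
GEOIP = {
    "203.0.113.0/24": "BX",
    "198.51.100.0/24": "DE",
    "192.0.2.0/24": "US",
}


def country_of(ip: str) -> Optional[str]:
    """Map an address to a country code using the constructed table above."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None


@dataclass
class SystemWideBlocks:
    """Applications > IDS/IPS > System-wide blocking (applied before the packet filter)."""
    reject_src_ips: bool = True
    reject_dst_ips: bool = True
    blocked_ips: Set[str] = field(default_factory=set)   # single addresses only, no ranges
    reject_geoip_src: bool = False
    blocked_src_countries: Set[str] = field(default_factory=set)
    src_exceptions: Set[str] = field(default_factory=set)
    reject_geoip_dst: bool = False
    blocked_dst_countries: Set[str] = field(default_factory=set)
    dst_exceptions: Set[str] = field(default_factory=set)


@dataclass
class ImpliedRule:
    group: str
    name: str
    proto: str               # "tcp", "udp", "esp", "ipcomp"
    ports: Tuple[int, ...]   # empty tuple = protocol without ports (ESP, IPComp)
    action: str              # "accept" or "drop" (silent drop, no log message)
    active: bool             # default setting from the table on this page


# Default implied rules as documented above (ports marked * on the page are configurable).
IMPLIED_RULES: List[ImpliedRule] = [
    ImpliedRule("BlockChain", "FailToBan_ssh", "tcp", (22,), "accept", True),
    ImpliedRule("BlockChain", "FailToBan_http_admin", "tcp", (11115,), "accept", True),
    ImpliedRule("BlockChain", "FailToBan_http_user", "tcp", (443,), "accept", True),
    ImpliedRule("BlockChain", "FailToBan_smtp", "tcp", (25,), "accept", True),
    ImpliedRule("CaptivePortal", "CaptivePortalPage", "tcp", (8085,), "accept", False),
    ImpliedRule("IPComp", "IPComp", "ipcomp", (), "accept", False),
    ImpliedRule("Silent Services Accept", "Bootp", "udp", (67, 68), "accept", True),
    ImpliedRule("Silent Services Drop", "NetBios Datagram", "udp", (138,), "drop", True),
    ImpliedRule("Silent Services Drop", "NetBios Nameservice", "udp", (137,), "drop", True),
    ImpliedRule("Silent Services Drop", "NetBios Session Service", "udp", (139,), "drop", True),
    ImpliedRule("VPN", "IPSec IKE", "udp", (500,), "accept", True),
    ImpliedRule("VPN", "IPSec ESP", "esp", (), "accept", True),
    ImpliedRule("VPN", "IPSec NAT Traversal", "udp", (4500,), "accept", True),
    ImpliedRule("VPN", "SSL VPN UDP", "udp", (1194,), "accept", True),
    ImpliedRule("VPN", "SSL VPN TCP", "tcp", (1194,), "accept", True),
    ImpliedRule("VPN", "User Interface Portal", "tcp", (443,), "accept", False),
    ImpliedRule("VPN", "Wireguard", "udp", (51280,), "accept", False),
]

# Group switches with their documented default state; groups without a documented
# switch are treated as enabled (assumption for this example).
GROUPS: Dict[str, bool] = {
    "BlockChain": True, "CaptivePortal": False, "IPComp": False, "IpsecTraffic": False,
    "Silent Services Accept": True, "Silent Services Drop": True, "VPN": True,
}

# Constructed default: the page's example address on the system-wide IP block list.
DEFAULT_BLOCKS = SystemWideBlocks(blocked_ips={"203.0.113.13"})


def evaluate(src: str, dst: str, proto: str, dport: Optional[int] = None,
             blocks: SystemWideBlocks = DEFAULT_BLOCKS,
             groups: Dict[str, bool] = GROUPS) -> Tuple[str, str]:
    """Return (decision, reason) for one packet: "reject" from a system-wide block,
    "accept"/"drop" from an implied rule, or "packet filter" when no implied rule
    matched and the regular packet filter rules decide."""
    # 1. System-wide blocks: all zones, before any packet filter rule.
    if blocks.reject_src_ips and src in blocks.blocked_ips:
        return "reject", "IPBlockingList_RejectSrc"        # log tag quoted on the page
    if blocks.reject_dst_ips and dst in blocks.blocked_ips:
        return "reject", "IP blocking list (destination)"  # descriptive, tag not on the page
    src_cc, dst_cc = country_of(src), country_of(dst)
    if (blocks.reject_geoip_src and src_cc in blocks.blocked_src_countries
            and src not in blocks.src_exceptions):
        return "reject", f"GeoIP source {src_cc}"
    if (blocks.reject_geoip_dst and dst_cc in blocks.blocked_dst_countries
            and dst not in blocks.dst_exceptions):
        return "reject", f"GeoIP destination {dst_cc}"
    # 2. Implied rules: a rule only counts when its group and the rule itself are on.
    for r in IMPLIED_RULES:
        if not (groups.get(r.group, True) and r.active):
            continue
        if r.proto == proto and (not r.ports or dport in r.ports):
            return r.action, r.name
    return "packet filter", "no implied rule matched"


if __name__ == "__main__":
    for pkt in [("203.0.113.13", "192.0.2.10", "tcp", 22),
                ("198.51.100.5", "192.0.2.10", "udp", 137),
                ("198.51.100.5", "192.0.2.10", "tcp", 8085)]:
        print(pkt, "->", evaluate(*pkt))
```

Running the block shows the precedence the page describes: the listed address is rejected before the FailToBan_ssh rule is ever consulted, NetBIOS name service traffic is dropped silently by the Silent Services Drop group, and TCP 8085 falls through to the regular packet filter because the CaptivePortal group is off by default.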