notempty
notempty
notempty Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!
notempty
Der Artikel für die neueste Version steht hier
Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Reseller-Preview bezieht
Implied rules of the UTM
Last adaptation to the version: 12.7.0
New:
- Rule groups are displayed in tiles
This article refers to a Resellerpreview
Implied rules
Settings in menu .
Implied rules have been added for certain use cases. These rules can be easily activated or deactivated by the user as needed. Some of these rules are already active by default.
The access zones are not relevant for these rules.
| Group | Rule | Description | Protocol | Port | Active (Default) |
|---|---|---|---|---|---|
| BlockChain | Activates / deactivates the entire group | ||||
| FailToBan_ssh | Access via ssh.Monitoring with Fail2Ban rules. Wiki article | TCP | 22 | On | |
| FailToBan_http_admin | Access via the Admin Interface. Monitoring with Fail2Ban rules. Wiki article | TCP | 11115* | On | |
| FailToBan_http_user | Access via the User interface. Monitoring with Fail2Ban rules. Wiki article | TCP | 443* | On | |
| FailToBan_smtp | Access via the Mailgateway. Monitoring with Fail2Ban rules. Wiki article | TCP | 25* | On | |
| CaptivePortal | Enable redirection of traffic to a landingpage | ||||
| CaptivePortalPage | Opens an incoming port on the corresponding interface of the firewall that is intended for the captive portal to display the landingpage. | TCP | 8085* | Off | |
| CaptivePortalRedirection | Redirection of traffic to the above mentioned port. | Off | |||
| IPComp | |||||
| IPComp | Accepts connections with IPComp protocol (compression of data packets, IP protocol number 108) | IPComp | Off | ||
| IpsecTraffic | Activates / deactivates the entire group | ||||
| Accept | Accepts incoming and outgoing traffic of an IPSec connection. | On | |||
| No NAT for IPSec connections | Takes all IPSec connections from the NAT |
Off | |||
| Silent Services Accept | Bootp | Accepts
|
UDP | 67 | |
| 68 | |||||
| Silent Services Drop | |||||
| NetBios Datagram | Discards these packages without log message | UDP | 138 | On | |
| NetBios Nameservice | Discards these packages without log message | UDP | 137 | On | |
| NetBios Session Service | Discards these packages without log message | UDP | 139 | On | |
| VPN | |||||
| IPSec IKE | Accepts connections on port 500/UDP | UDP | 500 | On | |
| IPSec ESP | Accepts connections with the ESP protocol (50) | ESP | On | ||
| IPSec NAT Traversal | Accepts connections on port 4500/UDP | UDP | 4500 | On | |
| SSL VPN UDP | Accepts connections on ports for which an SSL VPN instance has been configured with the UDP protocol | UDP | 1194 | On | |
| SSL VPN TCP | Accepts connections on ports for which an SSL VPN instance has been configured with the TCP protocol | TCP | 1194 | On | |
| User Interface Portal | Accepts connections on port 443/TCP. Required for the user interface. | TCP | 443 | On | |
| Wireguard | Enables connections with the Wireguard protocol. | UDP | 51280* | On |
GeoIP | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewall  GeoIP
|
|---|---|---|---|
GeoIP |
Activation status of the rules within the tile | ||
| IPGeoBlockingSrc | On | Activates the GeoIP settings for rejected sources | |
| IPGeoBlockingDst | On | Activates the GeoIP settings for rejected destinations | |
Sources
| |||
| System-wide dropped sources: | BX (random example) | In the click box, countries can be selected that are to be blocked as sources. | |
| Group: | All | Selection from preset groups, which selects e.g. all countries of a continent. | |
| Add | Adds the regions from the selected group | ||
| Remove | Removes the regions from the selected group | ||
| Exceptions: | IP address | Exceptions for system-wide rejected sources can be defined here. | |
Destinations
| |||
| System-wide dropped destinations: | BX (random example) | In the click box, countries can be selected that are to be blocked as targets. This prevents access via browsers as well as, for example, downloaded malicious code. | |
| Exceptions: | IP address | Exceptions for system-wide rejected destinations can be defined here. | |