This article refers to a version that is no longer current!

The article for the latest version can be found here.

There is already a newer version of this article, but it refers to a beta version.
Creating and using packet filter rules, network objects, services and time profiles

Last adaptation to the version: 14.0.1 (01.2025)

New: This article refers to a Beta version

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115

Firewall Packet Filter


  • The port filter was renamed to packet filter in version 12.6, which describes its mode of operation much better.
    The function and arrangement in the menu have remained identical.


  • In version 12.7.1.1, iptables temporarily becomes the default rule engine again.
    For test purposes, iptables can be replaced by nftables.
    nftables offers more flexibility and more up-to-date kernel support and was developed as a replacement for iptables.
    The rule engine is switched on the CLI with:
    system rule_engine set value "nftables"
    or
    system rule_engine set value "iptables"

  • Packet filter Description

    The packet filter controls the data traffic that passes through the UTM.

    • All network packets that pass through the UTM are filtered and only forwarded on the basis of packet filter rules.
    • It is irrelevant whether the destination address and source address of the packet are in the same network, in different local networks, or in the Internet and a local network.
    • Based on the source IP, destination IP and service used, the rules are checked from top to bottom.
      The sequential number # in front of a rule indicates the order of rule creation and is permanently retained. It does not indicate the order in which the rules are processed!
    • A rule that has been created can subsequently be moved in the order by dragging it by its handle icon.
  • If an exception is to be created for a rule, the (more specific) exception must be defined first and only then the more general rule.
    If the exception rule applies to a packet, the specified action is carried out and packet filter processing ends.
    If the exception rule does not apply, the more general rule is checked next.
    If this rule then applies, the action specified there is executed.

  • If no applicable rule exists for a data packet, the packet is discarded (Default Drop).
  • A packet filter rule contains several elements:




    Packet filter rule

    • The basic structure of a rule is:
      Source → Destination → Service → Action
    • With copy rules, rules can be copied. The Add Rule dialogue opens with a copy of the respective rule.
    • Logging can be changed directly in the overview for individual rules or rule groups (see section Logging) and, new from v14.0, with the button Packetfilter Log for the individual rules or with Packetfilter Log for all rules.
  • Logging is based on the log attribute and not on the ID, which is not guaranteed to be unique and may therefore result in incorrectly displayed logging entries.
  • Typical examples:

    | Purpose | # | Source | Destination | Service | NAT | Logging | Action | Cloud | Active |
    | The Internet should be accessible from the internal network | 7 | internal-network | internet | default-internet | HN | - | Accept | | On |
    | The dmz1 network should be accessible for all services from the internal network | 8 | internal-network | dmz1-network | any | | - | Accept | | On |
    | A server in the internal network is to be accessible from outside via ssh | 9 | internet | internal-network | ssh | DN ➞ | 3/Min | Accept | | On |
    | The Internet should be accessible from the internal network, but no ftp should be enabled! | 10 | internal-network | internet | ftp | | 3/Min | Drop | | On |
    | | 7 | internal-network | internet | default-internet | HN | All | Accept | | On |

  • The packet filter is processed from top to bottom. If a rule applies, the check of the set of rules is terminated and the configured action is executed. Therefore, the prohibition of ftp must come before the general permission rule. A rule that has been created can be moved with drag and drop on its handle icon and placed specifically in the order.
  • If a rule was created via the VPN configuration, this is shown in the Cloud-managed column. These rules cannot be copied, edited or deleted.

    | Source | Destination | Service | NAT | Logging | Action | Active |
    | LG2-internal-networks | vpn-netzwerk | default-internet | | - | ACCEPT | On |
    | vpn-netzwerk | LG2-internal-networks | LG2-any-service | | - | ACCEPT | On |
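The top-to-bottom, first-match evaluation and the Default Drop described above, as an added example that is not part of the wiki or of the UTM's own code. The network object addresses, the service definitions and the port-spec parser (`parse_ports`, which also understands the `137:138` range notation used in the service lists below) are assumptions constructed for the demo; zones are left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample network objects (addresses are assumptions for this demo).
NETWORK_OBJECTS = {
    "internal-network": ipaddress.ip_network("192.168.175.0/24"),
    "dmz1-network": ipaddress.ip_network("192.168.176.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}


def parse_ports(spec: str) -> tuple:
    """Turn a port spec like '53' or '137:138' into an inclusive (low, high) range."""
    low, _, high = spec.partition(":")
    return int(low), int(high or low)


# Services as (protocol, port range); "any" matches every protocol and port.
SERVICES = {
    "ssh": [("tcp", parse_ports("22"))],
    "ftp": [("tcp", parse_ports("21"))],
    "any": [("any", (0, 65535))],
    "default-internet": [("udp", parse_ports("53")), ("tcp", parse_ports("21")),
                         ("tcp", parse_ports("80")), ("tcp", parse_ports("443"))],
}


@dataclass
class Rule:
    rule_id: int      # the "#" in the overview: creation order, not processing order
    source: str
    destination: str
    service: str
    action: str       # ACCEPT / DROP / REJECT


def service_matches(name: str, proto: str, dport: int) -> bool:
    return any((p == "any" or p == proto) and lo <= dport <= hi
               for p, (lo, hi) in SERVICES[name])


def first_match(rules, src_ip: str, dst_ip: str, proto: str, dport: int):
    """Check rules top to bottom; the first match decides and processing stops.
    No match means Default Drop (returned with rule id None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in NETWORK_OBJECTS[rule.source]
                and dst in NETWORK_OBJECTS[rule.destination]
                and service_matches(rule.service, proto, dport)):
            return rule.action, rule.rule_id
    return "DROP", None


# The wiki's example set in processing order: the ftp exception (#10) is placed
# above the general default-internet rule (#7), although it was created later.
RULES = [
    Rule(10, "internal-network", "internet", "ftp", "DROP"),
    Rule(7, "internal-network", "internet", "default-internet", "ACCEPT"),
    Rule(8, "internal-network", "dmz1-network", "any", "ACCEPT"),
]

# Same rules with the exception below the general rule: the DROP never fires,
# because default-internet already contains ftp and matches first.
RULES_WRONG_ORDER = [RULES[1], RULES[0], RULES[2]]
```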


    Autogenerated rules

    The UTM has autogenerated rules ex works.
    These rules initially allow all data traffic into the existing networks and also release the proxy and DNS services of the respective interface for internal networks.

    These rules serve exclusively to enable the initial commissioning of the firewall.
    They must be adapted or replaced by individualised rules!

    New as of v14.0.1: Autogenerated rules can be edited.

    The visibility of the autogenerated rules can be controlled in the drop-down menu with the switch Show auto-generated rules (default: On).


    Packet filter Rule Settings

    After editing or adding a rule, the rulebook must be updated with Update Rules.
    Only after that will the rules be applied!

    New as of v14.0: In the table menu the layout of the table can be adjusted. More information can be found here.

    General (dialogue Add Rule, tab General)

    | Caption | Value | Description |
    | Active | On | Only when activated is this rule checked |
    | Source | internal-network | Network object or user group that is permitted as the source of the data packet |
    | Destination | internet | Network object or user group that is permitted as the destination of the data packet |
    | Service | default-internet | Desired service with stored port (see tab Services) |
    | Network object add / Service add | | Adds a network object or service |
    | Switch network object | | Exchanges the network objects Source and Destination |
    | Action | ACCEPT | Forwards the packet |
    | | DROP | The packet is dropped |
    | | REJECT | An ICMP packet is sent to the sender indicating that the port is not available. In the LAN, reject rules can prevent clients from having to wait for a timeout. |
    | | QOS | Allows you to specify a Quality of Service profile that limits the bandwidth for data packets to which this rule applies. The QoS profiles are configured in the menu Network / QoS, section Profile. |
    | | STATELESS | Allows connections regardless of connection state |
    | Group | default | Packet filter rules must be assigned to a group. This makes it easier to keep track when adding to the set of rules. In addition, rule groups can be activated or deactivated with a switch (new as of v12.7.0) and the logging settings of all contained rules can be adjusted centrally via a button. |

    Log (tab Log)

    | Caption | Value | Description |
    | Logging | | Specifies how extensively the application of the rule is logged. New as of v12.7.0: this setting is also available in the packet filter overview for individual rules as well as complete groups. |
    | | None | No logging (default) |
    | | Short | Logs the first entries per minute |
    | | Long | Logs all entries |
    | Log Alias | default | New as of v14.0: short alias (maximum 10 characters) for the packet filter rule, which is displayed in the log instead of the ID. The alias does not have to be unique for this rule. |
  • NAT

    Network Address Translation is the conversion of IP addresses used in a network to another IP address from another network. Typically, all internally used private IP addresses are mapped to one or more public IP addresses.

    Type:
      NONE: No NAT is performed.
      FULLCONENAT: With Full Cone NAT, the same port is set for the sender as for the recipient. However, IPs other than the originally addressed IP are also permitted as senders. This can be helpful with VoIP.
      HIDENAT: Also called Source NAT. Hides the original IP address behind the IP address of the interface used.
        The standard case is data traffic from an internal network with private IP addresses to the Internet.
        The IP from the local network is masked with the IP of the interface that establishes access to the Internet.
      HIDENAT_EXCLUDE: HideNAT Exclude is usually used in connection with IPSec VPN connections.
        This ensures that data packets for the VPN remote terminal are routed through the VPN tunnel with the private IP address.
        Otherwise, these would be masked with the public WAN IP address like all other packets in the direction of the Internet and, since they are sent with a private destination address, would be discarded at the next Internet router.
        See also the Wiki article HideNAT Exclude.
        The HideNAT Exclude rule must come before the HideNAT rule for the exception to apply.
      DESTNAT: Destination NAT is usually used to offer several services on different servers under one public IP address.
        For example, if the SSH service (port 22) of the server 198.51.100.1/32 is to be reached from the Internet via the public IP address of the eth0 interface on port 10000, the rule has to be created as shown in the screenshot.
        The associated network objects and the service on port 10000 must be created for this.
      NETMAP: NetMap is used to connect two identical subnets with each other.
        Using auxiliary networks (mapnet), which are not set up on either of the remote sites to be connected, these connections can be created collision-free without completely changing the subnet on either side. Instructions for connecting two networks can be found in the dedicated Wiki article NetMap.
    Network object: external-interface. The IP address of this network object is then used as the sender IP of the data packets in the target network.
      As a rule, this should be the interface whose IP address is known to the target network so that reply packets can also be correctly delivered.
    Service: ssh. Uses the selected service in the local destination network. This value is often (but by no means always) identical to the service selected in the General section, for which the rule is checked.
      Network object and Service are only available when Type is DESTNAT or NETMAP.
  • Extras

    Rule Routing: wan0. In the Extras section, the Rule Routing field is used to specify, based on rules, which route IP packets should take.
      In the example shown, all VoIP packets are routed via the wan0 interface.
      The drop-down field only offers wan interfaces for selection.
      If access to the Internet is via a router connected to an ethernet interface, this can be entered manually.
    QoS: Allows you to specify a Quality of Service profile that limits the bandwidth for data packets to which this rule applies.
      The QoS profiles are configured in the menu Network / QoS, section Profile.
      Only available when QOS is selected as Action.
    Time profile: Restricts the validity of the rule to a previously defined time profile.
      See section Time Profiles.
    Description: Show extended rule info On. Alternative text that can be displayed instead of the rule details.
      The alternative texts are displayed in the packet filter overview with the button Rule description in plain text.

    After editing or adding a rule, the rulebook must be updated with Update Rules.
    Only after that will the rules be applied!


    Network objects

  • Menu under Firewall / Network objects
  • Buttons in the tab Network Objects:
    Edit: Opens the network group or network object for editing.
    Delete: Deletes the network group or network object. The deletion must be confirmed once again.
      For GeoIP network objects, after confirmation, all GeoIP network objects with the same prefix are deleted.
    Add group: Creates a new network group to which network objects can be added immediately.
    Show GeoIP objects: On. When disabled (Off), GeoIP objects are hidden to improve readability.
  • Network objects contain:
    • a name
    • an address (IP or network), a hostname or an interface
    • and a zone.

    Network objects are mainly needed to create packet filter rules, but they are also used in the HTTP proxy.

    The members of a network group are displayed as labels.
    Click on a label to display the details in the Network objects table.

    New as of v14.0: If there are network objects that were created via the USC, the Cloud-managed column shows whether these are such objects or locally created objects. Cloud-managed objects must be edited in the Cloud under Unified Network Console, config.


    Edit / Add Network Groups

    Menu under Firewall / Network Objects, button + Add Group

    | Caption | Value | Description |
    | Name | Geo-DACH | Freely selectable name for the network group |
    | Network objects | GEOIP: AT (Austria), GEOIP: CH (Switzerland), GEOIP: DE (Germany) | Existing network objects can be added in the click box |
    | Add button | | Opens the dialog for adding another network object |
    | Remove button | | Removes a network object from the network group |

    Create / Add network objects

    Dialogue Edit / Add Network Objects

    | Caption | Value | Description |
    | Name | Host-Objekt | Freely selectable name for the network object. Not really free, though: even if it should be technically possible, refrain from using cryptic special characters such as curly brackets, backslashes and similar. At the latest in an AD environment, such characters may lead to problems. |
    | Type | | The type determines how membership of this network object is determined. |
    | | Host | A single host with an IP address, e.g. 192.0.2.192/32 → 192.0.2.192/--- |
    | | Network (address) | A complete network, e.g. 192.0.2.0/24. A /24 network is entered as default. However, this can be changed as desired. |
    | | Network (address with custom mask) | Network with any subnet mask. This is useful when the prefix may change. (Example: 192.0.2.0/0.255.255.0 or 2001:DB8::1234/::FFFF:FFFF) |
    | | Network (interface) | A complete network behind an interface, e.g. eth0. Attention: with HideNAT, only the first IP on this interface is used. When using it with HideNAT, try to use a network address instead. |
    | | VPN-Host | A single VPN host with an IP address, e.g. 192.0.2.192/32 → 192.0.2.192/---. Only zones that have the flag Policy_IPSEC or PPP_VPN in the zone management (Network / Zone Settings, edit button) can be selected as zones for these network objects. |
    | | VPN network | A complete VPN network, e.g. 192.0.2.0/24. A /24 network is entered as default. However, this can be changed as desired. |
    | | Static interface | A configured IP address of an interface can be selected from a drop-down menu, e.g. 192.0.2.1/24 |
    | | Dynamic interface | A dynamic assignment of the address of the interface based on the assigned zone, e.g. 0.0.0.0/. or eth0 |
    | | Hostname | A host name, e.g. my.host.local |
    | | GeoIP | Creates a network object in the specified zone for each country. IP addresses are assigned to a country via the organisations and institutions to which the associated IP networks are allocated. The actual location of a host may differ from this assignment or may not be visible, e.g. due to a VPN tunnel! Adding a network object of type GeoIP creates approx. 250 new network objects! |
    | Address | 192.0.2.192 | Depending on the type selected. See above. |
    | Interface | LAN1 | Only for type Network (interface) or Dynamic interface. All hosts behind this interface belong to this network object. |
    | IP address | 192.168.175.1 | Only for type Static interface. All hosts behind the interface with this IP address belong to this network object. |
    | Hostname | my.host.local | Only for type Hostname. Hostname of the network object. |
    | Prefix | ext2_ | Only for type GeoIP. Prefix placed in front of the network objects (for better identification). Example: prefix ext2_ → network object ext2_GEOIP:DE |
    | Zone | | Zone in which the network object is located. By linking an object in the rule set with the interface via the zone, a packet filter rule only takes effect if not only the source, destination and service match the rule, but the connection also arrives via the correct interface. This prevents attacks that rely on IP spoofing. The assignment of an object to an interface is done by binding the zone to the interface on the one hand and assigning the network object to a zone on the other. Depending on the selected network type, a zone is already suggested or the zone selection is restricted. |
    | Groups | internal-networks | Network objects can be grouped together to assign packet filter rules to multiple objects. Network objects can also belong to several groups. This can lead to contradictory rules for the same network object that are not immediately obvious. As with all rules, the first matching rule whose network group contains the network object is the one that is executed. |
    | Save | | Saves the network object, but leaves the dialogue open so that further objects can be created. |
    | Save and close | | Saves the network object and closes the dialogue. |
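The custom-mask object type above accepts masks such as 192.0.2.0/0.255.255.0 and 2001:DB8::1234/::FFFF:FFFF, which are not plain prefix lengths. The following added example (not from the wiki or the UTM) shows how membership can be tested for such objects; it assumes that a custom mask is applied bitwise, so that only the bits set in the mask are compared, and the sample object names are constructed for the demo.

```python
import ipaddress


def in_masked_network(address: str, spec: str) -> bool:
    """True if `address` belongs to `spec`, written as network/mask.

    The mask may be a prefix length (192.0.2.0/24) or a full mask, and a full
    mask may be non-contiguous, e.g. 192.0.2.0/0.255.255.0 or
    2001:DB8::1234/::FFFF:FFFF. Assumption (not stated on the wiki): a custom
    mask is applied bitwise, i.e. only the bits set in the mask are compared.
    """
    net_text, _, mask_text = spec.partition("/")
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_address(net_text)
    if mask_text.isdigit():
        # plain prefix length: derive the contiguous netmask from it
        mask = ipaddress.ip_network(f"{net_text}/{mask_text}", strict=False).netmask
    else:
        mask = ipaddress.ip_address(mask_text)
    if not (addr.version == net.version == mask.version):
        return False  # an IPv4 address never matches an IPv6 object and vice versa
    return (int(addr) & int(mask)) == (int(net) & int(mask))


def matching_objects(address: str, objects: dict) -> list:
    """Names of all network objects (name -> spec) that contain the address."""
    return [name for name, spec in objects.items() if in_masked_network(address, spec)]


# Constructed sample objects for the demo (names and values are not from the wiki).
SAMPLE_OBJECTS = {
    "host-object": "192.0.2.192/32",
    "lan-24": "192.0.2.0/24",
    "third-octet-2": "192.0.2.0/0.255.255.0",      # first octet is ignored by the mask
    "v6-low-1234": "2001:DB8::1234/::FFFF:FFFF",   # only the last 32 bits are compared
}
```

Note that with 192.0.2.0/0.255.255.0 the object also contains 10.0.2.7, which a contiguous /24 never would; a custom mask therefore deserves a second look before it is used as a rule source.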


    Services

  • Menu call: Firewall / Services
  • New as of v12.7.2:
    All ICMP services are available for IPv4 and IPv6. The IPv6 services start with icmpv6- instead of icmp-.


    Add / edit services

    If a service does not exist, it can be created with Add object.
    Depending on the protocol used, further settings can be made:

    • Ports (TCP and UDP)
    • Packet types (ICMP)
    • Protocol type (gre)

    The name of the service and the protocol must be specified in each case.
    With the tcp and udp protocols, the release can be restricted to a single destination port or a port range. Source ports can be any (None), a single port or a port range.
    If an existing service is to run on a different port, the service can be edited and the port changed.



    Service groups

    Services can be grouped together in service groups. Here, too, there are already predefined groups that can be extended and changed. A detailed view is shown by clicking on the expand button.

    Updated in v12.7.2:
    The Windows domain service group has been expanded.
    Services:
      domain-tcp                     Destination ports: 53
      domain-udp                     Destination ports: 53
      ldap-tcp                       Destination ports: 389
      ldap-udp                       Destination ports: 389
      ldap-ssl                       Destination ports: 636
      ms-ds                          Destination ports: 445
      netbios-tcp                    Destination ports: 139
      netbios-udp                    Destination ports: 137:138
      netbios-rpc                    Destination ports: 135
      w32time                        Destination ports: 123
      kerberos-tcp                   Destination ports: 88
      kerberos-udp                   Destination ports: 88
      kerberos-password-change-tcp   Destination ports: 464
      kerberos-password-change-udp   Destination ports: 464
      ldap-gc                        Destination ports: 3268
      ldap-gc-ssl                    Destination ports: 3269
  • The changes only take effect with a new installation; existing configurations are not changed.

  • New from v12.7.2:
    There is a service group called sp-backup that enables the use of Securepoint Unified Backups.
    Services:
      sp-backup-portal   Destination ports: 8086:8087
      sp-backup-vault    Destination ports: 2546


    Example: The group default-internet contains, among others, the services:

    | Name | Protocol | Port / packet type |
    | domain-udp | udp | Port 53 |
    | ftp | tcp (ftp) | Port 21 |
    | http | tcp | Port 80 |
    | https | tcp | Port 443 |
    | icmp-echo-req | icmp | Packet type 8 |

    Add/remove service from a service group

    • Clicking in the click box selects the desired service and thereby adds it.
    • Clicking the add button creates a new service and then adds it to the service group.
    • A service is removed from the service group by clicking on its remove icon.

    Time profiles

    Time profiles are used to activate packet filter rules only at specified times. They can be configured under Firewall / Time profiles.
    In the example shown, the profile applies daily between 3:00 am and 3:59:59 am and on weekdays from 7:00 am to 5:59:59 pm. This can be seen in the table under Time window. Under Used in packet filter rules, the IDs are listed together with the descriptions of the packet filter rules for which this time profile is set up. The packet filter rule can also be edited by clicking on the corresponding entry. The Name column shows an assigned name that should describe the time profile.


    Create time profiles

    • Create a time profile under Firewall / Time profiles, button Add time profile.
    • Select times:
      • Individual fields or time ranges can be selected by clicking the mouse.
      • Several fields and time ranges can be selected by holding down the mouse button.
    • Accept the time settings with the button Save and close.


    Use time profiles

    Time profiles can be selected under the Extras section when creating or editing packet filter rules.

    A description of the implicit rules can be found here.