Portfilter

This can lead to contradictory rules for the same network object that are not immediately obvious. 
As with all rules, the rule that is executed first is the one whose network group contains the network object. }}

Menü Portfilter

Creating and using port filter rules, network objects, services and time profiles

Last adaptation to the version: 12.1 04.2021

New:

• New network types:
  • network (address with any subnet mask)
  • hostname
• A network object can belong to several groups
• Layout adjustment

Previous versions: 11.7

Port filter Description

The port filter controls the data traffic that passes through the UTM.

• All network packets that pass through the UTM are filtered and only forwarded based on port filter rules.

• Thereby it is irrelevant whether the destination address and source address of the packet are in the same network, in another, local network or in the Internet and a local network.

• Based on the source IP, destination IP and service used, the rules are checked from top to bottom.
  The sequential number before a rule # indicates the order of rulecreation and is permanently retained. It does not indicate the order in which the rule is processed!

• A rule that has been created can be subsequently moved in the order by holding down the mouse button on the icon .

A port filter rule contains several elements:

• Two Network Objects (source / destination).
• One Service
• if applicable, details of the NAT type (Network Address Translation)
• if applicable, Rule Routing
• If applicable, a QoS Profile that regulates the bandwidth made available for certain data packets.
• if applicable, a Time Profile at which the rule is to be applied
• an Action that is to be executed
• details of the Logging
• the assignment to a Rule Group

Port filter rule

The basic structure of a rule is :
Source → Target → Service → Action
Typical examples:

		#	Source	Destination	Service	NAT	Action	Active
The Internet should be accessible from the internal network		7	internal-network	internet	default-internet	HN	Accept	On
The dmz1 network should be accessible for all services from the internal network.		8	internal-network	dmz1-network	any		Accept	On
A server in the internal network is to be accessible from outside via ssh		9	internet	internal-network	ssh	DN ➞	Accept	On
The Internet should be accessible from the internal network, but no ftp should be enabled! The port filter is processed from top to bottom. If a rule applies, the check of the set of rules is terminated and the configured action is executed. Therefore, the prohibition of ftp must be before the general permission rule. A rule that has been created can be moved to the icon with drag and drop and placed specifically in the order.		10	internal-network	internet	ftp		Drop	On
		7	internal-network	internet	default-internet	HN	Accept	On

Autogenerated rules

Port Filter Rule Settings

Caption	Value	Description
Active	On	Only when activated is this rule checked
Action	ACCEPT	ACCEPT Forwards the package
	DROP	DROP The package is dropped
	REJECT	REJECT An ICMP packet is sent to the sender indicating that the port is not available. In the LAN, reject rules can prevent clients from having to wait for a timeout.
	QOS	QOS Allows you to specify a Quality of Service profile in the Extras / QOS section that limits the bandwidth for data packets to which this rule applies. Configuration of the QoS profiles in the → Network →QoSTab Profile menu.
	STATELESS	STATELESS Allows connections regardless of status
Logging	None	No logging (default)
	Short	Logs the first entries per minute
	Long	Logs all entries
Group	default	Port filter rules must be assigned to a group. This facilitates clarity when adding to the set of rules. In addition, rule groups can be activated or deactivated with a switch.
Source	internal-network	Network object or user group that is permitted as the source of the data package.
Destination	internet	Network object or user group that is permitted as the destination of the data packet.
NAT NAT	Network Address Translation is the conversion of IP addresses used in a network to another IP address from another network. Typically, all internally used private IP addresses are mapped to one or more public IP addresses.
	Hide NAT Type Hide NAT	Also called Source NAT. Hides the original IP address behind the IP address of the interface used. The standard case is data traffic from an internal network with private IP addresses to the Internet. The IP from the local network is masked with the IP of the interface that establishes access to the Internet.	HideNat Rule
	Dest. NAT Type Dest. NAT	Destination NAT is usually used to offer several services on different servers under one public IP address. For example, if you want to access the SSH service (port 22) of the server (198.51.100.1/32) from the Internet via the public IP address of the eth0 interface with port 10000, the rule would have to be created as shown opposite. The associated network objects and the service on port 10000 must be created for this.	Destination NAT Rule
	HideNAT Exclude Type HideNAT Exclude	HideNAT Exclude is usually used in connection with IPSec VPN connections. This ensures that data packets for the VPN remote terminal are routed through the VPN tunnel with the private IP address. Otherwise, these would be masked with the public WAN IP address like all other packets in the direction of the Internet and, since they are sent with a private destination address, would be discarded at the next Internet router. See also the Wiki article Hidenat Exclude. The HideNAT-Exclude rule must come before the HideNAT rule for the exception to apply.	HidNAT Exclude Rule
	NetMap Type NetMap	NetMap is used to connect two identical subnets with each other. Using auxiliary networks (mapnet), which are not set up on either of the remote sites to be connected, these connections can be created collision-free without completely changing the subnet on either side. Instructions for connecting two networks can be found in a dedicated Wiki article NetMap	NetMap Rule
	Full Cone NAT Type Full Cone NAT	With Full Cone NAT, the same port is set for the sender as for the recipient. However, IPs other than the originally addressed IP are also permitted as senders. This can be helpful with VOIP.	Full Cone NAT Rule
	Network object external-interface	The IP address of this network object is then used as the sender IP of the data packets in the target network. As a rule, this should be the interface whose IP address is known to the target network so that reply packets can also be correctly delivered.
	Service ssh	Uses the selected service in the local destination network. This value is often (but by no means always) identical with the service above it in the data source package for which the rule is checked. Only available when Type is selected as DESTNAT or NETMAP.
Extras
Rule Routing Rule Routing	eth2	In the [-] Extras section, the Rule Routing field is used to specify, based on rules, which route IP packets should take. In the example opposite, all VOIP packets are routed via the eth2 interface. The drop-down field only provides wan interfaces for selection. If access to the Internet is via a router connected to an ethernet interface, this can be entered manually.
QOS QOS	QOS	Allows you to specify a Quality of Service profile in the Extras / QOS section that limits the bandwidth for data packets to which this rule applies. Configuration of the QoS profiles in the → Network →QoSTab Profile menu. Only available when QOS is selected as Action .
Time profile Time profile	Time profile	Restricts the validity of the rule to a previously defined time profile. See section Time Profiles.
Description Description	Rule description	Alternative text that can be displayed instead of the rule details. The alternative texts are displayed with the button

After editing or adding a rule, the rulebook must be updated.
Only after that will the rules be applied!
/ Add Rule → Update Rules

Network objects

Network objects include

• a name
• an address (IP or network)
• and a zone.

Network objects are mainly used to create port filter rules, but they are also used in the HTTP proxy.

Create network objects

→ Firewall →PortfilterTab Network Objects Button Add Object

Caption	Value	Description
Name	Hostname	Freely selectable name for the network object. OK - not really free: Even if it should be technically possible, refrain from using cryptic special characters such as curly brackets, backslashes and similar. At the latest in an AD environment, such things may lead to problems.	Create network objects
Type	The type determines how the affiliation to this network object is determined.
	Host	A single host with an IP address e.g. 192.0.2.192/32 → 192.0.2.192/---
	Network (address)	A complete network, e.g. 192.0.2.0/24 A 24 network is entered as default. However, this can be changed as desired.
	Network (address with custom mask)	ab v12 Network with any subnet mask. This is useful when the prefix may change. (Example: 192.0.2.0/0.255.255.0 oder 2001:DB8::1234/::FFFF:FFFF) → 192.0.2.0
	Network(interface)	A complete network behind an interface e.g. eth0 Attention: With HideNat, only the first IP lying on this interface is used. When using with HideNat, try to use a network address.
	VPN-Host	A single VPN host with an IP address, e.g. 192.0.2.192/32 → 192.0.2.192/---  Only zones that have a flag Policy_IPSEC or PPP_VPN in the zone management (→ Network →Zone Settings Button w) can be selected as zones for these network objects.
	VPN network	A complete VPN network, e.g. 192.0.2.0/24 A 24 network is entered as default. However, this can be changed as desired.
	Static interface	A configured IP address of an interface can be selected from a drop-down menu, e.g. 192.0.2.1/24
	Dynamic interface	A dynamic assignment of the address of the interface based on the assigned zone. E.G.: 0.0.0.0/. oder eth0
	Hostname	ab v12 A host name, e.g.: my.host.local
Address:	192.0.2.192	Depending on the type selected. See above.
Zone	Zone	Zone in which the network object is located. By linking an object in the set of rules with the interface via the zone, it is achieved that a port filter rule only takes effect if not only the source, destination and service match the rule, but the connection is also made via the correct interfaces. This prevents all attacks that involve IP spoofing. The assignment of an object to an interface is done by binding the zone to the interface on the one hand and the assignment of the network object to a zone on the other.    Depending on the selected network type, a zone is already suggested or a restriction of the zone selection is made.
Groups	» ✕internal-networks	Network objects can be grouped together to assign port filter rules to multiple objects. 12 Network objects can also belong to several groups. {Note
Save		Saves the network object, but leaves the dialogue open to be able to create further objects.
Save and close		Saves the network object and closes the dialogue

Services

Services define the protocol used and, if applicable, the port or port range of the data packets to be filtered. Many services are already preconfigured such as http, https, ftp, ssh, etc.

Add / edit service

If a service does not exist, it can be created with Add object.
Depending on the protocol used, further settings can be made:

• Ports (TCP and UDP)
• Packet types (ICMP)
• Protocol type (gre)

The name of the service and the protocol must be specified in each case.

With the tcp and udp protocols, sharing can be restricted to a single destination port or port ranges. Source ports can be any (None), a single port or a port range.

If an existing service is to run on a different port, the service can be edited and the port changed.

Service groups

Services can be grouped together in service groups. Here, too, there are already predefined groups that can be added to and changed. Detailed display by clicking on the folder symbol .
Example: The group default-internet contains, for example, the services:

Icon	Name	Protocol
	domain-udp	udp	Port 53
	ftp	tcp (ftp)	Port 21
	http	tcp	Port 80
	https	tcp	Port 443
	icmp-echo-req	icmp	Pakettyp 8

Add/remove service from a service group

• Wird auf der linken Seite eine Dienstgruppe markiert, kann ein Dienst mit der Plus-Schaltfläche der Dienstgruppe hinzugefügt werden.
• Wird eine Dienstgruppe durch Klick auf das Ordnersymbol geöffnet, kann ein Dienst mit Klick auf die Minus-Schaltfläche entfernt werden.

Time profiles

Time profiles

Time profiles are used to activate port filter rules only at specified times. In the example shown, the profile takes effect between 3:00 a.m. and 3:59:59 p.m. daily and from 7:00 a.m. to 5:59:59 p.m. on weekdays.

Create time profiles

• Create a time profile with the Add time profile button.
• Select times
  • with the Ctrl key and mouse click for a single field or
  • with the Shift (Shift) key and mouse click for a time range.
• Apply the time settings with the Save button.

Use time profiles

Time profiles are stored in the port filter rules around section

.