Creating and using packet filter rules, network objects, services and time profiles
Last adaptation to the version: 12.6.0
New:
- Updated to Redesign of the webinterface
The function and arrangement in the menu has remained identical.
Packet filter Description
UTMuser@firewall.name.fqdnFirewall 
The packet filter controls the data traffic that passes through the UTM.
- All network packets that pass through the UTM are filtered and only forwarded based on packet filter rules.
- Thereby, it is irrelevant whether the destination address and source address of the packet are in the same network, in another, local network or in the Internet and a local network.
- Based on the source IP, destination IP and service used, the rules are checked from top to bottom.
The sequential number before a rule # indicates the order of rulecreation and is permanently retained. It does not indicate the order in which the rule is processed! - A rule that has been created can be subsequently moved in the order by holding down the mouse button on the icon
.
If the exception rule applies to a package, the specified action is carried out and the packet filter is terminated.
If the exception rule does not apply, the more general rule is then checked.
If this rule then applies, the action specified there is executed.
- Two Network Objects (source / destination).
- One Service
- if applicable, details of the NAT type (Network Address Translation)
- if applicable, Rule Routing
- If applicable, a QoS Profile that regulates the bandwidth made available for certain data packets.
- if applicable, a Time Profile at which the rule is to be applied
- an Action that is to be executed
- details of the Logging
- the assignment to a Rule Group
Packet filter rule
The basic structure of a rule is :
Source → Target → Service → Action
With copy rulesrules can be copied. The Add Rule dialogue opens with a copy of the respective rule.
| Typical examples: | # | Source | Destination | Service | NAT | Action | Active | ||
| The Internet should be accessible from the internal network |  |
7 |  internal-network |
 internet |
 default-internet |
HN | Accept | On | |
| The dmz1 network should be accessible for all services from the internal network. | |
8 | internal-network |
dmz1-network |
 any |
Accept | On | ||
| A server in the internal network is to be accessible from outside via ssh | |
9 | internet |
internal-network |
 ssh |
DN ➞ | Accept | On | |
| The Internet should be accessible from the internal network, but no ftp should be enabled! with drag and drop and placed specifically in the order. |
|
10 | internal-network |
internet |
ftp |
Drop | On | ||
|
7 | internal-network |
internet |
default-internet |
HN | Accept | On | ||
Autogenerated rules
autogenerated
The UTM has autogenerated rules ex works.
These rules initially allow all data traffic into the existing networks and also release the proxy and DNS services of the respective interface for internal networks
These rules are used exclusively to enable the commissioning of the firewall
They cannot be edited and must be replaced strictly by individualized rules and have to be deactivated or deleted afterwards!
They cannot be edited and must be replaced strictly by individualized rules and have to be deactivated or deleted afterwards!
The visibility of the autogenerated rules can be controlled in the drop-down menu with this switch: On Show auto-generated rules Default
Packet filter Rule Settings
Packetfilter rules settings
notempty
After editing or adding a rule, the rulebook must be updated.
Only after that will the rules be applied!
/ →
Only after that will the rules be applied!
/ →
General
| |||
| Caption | Value | Description | |
|---|---|---|---|
| Active: | On | Only when activated is this rule checked | |
| Source: | internal-network |
Network object or user group that is permitted as the source of the data package. | |
| Destination: | internet |
Network object or user group that is permitted as the destination of the data packet. | |
| Service: | default-internet |
Desired service with stored port (see tab Services) | |
| Netzwerkobjekt add / Dienst add | Adds a network object or service | ||
| Switch network object | Exchanges the network objects Source and Destination | ||
| Action: | ACCEPT Forwards the package | ||
| DROP The package is dropped | |||
| REJECT An ICMP packet is sent to the sender indicating that the port is not available. In the LAN, reject rules can prevent clients from having to wait for a timeout. | |||
| QOS Allows you to specify a Quality of Service profile that limits the bandwidth for data packets to which this rule applies. Configuration of the QoS profiles in the Area Profile menu. | |||
| STATELESS Allows connections regardless of status | |||
| Logging: | No logging (default) | ||
| Logs the first entries per minute | |||
| Logs all entries | |||
| Group: | Packet filter rules must be assigned to a group. This facilitates clarity when adding to the set of rules. In addition, rule groups can be activated or deactivated with a switch. | ||
NAT
|
Network Address Translation is the conversion of IP addresses used in a network to another IP address from another network. Typically, all internally used private IP addresses are mapped to one or more public IP addresses. | ||
| Type: | No NAT is performed | ||
| Also called Source NAT. Hides the original IP address behind the IP address of the interface used. The standard case is data traffic from an internal network with private IP addresses to the Internet. |
UTMuser@firewall.name.fqdnFirewallPacket filter  HideNat Rule
| ||
| Destination NAT is usually used to offer several services on different servers under one public IP address. For example, if you want to access the SSH service (port 22) of the server (198.51.100.1/32) from the Internet via the public IP address of the eth0 interface with port 10000, the rule would have to be created as shown opposite. The associated network objects and the service on port 10000 must be created for this. |
 | ||
| HideNAT Exclude is usually used in connection with IPSec VPN connections. This ensures that data packets for the VPN remote terminal are routed through the VPN tunnel with the private IP address. Otherwise, these would be masked with the public WAN IP address like all other packets in the direction of the Internet and, since they are sent with a private destination address, would be discarded at the next Internet router. See also the Wiki article HideNAT Exclude.  |
 | ||
| NetMap is used to connect two identical subnets with each other. Using auxiliary networks (mapnet), which are not set up on either of the remote sites to be connected, these connections can be created collision-free without completely changing the subnet on either side. Instructions for connecting two networks can be found in a dedicated Wiki article NetMap |
 | ||
| With Full Cone NAT, the same port is set for the sender as for the recipient. However, IPs other than the originally addressed IP are also permitted as senders. This can be helpful with VOIP. |  | ||
| Network object: |  external-interface
|
The IP address of this network object is then used as the sender IP of the data packets in the target network. As a rule, this should be the interface whose IP address is known to the target network so that reply packets can also be correctly delivered. | |
| Service: | ssh
|
Uses the selected service in the local destination network. This value is often (but by no means always) identical with the service above it in the data source package for which the rule is checked. Type is selected as or . | |
Extras
| |||
| Rule Routing | wan0 | In the [ - ] Extras section, the Rule Routing field is used to specify, based on rules, which route IP packets should take.In the example opposite, all VOIP packets are routed via the wan0 interface. If access to the Internet is via a router connected to an ethernet interface, this can be entered manually. |
UTMuser@firewall.name.fqdnFirewallPacket filter  Packet filter rule with rule routing
|
| QOS | Allows you to specify a Quality of Service profile that limits the bandwidth for data packets to which this rule applies. Configuration of the QoS profiles in the Area Profile menu. Action . | ||
| Time profile | Restricts the validity of the rule to a previously defined time profile. See section Time Profiles. | ||
Description
|
Show extended rule info On | Alternative text that can be displayed instead of the rule details. The alternative texts are displayed with the button |
 |
notempty After editing or adding a rule, the rulebook must be updated.
Only after that will the rules be applied! / → | |||
Network objects
| Button | Description | UTMuser@firewall.name.fqdnFirewall Datei:UTM v12.6 Paketfilter Netzwerkobjekte-en.pngTab Network Objects |
|---|---|---|
| Edit | Opens the network group or network object for editing | |
| Delete | Deletes the network group or network object. The deletion must be confirmed once again | |
| Creates a new network group to which network objects can be added immediately | ||
| Show GeoIP objects On When disabled Off: Hides GeoIP objects to improve readability. | ||
Network objects include :
Network objects are mainly used to create packet filter rules, but they are also used in the HTTP proxy. | ||
Edit / Add Network Groups Edit / Add Network Groups
Menu under Button | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallNetwork objects  Edit / create network group dialog
|
|---|---|---|---|
| Name: | Geo-DACH | Freely selectable name for the network group | |
| Network objects: | × GEOIP: AT (Austria) × GEOIP: CH (Switzerland) × GEOIP: DE (Germany) |
Existing network objects can be added in the click box | |
| Opens the dialog for adding another network object | |||
| ✕ | Removes a network object from the network group | ||
Create / Add network objects Edit / Add Network Objects
Button | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallNetwork objects  Create / Add network objects
|
| Name: | Host-Objekt | Freely selectable name for the network object. OK - not really free: Even if it should be technically possible, refrain from using cryptic special characters such as curly brackets, backslashes and similar. At the latest in an AD environment, such things may lead to problems. | |
| Type: | The type determines how the affiliation to this network object is determined. | ||
| A single host with an IP address e.g. 192.0.2.192/32 → | |||
| A complete network, e.g. 192.0.2.0/24 A 24 network is entered as default. However, this can be changed as desired. | |||
| Network with any subnet mask. This is useful when the prefix may change. (Example: 192.0.2.0/0.255.255.0 oder 2001:DB8::1234/::FFFF:FFFF) | |||
| A complete network behind an interface e.g. When using with HideNat, try to use a network address. | |||
| A single VPN host with an IP address, e.g. 192.0.2.192/32 → | |||
| A complete VPN network, e.g. 192.0.2.0/24 A 24 network is entered as default. However, this can be changed as desired. | |||
| A configured IP address of an interface can be selected from a drop-down menu, e.g. | |||
| A dynamic assignment of the address of the interface based on the assigned zone. E.G.: oder | |||
| A host name, e.g.: my.host.local | |||
| Creates a network object in the specified zone for each country. IP addresses are assigned to a country via organizations and institutions to which the associated IP networks are assigned. The actual location of a host may differ from the assignment or may not be visible, e.g. due to a VPN tunnel! | |||
| Address: | 192.0.2.192 | Depending on the type selected. See above. | |
| Interface: For type only or |
All hosts behind this interface belong to this network object | ||
| IP address: For type only |
All hosts behind the interface with this IP address belong to this network object | ||
| Hostname: For type only |
my.host.local | Hostname of the network object | |
| Prefix: For type only |
ext2_ | Prefix placed in front of the network objects (for better identification) Example_ Prefix ext2_ → Network object ext2_GEOIP:DE
| |
| Zone: | Zone in which the network object is located. By linking an object in the set of rules with the interface via the zone, it is achieved that a packet filter rule only takes effect if not only the source, destination and service match the rule, but the connection is also made via the correct interfaces. This prevents all attacks that involve IP spoofing. The assignment of an object to an interface is done by binding the zone to the interface on the one hand and the assignment of the network object to a zone on the other. | ||
| Groups: | » ✕internal-networks | Network objects can be grouped together to assign packet filter rules to multiple objects. notempty Network objects can also belong to several groups.
This can lead to contradictory rules for the same network object that are not immediately obvious. As with all rules, the rule that is executed first is the one whose network group contains the network object. | |
| Save | Saves the network object, but leaves the dialogue open to be able to create further objects. | ||
| Save and close | Saves the network object and closes the dialogue | ||
Services
Menu Dienste
Services define the protocol used and, if applicable, the protocol type, the port or port range or the ICMP message type of the data packets to be filtered. Many services are already preconfigured such as http, https, ftp, ssh, etc. The services of a service group are displayed as labels. Clicking on a label displays the details of the service in the service tab.
Add / edit services
Add / edit services
If a service does not exist, it can be created with .
Depending on the protocol used, further settings can be made:
- Ports (TCP and UDP)
- Packet types (ICMP)
- Protocol type (gre)
UTMuser@firewall.name.fqdnFirewallServices 
The name of the service and the protocol must be specified in each case.
UTMuser@firewall.name.fqdnFirewallServices 
With the tcp and udp protocols, sharing can be restricted to a single destination port or port ranges. Source ports can be any (None), a single port or a port range.
UTMuser@firewall.name.fqdnFirewallServices 
If an existing service is to run on a different port, the service can be edited and the port changed.
Service groups
Service groups
Services can be grouped together in service groups. Here, too, there are already predefined groups that can be added to and changed. Detailed display by clicking on the button .
Example: The group default-internet contains, for example, the services:
| Icon | Name | Protocol | UTMuser@firewall.name.fqdnFirewallServices 
| |
|---|---|---|---|---|
 |
domain-udp | udp | Port 53 | |
|
ftp | tcp (ftp) | Port 21 | |
|
http | tcp | Port 80 | |
|
https | tcp | Port 443 | |
 |
icmp-echo-req | icmp | Pakettyp 8 | |
Add/remove service from a service group
- Clicking in the click box selects the desired service and thereby adds it.
- Clicking the button creates a new service and then adds it to the service group.
- A service is removed from the service group by clicking on ✕.
Time profiles
UTMuser@firewall.name.fqdnFirewallTime profiles 
Add time profile
Time profiles are used to activate packet filter rules only at specified times.
In the example shown, the profile takes effect between 3:00 a.m. and 3:59:59 p.m. daily and from 7:00 a.m. to 5:59:59 p.m. on weekdays.
Create time profiles
- Create a time profile under Button .
- Select times
- Individual fields or time ranges can be selected by clicking the mouse
- Several fields and time ranges can be selected by holding down the mouse button
- Accept the time settings with the button Save and close
Use time profiles
Time profiles can be selected under the
Extras
section when creating or editing packet filter rules.