Jump to:navigation, search
Wiki

Die Seite Vorlage:Ui-icon.css hat keinen Inhalt.




























De.png
Fr.png


Creating and using port filter rules, network objects, services and time profiles


Last adaptation to the version: 12.1 04.2021

New:


Previous versions: 11.7


Port filter Description

The port filter controls the data traffic that passes through the UTM.

  • All network packets that pass through the UTM are filtered and only forwarded based on port filter rules.
  • Thereby it is irrelevant whether the destination address and source address of the packet are in the same network, in another, local network or in the Internet and a local network.
  • Based on the source IP, destination IP and service used, the rules are checked from top to bottom.
    The sequential number before a rule # indicates the order of rulecreation and is permanently retained. It does not indicate the order in which the rule is processed!
  • A rule that has been created can be subsequently moved in the order by holding down the mouse button on the icon Dragndrop.png.
  • If an exception is to be created for a rule, the (more specific) exception must first be defined and only then the more general rule.
    If the exception rule applies to a package, the specified action is carried out and the port filter is terminated.
    If the exception rule does not apply, the more general rule is then checked.
    If this rule then applies, the action specified there is executed.
  • If no applicable rule exists for a data packet, the packet is discarded Default Drop
  • A port filter rule contains several elements:


    Port filter rule

    The basic structure of a rule is :
    Source → Target → Service → Action
    Typical examples:

    # Source Destination Service NAT Action Active
    The Internet should be accessible from the internal network Dragndrop.png 7 Network.svg internal-network World.svg internet Service-group.svg default-internet HN Accept On
    The dmz1 network should be accessible for all services from the internal network. Dragndrop.png 8 Network.svg internal-network Network.svg dmz1-network Other.svg any Accept On
    A server in the internal network is to be accessible from outside via ssh Dragndrop.png 9 World.svg internet Network.svg internal-network Tcp.svg ssh DN ➞ Accept On
    The Internet should be accessible from the internal network, but no ftp should be enabled!
  • The port filter is processed from top to bottom. If a rule applies, the check of the set of rules is terminated and the configured action is executed. Therefore, the prohibition of ftp must be before the general permission rule. A rule that has been created can be moved to the icon Dragndrop.png with drag and drop and placed specifically in the order.
  • Dragndrop.png 10 Network.svg internal-network World.svg internet Tcp.svg ftp Drop On
    Dragndrop.png 7 Network.svg internal-network World.svg internet Service-group.svg default-internet HN Accept On

    Autogenerated rules

    autogenerated The UTM has autogenerated rules ex works. These rules initially allow all data traffic into the existing networks and also release the proxy and DNS services of the respective interface for internal networks

    These rules are used exclusively to enable the commissioning of the firewall
    They cannot be edited and must be replaced strictly by individualised rules and have to be deactivated or deleted afterwards!

    Autogenerated rules can be hidden from the drop-down menu with this button: Onhide autogenerated rules

    Port Filter Rule Settings

    After editing or adding a rule, the rulebook must be updated.
    Only after that will the rules be applied!
    / Add Rule Update Rules

    caption: value: Description:
    ╭╴Active╶╮ On Only when activated is this rule checked
    ╭╴Action╶╮ ACCEPT ACCEPT Forwards the package
    DROP DROP The package is dropped
    REJECT REJECT An ICMP packet is sent to the sender indicating that the port is not available. In the LAN, reject rules can prevent clients from having to wait for a timeout.
    QOS QOS Allows you to specify a Quality of Service profile in the ╭╴Extras╶╮ / ╭╴QOS╶╮ section that limits the bandwidth for data packets to which this rule applies.
    Configuration of the QoS profiles in the → Network →QoSTab Profile menu.
    STATELESS STATELESS Allows connections regardless of status
    ╭╴Logging╶╮ None No logging (default)
    Short Logs the first entries per minute
    Long Logs all entries
    ╭╴Group╶╮ default Port filter rules must be assigned to a group. This facilitates clarity when adding to the set of rules. In addition, rule groups can be activated or deactivated with a switch.
    ╭╴Source╶╮ Network.svg internal-network Network object or user group that is permitted as the source of the data package.
    ╭╴Destination╶╮ World.svg internet Network object or user group that is permitted as the destination of the data packet.
    NAT
    ╭╴NAT╶╮
    Network Address Translation is the conversion of IP addresses used in a network to another IP address from another network. Typically, all internally used private IP addresses are mapped to one or more public IP addresses.
    Hide NAT
    ╭╴Type╶╮
    Hide NAT
    Also called Source NAT. Hides the original IP address behind the IP address of the interface used.

    The standard case is data traffic from an internal network with private IP addresses to the Internet.
    The IP from the local network is masked with the IP of the interface that establishes access to the Internet.

    UTM v12.1 Portfilter Hidenat-Regel-en.png
    HideNat Rule
    Dest. NAT
    ╭╴Type╶╮
    Dest. NAT
    Destination NAT is usually used to offer several services on different servers under one public IP address.

    For example, if you want to access the SSH service (port 22) of the server (198.51.100.1/32) from the Internet via the public IP address of the eth0 interface with port 10000, the rule would have to be created as shown opposite.
    The associated network objects and the service on port 10000 must be created for this.

    UTM v12.1 Portfilter Destnat-Regel-en.png
    Destination NAT Rule
    HideNAT Exclude
    ╭╴Type╶╮
    HideNAT Exclude
    HideNAT Exclude is usually used in connection with IPSec VPN connections.
    This ensures that data packets for the VPN remote terminal are routed through the VPN tunnel with the private IP address. Otherwise, these would be masked with the public WAN IP address like all other packets in the direction of the Internet and, since they are sent with a private destination address, would be discarded at the next Internet router.
    See also the Wiki article Hidenat Exclude.
  • The HideNAT-Exclude rule must come before the HideNAT rule for the exception to apply.
  • UTM v12.1 Portfilter Hidenat Exclude-Regelübersicht-en.png
    UTM v12.1 Portfilter Hidenat Exclude-Regel-en.png
    HidNAT Exclude Rule
    NetMap
    ╭╴Type╶╮
    NetMap
    NetMap is used to connect two identical subnets with each other.

    Using auxiliary networks (mapnet), which are not set up on either of the remote sites to be connected, these connections can be created collision-free without completely changing the subnet on either side. Instructions for connecting two networks can be found in a dedicated Wiki article NetMap

    UTM v12.1 Portfilter NetMap-Regel-en.png
    NetMap Rule
    Full Cone NAT
    ╭╴Type╶╮
    Full Cone NAT
    With Full Cone NAT, the same port is set for the sender as for the recipient. However, IPs other than the originally addressed IP are also permitted as senders. This can be helpful with VOIP. UTM v12.1 Portfilter FullconeNat-Regel-en.png
    Full Cone NAT Rule
    ╭╴Network object╶╮
    external-interface
    The IP address of this network object is then used as the sender IP of the data packets in the target network.
    As a rule, this should be the interface whose IP address is known to the target network so that reply packets can also be correctly delivered.
    ╭╴Service╶╮
    ssh
    Uses the selected service in the local destination network. This value is often (but by no means always) identical with the service above it in the data source package for which the rule is checked.
  • Only available when ╭╴Type╶╮ is selected as DESTNAT or NETMAP.
  • ╭╴Extras╶╮
    Rule Routing
    ╭╴Rule Routing╶╮
    eth2 In the ╭╴[-] Extras╶╮ section, the ╭╴Rule Routing╶╮ field is used to specify, based on rules, which route IP packets should take.
    In the example opposite, all VOIP packets are routed via the eth2 interface.
  • The drop-down field only provides wan interfaces for selection.
    If access to the Internet is via a router connected to an ethernet interface, this can be entered manually.
  • UTM v12.1 Portfilter Rule Routing-en.png
    QOS
    ╭╴QOS╶╮
    QOS Allows you to specify a Quality of Service profile in the ╭╴Extras╶╮ / ╭╴QOS╶╮ section that limits the bandwidth for data packets to which this rule applies.
    Configuration of the QoS profiles in the → Network →QoSTab Profile menu.
  • Only available when QOS is selected as ╭╴Action╶╮.
  • Time profile
    ╭╴Time profile╶╮
    Time profile Restricts the validity of the rule to a previously defined time profile.
    See section Time Profiles.
    Description
    ╭╴Description╶╮
    Rule description Alternative text that can be displayed instead of the rule details.
    The alternative texts are displayed with the button
    UTM v12.1 Portfilter Regelbeschreibung-en.png

    After editing or adding a rule, the rulebook must be updated.
    Only after that will the rules be applied!
    / Add Rule Update Rules



    Network objects

    Network objects include

    • a name
    • an address (IP or network)
    • and a zone.

    Network objects are mainly used to create port filter rules, but they are also used in the HTTP proxy.


    Create network objects

    → Firewall →PortfilterTab Network Objects Button Add Object

    caption: value: Description:
    Name Hostname Freely selectable name for the network object. OK - not really free: Even if it should be technically possible, refrain from using cryptic special characters such as curly brackets, backslashes and similar. At the latest in an AD environment, such things may lead to problems. UTM v12.1 Netzwerkobjekt Host-en.png
    Create network objects
    Type The type determines how the affiliation to this network object is determined.
    Host A single host with an IP address e.g. 192.0.2.192/32 → 192.0.2.192/--- 
    Network (address) A complete network, e.g. 192.0.2.0/24
    A 24 network is entered as default. However, this can be changed as desired.
    Network (address with custom mask) New ab v12 Network with any subnet mask. This is useful when the prefix may change. (Example: 192.0.2.0/0.255.255.0 oder 2001:DB8::1234/::FFFF:FFFF) → 192.0.2.0
    Network(interface) A complete network behind an interface e.g. eth0
  • Attention: With HideNat, only the first IP lying on this interface is used.When using with HideNat, try to use a network address.
  • VPN-Host A single VPN host with an IP address, e.g. 192.0.2.192/32 → 192.0.2.192/--- 
  • Only zones that have a flag Policy_IPSEC or PPP_VPN in the zone management (→ Network →Zone Settings Button w ) can be selected as zones for these network objects.
  • VPN network A complete VPN network, e.g. 192.0.2.0/24
    A 24 network is entered as default. However, this can be changed as desired.
    Static interface A configured IP address of an interface can be selected from a drop-down menu, e.g. 192.0.2.1/24
    Dynamic interface A dynamic assignment of the address of the interface based on the assigned zone. E.G.: 0.0.0.0/. oder eth0
    Hostname New ab v12 A host name, e.g.: my.host.local
    Address: 192.0.2.192 Depending on the type selected. See above.
    Zone Zone Zone in which the network object is located. By linking an object in the set of rules with the interface via the zone, it is achieved that a port filter rule only takes effect if not only the source, destination and service match the rule, but the connection is also made via the correct interfaces. This prevents all attacks that involve IP spoofing. The assignment of an object to an interface is done by binding the zone to the interface on the one hand and the assignment of the network object to a zone on the other.
  • Depending on the selected network type, a zone is already suggested or a restriction of the zone selection is made.
  • Groups »internal-networks Network objects can be grouped together to assign port filter rules to multiple objects.
    New 12 Network objects can also belong to several groups.
    {Note
    Save Saves the network object, but leaves the dialogue open to be able to create further objects.
    Save and close Saves the network object and closes the dialogue




    UTM v12.1 Portfilter Dienste-en.png

    Services

    Services define the protocol used and, if applicable, the port or port range of the data packets to be filtered. Many services are already preconfigured such as http, https, ftp, ssh, etc.

    Add / edit service

    If a service does not exist, it can be created with Add object.
    Depending on the protocol used, further settings can be made:

    • Ports (TCP and UDP)
    • Packet types (ICMP)
    • Protocol type (gre)
    The name of the service and the protocol must be specified in each case.
    The name of the service and the protocol must be specified in each case.
    With the tcp and udp protocols, sharing can be restricted to a single destination port or port ranges. Source ports can be any (None), a single port or a port range.
    With the tcp and udp protocols, sharing can be restricted to a single destination port or port ranges. Source ports can be any (None), a single port or a port range.
    If an existing service is to run on a different port, the service can be edited and the port changed.
    If an existing service is to run on a different port, the service can be edited and the port changed.










    Service groups

    Services can be grouped together in service groups. Here, too, there are already predefined groups that can be added to and changed. Detailed display by clicking on the folder symbol .
    Example: The group default-internet contains, for example, the services:

    Icon Name Protocol
    Udp.svg domain-udp udp Port 53
    Tcp.svg ftp tcp (ftp) Port 21
    Tcp.svg http tcp Port 80
    Tcp.svg https tcp Port 443
    Icmp.svg icmp-echo-req icmp Pakettyp 8
    Add/remove service from a service group
    • Wird auf der linken Seite eine Dienstgruppe markiert, kann ein Dienst mit der Plus-Schaltfläche der Dienstgruppe hinzugefügt werden.
    • Wird eine Dienstgruppe durch Klick auf das Ordnersymbol geöffnet, kann ein Dienst mit Klick auf die Minus-Schaltfläche entfernt werden.




    Time profiles

    Time profiles

    Time profiles are used to activate port filter rules only at specified times. In the example shown, the profile takes effect between 3:00 a.m. and 3:59:59 p.m. daily and from 7:00 a.m. to 5:59:59 p.m. on weekdays.

    Create time profiles

    • Create a time profile with the Add time profile button.
    • Select times
      • with the Ctrl key and mouse click for a single field or
      • with the Shift (Shift) key and mouse click for a time range.
    • Apply the time settings with the Save button.

    Use time profiles

    Time profiles are stored in the port filter rules around section ╭╴Extras╶╮.