Firewall
From UntangleWiki
About Firewall
Firewall provides traditional firewall functionality, blocking traffic based on rules. However, the Firewall can both monitor and block traffic. Rules are based on a combination of the following:
- Protocol
- Source
- Destination
For more information, go to Blocking or Passing Network Traffic by Protocol and Port.
About Port Scanning
Because of the way many port scanners work, a port scan of the Untangle Server's Firewall yields deceptive results, making many ports appear to be open when they aren't. This is the Attack Blocker doing its job. To protect the Untangle Virtual Machine, this feature is running even when Attack Blocker is turned off.
Once the scanning computer gets a bad reputation, Attack Blocker starts requiring the scanner to ACK the first SYN before letting it connect, which prevents SYN floods. The side effect is that ports appear open when they are not.
To see the real open port list, turn the scan speed down to very slow.
Protecting Your Network by Securing Ports
Computers and routers use numbered connections, called ports, to differentiate one type of network traffic from another. For data to pass to or from the Internet, there must be an open port for that traffic on your Untangle Server.
For usability, the Untangle Server's Firewall ships with all ports open. However, unlike other firewalls, the Untangle Server provides robust Software Products to protect your network when ports are open. Moreover, when the Untangle Server is your router, it is usually performing NAT, and NAT protects you from most threats. When the Untangle Server is a bridge, the Untangle Server is already behind a firewall, and a firewall protects you from most threats.
To protect your network, choose one of two approaches:
Approach 1: Start with all ports open, then secure ports.
- Ensure that all ports are open. Untangle Server opens all ports by default. Go to Opening All Ports on Untangle Server.
- Protect the ports that are open:
  - If the protocol communicates on multiple ports, install Untangle's Protocol Control and block the protocol by selecting one check box (for example, all FTP traffic).
  - If the traffic only resides on one port, block that port. Go to Blocking or Passing Network Traffic by Protocol and Port.
Approach 2: Start with all ports closed, then open ports.
- Close all ports. Go to Closing All Ports on Untangle Server.
- Open the ports that your company needs to use. Common ports include 80, 25, 21, and 110. Go to Blocking or Passing Network Traffic by Protocol and Port.
Opening All Ports on Untangle Server
As outlined in Protecting Your Network by Securing Ports, you might want to protect your network by opening all ports, then closing specific ports that your company does not use. For usability, the Untangle Server's Firewall has all ports open by default.
To open all ports:
- From Firewall, click the Show Settings button.
- Click the Rules tab.
- Scroll down to the Default Action area, and click the Pass radio button.
- Click the Save button.
Next Step: To close specific ports, go to Blocking or Passing Network Traffic by Protocol and Port.
Closing All Ports on Untangle Server
As outlined in Protecting Your Network by Securing Ports, you might want to protect your network by closing all ports, then opening specific ports that your company uses.
To close all ports:
- From Firewall, click the Show Settings button.
- Click the Rules tab.
- Scroll down to the Default Action area, then click the Block radio button.
- Click the Save button.
Next Step: To open specific ports, go to Blocking or Passing Network Traffic by Protocol and Port.
Blocking or Passing Network Traffic by Protocol and Port
Firewall matches each connection against each rule's criteria, which consist of the protocol (traffic type), the source and destination interfaces, and the source and destination addresses and ports. See the criteria list below for the valid values.
To block or pass network traffic:
Before You Begin:
- Open or close all ports (this sets the Default Action). The Untangle Server checks the rules in the Rules table first; if no rule that you define in this procedure matches a connection, the default action specified in the Default Action area is taken.
- Identify the port that you want to open or close. For a list of TCP and UDP port numbers, go to Wikipedia's List of TCP and UDP Port Numbers, or refer to the /etc/services file on any *nix system.
Steps:
- From Firewall, click the Show Settings button.
- Click the Rules tab. The Rules table is an ordered list of rules; Firewall evaluates its rules in the order in which they are listed in the table.
- Do one of the following:
  - Modify one of the default rules.
  - (Recommended) Click the add (+) button to create a new rule.
- In the Rules table, select or clear the Enable check box for the rule that you want to modify.
- Click the Edit button for the rule, then, in the Action drop-down list, select either block or pass.
- (Optional) If you want to log this type of traffic in the Event Logs or Untangle Reports, select the Log check box.
- Specify the criteria (see the criteria list below).
- (Optional) Change the order in which Firewall evaluates its rules by dragging and dropping rules to reorder them. Rules are evaluated in the order that they appear in the table.
- (Optional) If you know what the significance of the Category property is, please update the wiki here. ;)
Criteria:
- Traffic Type: The traffic type criterion selects the protocol to be matched. Valid values are TCP, UDP, both TCP & UDP, or any.
- Source Interface: The client's interface. The client is the host that initiates the request. Your choices are any (all), External, DMZ, VPN, Internal, Less Trusted or More Trusted Interfaces. If one of your interfaces doesn't appear in the list, go to Adding Network Cards or Testing Internet Connection.
- Destination Interface: The server's interface. The server is the host that services the request. Your choices are any (all), External, DMZ, VPN, Internal, Less Trusted or More Trusted Interfaces. If one of your interfaces doesn't appear in the list, go to Adding Network Cards or Testing Internet Connection.
- Source Address: The IP address of the host that initiated the connection. Addresses are specified in IP Matcher format, which can be simple addresses, address ranges (address-address), or subnets in CIDR (address/subnet) notation.
- Destination Address: The IP address of the host that received the connect request. Addresses are specified in IP Matcher format, which can be simple addresses, address ranges (address-address), or subnets in CIDR (address/subnet) notation.
- Source Port: The port of the connection source. Valid values are in Port Matcher format.
- Destination Port: The port of the connection destination. Valid values are in Port Matcher format.
Example: Blocking FTP Traffic on Port 21
The following example shows an Untangle Server that has all ports open, but blocks FTP traffic for inbound traffic on port 21. One might create such a rule to prevent employees from downloading files from the Internet.
Note: Although you can use the Firewall to achieve your goal, consider using Protocol Control instead. Protocol Control does not require that you know the ports on which applications communicate, and you do not need to create a rule: you need only select one check box. Of course, for those who are used to a traditional firewall, Untangle's Firewall offers the typical features, including port blocking.
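The matching behaviour described above (ordered rules, first match wins, then the Default Action) as an added Python model; this is example code written for this page, not Untangle's own implementation. It assumes the Port Matcher format accepts a single port or a lo-hi range, models the page's FTP example with the employee client on the Internal interface (the page defines Source Interface as the client's), and places a pass rule for one constructed server address above the block rule to show that table order decides.

```python
import ipaddress

def ip_match(matcher: str, addr: str) -> bool:
    """IP Matcher format: 'any', one address, an 'addr-addr' range, or a CIDR subnet."""
    ip = ipaddress.ip_address(addr)
    if matcher == "any":
        return True
    if "/" in matcher:
        return ip in ipaddress.ip_network(matcher, strict=False)
    lo, _, hi = matcher.partition("-")  # a single address is a range of one
    return ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi or lo)

def port_match(matcher: str, port: int) -> bool:
    if matcher == "any":  # Port Matcher format (assumed here): 'any', one port, or 'lo-hi'
        return True
    lo, _, hi = matcher.partition("-")
    return int(lo) <= port <= int(hi or lo)

def proto_match(matcher: str, proto: str) -> bool:
    """Traffic Type: TCP, UDP, 'TCP & UDP' (either one), or any."""
    if matcher == "TCP & UDP":
        return proto in ("TCP", "UDP")
    return matcher in ("any", proto)

def rule_matches(rule: dict, c: dict) -> bool:
    """One Rules-table row; any criterion left out of the rule behaves as 'any'."""
    r = lambda key: rule.get(key, "any")
    return (rule.get("enabled", True)  # the Enable check box; a cleared rule never matches
            and proto_match(r("protocol"), c["protocol"])
            and r("src_if") in ("any", c["src_if"]) and r("dst_if") in ("any", c["dst_if"])
            and ip_match(r("src_addr"), c["src_addr"]) and ip_match(r("dst_addr"), c["dst_addr"])
            and port_match(r("src_port"), c["src_port"]) and port_match(r("dst_port"), c["dst_port"]))

def evaluate(rules: list, conn: dict, default_action: str = "pass") -> str:
    """Rules are checked in table order; the first match decides, otherwise the Default Action."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule["action"]
    return default_action

# The page's example: Default Action = pass (all ports open) plus a rule blocking employees' FTP
# requests (TCP/21 from Internal clients); the pass rule above it exempts one constructed server.
FTP_RULES = [
    {"action": "pass", "protocol": "TCP", "src_if": "Internal", "dst_addr": "203.0.113.5", "dst_port": "21"},
    {"action": "block", "protocol": "TCP", "src_if": "Internal", "dst_if": "External", "dst_port": "21"},
]

def outbound(src_addr: str, dst_addr: str, dst_port: int, protocol: str = "TCP") -> dict:
    # Constructed connection record: an Internal client talking to an External server.
    return {"protocol": protocol, "src_if": "Internal", "dst_if": "External", "src_addr": src_addr,
            "dst_addr": dst_addr, "src_port": 51000, "dst_port": dst_port}
```

Swapping the two rules makes the exempted server's FTP connection hit the block rule first, which is the reorder pitfall the procedure's drag-and-drop step can introduce.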
About Firewall Event Logs
Use the following terms and definitions to understand the Firewall Event Log:
- timestamp: The time the event took place.
- action: The action that was taken on the traffic. Valid values are block and pass.
- client: The client IP address of the traffic.
- reason for action: The rule that was applied to the traffic.
- server: The intended server IP address of the traffic.
