Firewall

From UntangleWiki


Untangle Server User's Guide


Other Links:
Firewall Description Page
Firewall Screenshots
Firewall Forums
Firewall FAQs




About Firewall

Firewall provides traditional firewall functionality: it blocks or passes traffic according to an ordered list of rules. A rule can also log the traffic it matches, so Firewall can monitor a kind of traffic without blocking it. Rules match on a combination of the traffic type (protocol), the source and destination interfaces, and the source and destination addresses and ports.

For more information, go to Blocking or Passing Network Traffic by Protocol and Port.


Protecting Your Network by Securing Ports

Computers and routers use numbered ports to distinguish one type of network traffic from another. For data to pass to or from the Internet, the port that the traffic uses must be open on your Untangle Server.

For usability, the Untangle Server's Firewall ships with all ports open (Default Action: pass). Unlike a traditional firewall, the Untangle Server also provides Software Products that protect your network while ports are open. Moreover, when the Untangle Server is your router, it is usually performing NAT, and NAT already rejects unsolicited inbound connections to internal hosts. When the Untangle Server is a bridge, it is already behind a firewall, which does the same. Note what NAT and an upstream firewall do not do: they do not restrict outbound connections from your network, and they do not protect any service you have deliberately exposed with port forwarding. Firewall rules are how you close those gaps.

To protect your network, choose one of two approaches:

Approach 1: Start with all ports open, then secure ports.
  1. Ensure that all ports are open. Untangle Server opens all ports by default. Go to Opening All Ports on Untangle Server.
  2. Close the ports that your company does not use. Go to Blocking or Passing Network Traffic by Protocol and Port.

Approach 2: Start with all ports closed, then open ports.
  1. Close all ports. Go to Closing All Ports on Untangle Server.
  2. Open only the ports that your company needs to use. Common examples are 80 (HTTP), 25 (SMTP), 21 (FTP) and 110 (POP3). Go to Blocking or Passing Network Traffic by Protocol and Port.

Approach 2 (default block, explicit pass rules) is the least-privilege configuration: a service you forgot about stays unreachable. Approach 1 is easier to roll out but leaves every port you did not list open.



Opening All Ports on Untangle Server

As outlined in Protecting Your Network by Securing Ports, you might want to protect your network by opening all ports, then closing specific ports that your company does not use. For usability, the Untangle Server's Firewall has all ports open by default.

To open all ports:

  1. From Firewall, click the Show Settings button.
  2. Click the Rules tab.
  3. Scroll down to the Default Action area, and click the Pass radio button.
  4. Click the Save button.

Next Step: To close specific ports, go to Blocking or Passing Network Traffic by Protocol and Port.


Closing All Ports on Untangle Server

As outlined in Protecting Your Network by Securing Ports, you might want to protect your network by closing all ports, then opening specific ports that your company uses.

To close all ports:

  1. From Firewall, click the Show Settings button.
  2. Click the Rules tab.
  3. Scroll down to the Default Action area, then click the Block radio button.
  4. Click the Save button.

Next Step: To open specific ports, go to Blocking or Passing Network Traffic by Protocol and Port.


Blocking or Passing Network Traffic by Protocol and Port

Firewall matches each session against its rules in order. A rule's criteria consist of the protocol (traffic type), the source and destination interfaces, and the source and destination addresses and ports. The valid values for each criterion are listed under step 7 below.

To block or pass network traffic:

  1. From Firewall, click the Show Settings button.
  2. Click the Rules tab. The Rules table is an ordered list of rules. Firewall evaluates its rules in the order that they are listed in the table; the first rule that matches a session decides whether it is blocked or passed, and if no rule matches, the Default Action applies.
  3. Do one of the following:
    • Modify one of the default rules.
    • (Recommended) Click the add (+) button to create a new rule.
  4. In the Rules table, select or clear the Enable check box for the rule that you want to modify. A rule that is not enabled is skipped during evaluation.
  5. Click the Edit button for the rule, then, in the Action drop-down list, select either block or pass.
  6. (Optional) If you want this rule's matches recorded in the Event Logs or Untangle Reports, select the Log check box. A pass rule with Log selected is how you monitor a type of traffic without blocking it.
  7. Specify the criteria. A rule matches a session only when every criterion you specify matches:
    Traffic Type The protocol to be matched. Valid values are TCP, UDP, both TCP & UDP, or any.
    Source Interface The client's interface. The client is the host that initiates the request. Your choices are any (all), External, DMZ, VPN, Internal, Less Trusted or More Trusted Interfaces. If one of your interfaces doesn't appear in the list, go to Adding Network Cards or Testing Internet Connection.
    Destination Interface The server's interface. The server is the host that services the request. The choices are the same as for Source Interface. If one of your interfaces doesn't appear in the list, go to Adding Network Cards or Testing Internet Connection.
    Source Address The IP address of the host that initiated the connection. For a NATed internal host this is its private (pre-NAT) address; see the FAQ on pre-NAT and post-NAT addresses. Addresses are specified in IP Matcher format: a single address, an address range (address-address), or a subnet in CIDR notation (address/prefix).
    Destination Address The IP address of the host that received the connect request. For a port-forwarded internal server this is its private (post-NAT) address. Same IP Matcher format as Source Address.
    Source Port The port of the connection source, in Port Matcher format (for example a single port, or a range such as 1024-2048).
    Destination Port The port of the connection destination, in Port Matcher format. For most rules this is the criterion that identifies the service, for example 25 for SMTP or 21 for FTP.
  8. (Optional) Change the order in which Firewall evaluates its rules by dragging and dropping rules to reorder them. Rules are evaluated in the order that they appear in the table, so place a specific pass rule above the general block rule it is an exception to.
  9. (Optional) Category. The significance of this property is not documented on this page.



Example: Blocking FTP Traffic on Port 21

The following example shows an Untangle Server that has all ports open (Default Action: pass) but blocks FTP control connections, that is, TCP traffic from clients on the Internal interface to destination port 21 on the External interface. One might create such a rule to prevent employees from downloading files from FTP servers on the Internet. The rule catches only servers listening on the standard port; an FTP server on a non-standard port is not matched, which is one reason to prefer Protocol Control for this purpose.

Note: Although you can use the Firewall to achieve this, consider using Protocol Control instead. Protocol Control identifies applications by their traffic rather than by port, so you do not need to know the ports on which an application communicates, and you do not need to create a rule: selecting one check box is enough. For those used to a traditional firewall, Untangle's Firewall still offers the typical features, including port blocking.

Screenshot: Blocking File Downloads


About Firewall Event Logs

Use the following terms and definitions to understand the Firewall Event Log:

timestamp The time the event took place.
action The action that was taken on the traffic. Valid values are block and pass.
client The client (source) IP address of the traffic.
reason for action The rule that was applied to the traffic.
server The intended server (destination) IP address of the traffic.


Firewall FAQs

All Untangle FAQs

Why doesn't the Untangle Server's Firewall have rules enabled by default?

  • When the Untangle Server is your router, it is performing NAT. NAT rejects unsolicited inbound connections to internal hosts, which covers most inbound threats.
  • When the Untangle Server is a bridge, it is already behind a firewall, which does the same.

Neither restricts outbound traffic from your network or protects a service you have port-forwarded. Add Firewall rules, or set the Default Action to block, when you need that.

Can I have a firewall and still use NetMeeting?

Yes. However, on the Untangle Server, you need to pass specific protocols and open specific ports as outlined in Firewall. A Microsoft article, How to Establish NetMeeting Connections Through a Firewall, explains which protocols to pass and which ports to open.

How do I identify unsecured ports?

There are free port-scanning programs on the Internet that report which ports are open (unsecured). Run one from outside your network against your Untangle Server's external address to see which ports are reachable, then secure them using one of the approaches in Protecting Your Network by Securing Ports.

We currently have a firewall, which lets us do port mapping. I don't see that feature in your Firewall. Will you be adding it, or is there an alternative?

Port mapping (redirection) is a feature of the Router.

I want to lock down my network but for a few exceptions. What is the best way to do this?

Set the Default Action to block, as described in Closing All Ports on Untangle Server. Then create a few pass rules for the exceptions, placing each pass rule above any block rule it must override.

How can I block outbound SMTP?

Often administrators want to block all outbound port 25 traffic except from the mail server. There are two ways to do this.

Option 1, in Firewall:
  1. Remove the outbound port 25 policy rule, so that outbound port 25 traffic goes through the rack in question.
  2. Create a rule that blocks all TCP port 25 traffic with Destination Interface External.
  3. Just above it, create a rule that passes outbound port 25 traffic where the Source Address is your email server. The order matters: if the block rule sits above the pass rule, it matches first and the mail server is blocked too.
  Beware: mail from your mail server now goes through the rack and may be scanned by Spam Blocker, Phish Blocker, etc.

Option 2: Add a rule in Firewall blocking all port 25 traffic, then add a Policy Manager rule sending all outbound port 25 traffic from the email server to "No Rack".

Should I use pre-NAT or post-NAT addresses in firewall rules?

Firewall rules always match on the address that carries more information. For example, if the entire internal network 192.168.*.* is NATed to 1.2.3.4, Firewall matches on the 192.168.*.* addresses for traffic to and from this network, not on 1.2.3.4. At the session level this works out to pre-NAT on the source address and post-NAT on the destination address: an internal client's outbound session is seen with the client's private source address, and an inbound session to a port-forwarded server is seen with the server's private destination address. Write your rules with the private addresses of internal hosts.
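The following is an added example and not Untangle's own code: a small Python model of the rule evaluation described in Blocking or Passing Network Traffic by Protocol and Port, applied to the FTP example and to the two FAQs above on blocking outbound SMTP and on pre-NAT versus post-NAT addresses. The interface names, rule fields, the mail server address 192.168.1.25, the Internet address 203.0.113.25 and the sessions are constructed for illustration; that the Port Matcher accepts a comma-separated list is an assumption about the format, which the page does not spell out.

```python
# Added example (not Untangle's code): a minimal model of Firewall's ordered,
# first-match rule table using this page's IP Matcher and Port Matcher formats.
import ipaddress
from dataclasses import dataclass

def ip_matches(matcher: str, addr: str) -> bool:
    """IP Matcher: 'any', one address, a range 'a-b', or CIDR 'net/len'."""
    matcher = matcher.strip()
    if matcher.lower() == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in matcher:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in matcher.split("-", 1))
        return lo <= ip <= hi
    if "/" in matcher:
        return ip in ipaddress.ip_network(matcher, strict=False)
    return ip == ipaddress.ip_address(matcher)

def port_matches(matcher: str, port: int) -> bool:
    """Port Matcher: 'any', one port, a range 'a-b', or (assumed) a comma list."""
    matcher = matcher.strip()
    if matcher.lower() == "any":
        return True
    for part in matcher.split(","):
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False

# Session protocols covered by each Traffic Type value.  The real product's
# 'any' also covers non-TCP/UDP traffic; only TCP and UDP are modelled here.
TRAFFIC_TYPES = {"any": {"TCP", "UDP"}, "TCP & UDP": {"TCP", "UDP"},
                 "TCP": {"TCP"}, "UDP": {"UDP"}}

@dataclass
class Rule:
    action: str                 # "block" or "pass"
    protocol: str = "any"       # a TRAFFIC_TYPES key
    src_intf: str = "any"       # interface of the host that opened the session
    dst_intf: str = "any"       # interface of the host being connected to
    src_addr: str = "any"       # IP Matcher
    dst_addr: str = "any"       # IP Matcher
    src_port: str = "any"       # Port Matcher
    dst_port: str = "any"       # Port Matcher
    enabled: bool = True
    description: str = ""

@dataclass
class Session:
    protocol: str
    src_intf: str
    dst_intf: str
    src_addr: str               # client address before NAT (the more specific one)
    dst_addr: str               # server address after NAT / port forwarding
    src_port: int
    dst_port: int

def rule_matches(rule: Rule, s: Session) -> bool:
    """Every criterion must match; a disabled rule never matches."""
    return (rule.enabled
            and s.protocol in TRAFFIC_TYPES[rule.protocol]
            and rule.src_intf in ("any", s.src_intf)
            and rule.dst_intf in ("any", s.dst_intf)
            and ip_matches(rule.src_addr, s.src_addr)
            and ip_matches(rule.dst_addr, s.dst_addr)
            and port_matches(rule.src_port, s.src_port)
            and port_matches(rule.dst_port, s.dst_port))

def evaluate(rules, s: Session, default_action: str):
    """First matching rule wins, else the Default Action applies.
    Returns (action, reason) in the shape the Event Log reports them."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.action, rule.description
    return default_action, "Default Action"

# 'Block outbound SMTP except from the mail server' (FAQ above): the pass
# rule for the mail server must sit ABOVE the general block rule.
MAIL_SERVER = "192.168.1.25"    # assumed address of the internal mail server
SMTP_RULES = [
    Rule("pass", "TCP", "Internal", "External", src_addr=MAIL_SERVER,
         dst_port="25", description="pass SMTP from mail server"),
    Rule("block", "TCP", "any", "External", dst_port="25",
         description="block outbound SMTP"),
]
# The FTP example on this page: block control connections to port 21 only.
FTP_RULES = [Rule("block", "TCP", "Internal", "External", dst_port="21",
                  description="block FTP")]

def outbound_decision(rules, client_addr: str, dst_port: int):
    """Constructed session: an internal client opening a TCP connection to
    an Internet host (203.0.113.25 is a documentation address)."""
    s = Session("TCP", "Internal", "External", client_addr, "203.0.113.25",
                49152, dst_port)
    return evaluate(rules, s, default_action="pass")
```

Calling outbound_decision(SMTP_RULES, MAIL_SERVER, 25) returns a pass from the mail-server rule and any other internal client is blocked; evaluating the same two rules in reverse order (SMTP_RULES[::-1]) blocks the mail server too, which is the ordering mistake the SMTP FAQ warns about. The Session fields carry the pre-NAT source and post-NAT destination address, as the last FAQ describes, so the mail-server rule is written with the private address.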
