Firewall configuration, also known as IP filtering, refers to the selective blocking of IP packets passing between global and local networks. The filtering is based on rules that describe the characteristics of a packet, for example the contents of the IP header, the input or output interface, or the protocol. This feature is used mainly in firewall applications to filter packets that could potentially harm the network system or generate unnecessary traffic in the network.

You can use the Firewall Configuration form to enable the firewall on ACS. You can define rules to allow or disallow packets, and configure filtering of packets that are sent and received through ACS.

Each entry in the list on the Firewall Configuration form represents a chain with a set of rules. By default the list has three built-in chains, as shown in the previous figure: INPUT, FORWARD, and OUTPUT. Each of these chains accepts all packets until rules are added to it. You can use the “Edit,” “Delete,” “Add,” and “Edit Rules” buttons on the form to configure packet filtering as follows:

Selecting one of the default chains and pressing the “Edit” button opens the “Edit Chain” dialog box shown in the following figure.

Note: User-defined chains cannot be edited. If a user-defined chain is selected for editing, the message shown in the following figure appears.

If one of the user-defined chains is selected and the “Delete” button is pressed, the chain is deleted.

Note: Default chains cannot be deleted. If one of the default chains is selected and the “Delete” button is pressed, the message shown in the following figure appears.

If the “Add” button is pressed, the “Add Chain” dialog box shown in the following figure appears. Adding a chain only creates a named entry for the chain. Rules must be configured for the chain after it is added to the list of chains.

If the “Edit Rules” button is pressed, a form appears with a list of headings like the one shown in the following figure. The example shows the OUTPUT chain selected for editing.

Figure: Firewall Configuration “Edit Rules for chain_name” Buttons
• Selecting a rule and pressing the “Up” and “Down” buttons moves the rule up and down the list.

The “Add Rule” and “Edit Rule” dialog boxes have the fields and options shown in the following figure.

If the “Inverted” checkbox is enabled for the corresponding option, the target action is performed on packets that do not match the criteria specified on that line. For example, if you select “DROP” as the target action from the “Target” drop-down list, check “Inverted” on the “Source IP” line, and specify no other criteria in the rule, any packet arriving from a source IP address other than the one specified is dropped.

The “Target” pull-down menu shows the action to be performed on an IP packet that matches all the criteria specified in a rule. The kernel can be configured to ACCEPT, DROP, RETURN, or LOG the packet, to REJECT it by sending a message, to translate the source or destination IP address, or to send the packet to another user-defined chain. The default target pull-down menu is shown in the following figure.

If you add a value in the “Source IP” field, incoming packets are filtered for the specified IP address; if you add a value in the “Destination IP” field, outgoing packets are filtered for the specified IP address. A value in the “Mask” field means incoming or outgoing packets are filtered for IP addresses from the network in the specified subnet.

Figure: Firewall Configuration “Add Rule” and “Edit Rule” Source and Destination IP and Mask Fields

You can select a protocol for filtering.
The “Protocol” pull-down menu is shown in the following figure. The additional fields that appear for each protocol are explained in the following sections.

If Numeric is selected as the protocol when specifying a rule, a text field appears to the right of the menu for the desired protocol number, as shown in the following figure.

Figure: Firewall Configuration “Add Rule” and “Edit Rule” Numeric Protocol Fields

If TCP is selected as the protocol when specifying a rule, the additional fields shown in the following figure appear at the bottom of the form.

Figure: Firewall Configuration “Add Rule” and “Edit Rule” TCP Protocol Fields and Menu Options
Enter a port number for filtering in the “Source Port” or “Destination Port” field. A range of ports can be specified by adding a second port number in the “to” field; TCP packets are then filtered for the specified range of ports. The TCP flags cause packets to be filtered for the specified flag and the selected condition. The flags are “SYN” (synchronize), “ACK” (acknowledge), “FIN” (finish), “RST” (reset), “URG” (urgent), and “PSH” (push); the conditions are “Any,” “Set,” or “Unset.” Checking the “Inverted” box negates the selected TCP options: the rule applies to everything except the selected options.

If UDP is selected as the protocol when specifying a rule, the additional fields shown in the following figure appear at the bottom of the form.

Figure: Firewall Configuration “Add Rule” and “Edit Rule” UDP Protocol Fields

Enter a port number for filtering in the “Source Port” or “Destination Port” field. A range of ports can be specified by adding a second port number in the “to” field; UDP packets are then filtered for the specified range of ports. Checking the “Inverted” box negates the selected UDP options: the rule applies to everything except the selected options.

If ICMP is selected as the protocol, the “ICMP Type” pull-down menu appears in the “ICMP Options Section” at the bottom of the Firewall Configuration form. The following figure shows the options.

Figure: Firewall Configuration “Add Rule” and “Edit Rule” ICMP Type Menu Options

If an interface (such as eth0 or eth1) is entered in the “Input Interface” field, incoming packets are filtered for the specified interface. If an interface is entered in the “Output Interface” field, outgoing packets are filtered for the specified interface. The input and output interface fields are shown in the following figure along with the options on the “Fragments” pull-down menu.

Figure: Firewall Configuration Input and Output Interface Fields and Fragments Menu Options

Expert > Firewall Configuration Input and Output Interface, and Fragments Fields Definitions.
• Input Interface: The input interface (ethN) for the packet.
• Output Interface: The output interface (ethN) for the packet.
• Inverted: “Inverting” an item negates the selected rules. Rules will apply to everything except the selected options.

If you select “LOG” from the “Target” field, the fields and menus shown in the following figure appear in the “LOG Options Section” at the bottom of the form.

Figure: Firewall Configuration “Add Rule” and “Edit Rule” LOG Target Fields
Figure: Firewall Configuration “Add Rule” and “Edit Rule” REJECT Target Menu Options

Any “Reject with” option causes the input packet to be dropped and a reply packet of the specified type to be sent.

“Reject with” means that the filter drops the input packet and sends back a reply packet of one of the reject types listed below:
• icmp-net-unreachable
• icmp-host-unreachable
• icmp-port-unreachable
• icmp-proto-unreachable
• icmp-host-prohibited
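The chain, rule, “Inverted” and target behaviour described above, modelled in plain Python as an added example. This is not code from ACS or its documentation; the Packet, Rule and Firewall classes, the 10.0.0.0/24 management subnet and the ports used are all constructed for illustration. The model imitates netfilter rule evaluation (first matching terminating rule wins, LOG is non-terminating, RETURN goes back to the calling chain, REJECT drops and answers with the chosen ICMP error) so that the form's own example, “DROP with Inverted Source IP”, can be checked offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a plain-Python model of the Firewall Configuration form's
# chains, rules, per-criterion "Inverted" boxes and targets. Netfilter
# semantics are imitated for illustration only; every packet and rule below
# is constructed sample data, not real ACS traffic or configuration.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"                 # "tcp", "udp", "icmp" or a protocol number as a string
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags present, e.g. {"SYN"}


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP, REJECT, LOG, RETURN or a user-defined chain
    src: Optional[str] = None          # "Source IP" plus "Mask", written as 10.0.0.0/24
    dst: Optional[str] = None          # "Destination IP" plus "Mask"
    proto: Optional[str] = None        # "Protocol" menu
    sport: Optional[tuple] = None      # ("Source Port", "to") range
    dport: Optional[tuple] = None      # ("Destination Port", "to") range
    tcp_flag: Optional[tuple] = None   # (flag, "Any" | "Set" | "Unset")
    inverted: frozenset = frozenset()  # names of criteria whose "Inverted" box is checked
    log_prefix: str = ""               # LOG Options: prefix written with the log entry
    reject_with: str = "icmp-port-unreachable"   # "Reject with" menu

    def matches(self, pkt: Packet) -> bool:
        """True when every filled-in criterion matches, after applying inversion."""
        checks = {
            "src": lambda: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False),
            "dst": lambda: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False),
            "proto": lambda: pkt.proto == self.proto,
            "sport": lambda: self.sport[0] <= pkt.sport <= self.sport[1],
            "dport": lambda: self.dport[0] <= pkt.dport <= self.dport[1],
            "tcp_flag": lambda: (self.tcp_flag[1] == "Any"
                                 or (self.tcp_flag[0] in pkt.flags) == (self.tcp_flag[1] == "Set")),
        }
        for name, check in checks.items():
            if getattr(self, name) is None:
                continue                   # field left blank on the form: no constraint
            hit = check()
            if name in self.inverted:      # "Inverted": the line matches when the criterion does NOT
                hit = not hit
            if not hit:
                return False
        return True


class Firewall:
    def __init__(self) -> None:
        # The three built-in chains; each accepts every packet until rules say otherwise.
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
        self.log = []        # lines a LOG target would hand to syslog
        self.replies = []    # (destination, type) of ICMP errors sent by REJECT

    def add_chain(self, name: str) -> None:
        self.chains[name] = []   # "Add Chain" only creates a named, empty entry

    def add_rule(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """Run a packet through one chain; None means it fell off the end."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":       # LOG records the packet and keeps going
                self.log.append(f"{rule.log_prefix}{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                continue
            if rule.target == "RETURN":    # back to the calling chain
                return None
            if rule.target == "REJECT":    # drop, but answer with the chosen ICMP error
                self.replies.append((pkt.src, rule.reject_with))
                return "DROP"
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self._walk(rule.target, pkt)   # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, chain: str, pkt: Packet) -> str:
        """Final decision for a packet entering a built-in chain."""
        result = self._walk(chain, pkt)
        return result if result is not None else self.policy[chain]


def build_demo() -> Firewall:
    """Constructed rule set (hypothetical management subnet 10.0.0.0/24)."""
    fw = Firewall()
    # INPUT rule 1: Source IP 10.0.0.0/24 with "Inverted" checked and target DROP,
    # the form's own example: anything NOT from the management subnet is dropped.
    fw.add_rule("INPUT", Rule(target="DROP", src="10.0.0.0/24", inverted=frozenset({"src"})))
    # INPUT rule 2: hand management-subnet traffic to a user-defined chain.
    fw.add_chain("mgmt")
    fw.add_rule("INPUT", Rule(target="mgmt", src="10.0.0.0/24"))
    # mgmt: LOG new SSH connections (TCP 22 with SYN "Set"), then ACCEPT SSH.
    fw.add_rule("mgmt", Rule(target="LOG", proto="tcp", dport=(22, 22),
                             tcp_flag=("SYN", "Set"), log_prefix="ssh-new: "))
    fw.add_rule("mgmt", Rule(target="ACCEPT", proto="tcp", dport=(22, 22)))
    # mgmt: REJECT SNMP with icmp-port-unreachable; everything else RETURNs to INPUT.
    fw.add_rule("mgmt", Rule(target="REJECT", proto="udp", dport=(161, 161)))
    fw.add_rule("mgmt", Rule(target="RETURN"))
    # INPUT rule 3: whatever RETURNs from mgmt without a verdict is dropped.
    fw.add_rule("INPUT", Rule(target="DROP"))
    return fw
```

Rules are evaluated in list order, which is why the “Up” and “Down” buttons matter: moving the final DROP above the jump to the user-defined chain would make that chain unreachable. The per-criterion inversion also shows why an inverted Source IP line on its own is a broad rule: with no other criteria filled in, it matches every packet from outside the subnet, whatever its protocol or port.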
2. Note: User-defined chains cannot be edited. If you want to rename a chain you added, delete it and create a new one.
2. Select the chain to which you want to add a rule from the Chain list, and then click the “Edit Rules” button.