Network Menu & Forms > Network > Firewall Configuration

Firewall Configuration
Firewall configuration, also known as IP filtering, refers to the selective blocking of the passage of IP packets between global and local networks. The filtering is based on rules that describe the characteristics of the packet, such as the contents of the IP header, the input/output interface, or the protocol.
This feature is used mainly in firewall applications to filter the packets that could potentially harm the network system or generate unnecessary traffic in the network.
Selecting Network > Firewall Configuration brings up the form shown in the following figure.
 Expert > Network > Firewall Configuration
You can use the Firewall Configuration form to enable firewall on ACS. You can define rules to allow or disallow packets, and configure filtering of packets that are sent and received through ACS.
Packet filtering relies on defined chains and rules. See Packet Filtering on ACS for details.
Each entry in the list on the Firewall Configuration form represents a chain with a set of rules.
The list by default has three built-in chains, as shown in the previous figure. The chains accept all INPUT, FORWARD, and OUTPUT packets. You can use the “Edit,” “Delete,” “Add,” and “Edit Rules” buttons on the form to configure packet filtering as follows:
“Edit” Button
If you select one of the default chains and press the “Edit” button, the “Edit Chain” dialog box shown in the following figure appears.
Expert > Firewall Configuration “Edit Chain” Dialog Box
Only the policy can be edited for a default chain. The options are “ACCEPT,” and “DROP.”
Note: User-defined chains cannot be edited. If a user-defined chain is selected for editing, the message shown in the following figure appears.
Firewall Configuration “User-defined Chain” Message
“Delete” Button
If one of the user-defined chains is selected and the “Delete” button is pressed, the chain is deleted.
Note: Default chains cannot be deleted. If one of the default chains is selected and the “Delete” button is pressed, the message shown in the following figure appears.
Firewall Configuration “Delete Default Chain” Message
“Add” Button
If the “Add” button is pressed, the “Add Chain” dialog box shown in the following figure appears.
Expert > Firewall Configuration “Add Chain” Dialog Box
Adding a chain only creates a named entry for the chain. Rules must be configured for the chain after it is added to the list of chains.
“Edit Rules” Button
If the “Edit Rules” button is pressed, a form appears with a list of headings like the one shown in the following figure. The example shows the OUTPUT chain selected for editing.
Firewall Configuration “Edit Rules for chain_name” Form
The buttons shown in the following figure appear at the bottom of the form.
Firewall Configuration “Edit Rules for chain_name” Buttons
Options on the “Add Rule” and “Edit Rule” Dialog Boxes
The “Add Rule” and “Edit Rule” dialog boxes have the fields and options shown in the following figure.
Expert > Firewall Configuration “Add Rule” and “Edit Rule” Dialog Boxes
Inverted Checkboxes
If the “Inverted” checkbox is enabled for the corresponding option, the target action is performed on packets that do not match the criteria specified in that line.
For example, if you select “DROP” as the target action from the “Target” drop-down list, check “Inverted” on the “Source IP” line, and specify no other criteria in the rule, any packet arriving from a source IP address other than the one specified is dropped.
Target Pull-down Menu Options
The “Target” pull-down menu shows the action to be performed on an IP packet that matches all the criteria specified in a rule. The kernel can be configured to ACCEPT, DROP, RETURN, or LOG the packet, to REJECT it by sending a reply message, to translate the source or the destination IP address, or to send the packet to another user-defined chain. The default target pull-down menu is shown in the following figure.
Firewall Configuration “Add Rule” and “Edit Rule” Target Menu Options
Source or Destination IP and Mask
If you add a value in the “Source IP” field, incoming packets are filtered for the specified IP address, and if you add a value in the “Destination IP” field, outgoing packets are filtered for the specified IP address. A value in the “Mask” field means incoming or outgoing packets are filtered for IP addresses from the network in the specified subnet.
The source and destination IP and related fields are shown in the following figure.
Firewall Configuration “Add Rule” and “Edit Rule” Source and Destination IP and Mask Fields
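The following is an added example, not part of the original manual and not ACS code, that models how the chains, rules, “Inverted” checkboxes, and targets described in the preceding sections combine when a packet is evaluated: every built-in chain has a policy, a rule matches only when all of its criteria match, “Inverted” negates one criterion, LOG is non-terminating, RETURN hands control back to the calling chain, and a target that is not a built-in action is a jump to a user-defined chain. The “Source IP”/“Destination IP” plus “Mask” pair is modelled as an IP network. All class, function, and field names, and the sample configuration and packets, are constructed for this example.

```python
"""Constructed model (not ACS code) of chain and rule evaluation as described
for the Firewall Configuration form: built-in chains carry a policy, a rule
matches only if all its criteria match, each criterion can be "Inverted",
and the target is ACCEPT, DROP, REJECT, LOG, RETURN or a user-defined chain."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
TERMINATING = ("ACCEPT", "DROP", "REJECT")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", or a protocol number as text
    in_iface: str = ""
    out_iface: str = ""


@dataclass
class Criterion:
    value: str
    inverted: bool = False    # the "Inverted" checkbox on that line of the dialog


@dataclass
class Rule:
    target: str                              # ACCEPT/DROP/REJECT/LOG/RETURN or a chain name
    source: Optional[Criterion] = None       # "Source IP" + "Mask" written as a.b.c.d/prefix
    dest: Optional[Criterion] = None         # "Destination IP" + "Mask"
    protocol: Optional[Criterion] = None
    in_iface: Optional[Criterion] = None     # "Input Interface", e.g. eth0
    out_iface: Optional[Criterion] = None    # "Output Interface"


@dataclass
class Chain:
    policy: str = "ACCEPT"                   # only used for INPUT/FORWARD/OUTPUT
    rules: list = field(default_factory=list)


def _matches(crit, actual, test):
    """A blank criterion matches everything; Inverted negates the comparison."""
    if crit is None:
        return True
    hit = test(crit.value, actual)
    return not hit if crit.inverted else hit


def _in_network(network, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def rule_matches(rule, pkt):
    same = lambda want, got: want == got
    return (_matches(rule.source, pkt.src, _in_network)
            and _matches(rule.dest, pkt.dst, _in_network)
            and _matches(rule.protocol, pkt.proto, same)
            and _matches(rule.in_iface, pkt.in_iface, same)
            and _matches(rule.out_iface, pkt.out_iface, same))


def evaluate(chains, pkt, chain_name, log=None):
    """Return ACCEPT/DROP/REJECT for a built-in chain; for a user-defined
    chain return None when RETURN is hit or the chain runs out of rules."""
    for rule in chains[chain_name].rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.target in TERMINATING:
            return rule.target
        if rule.target == "LOG":           # LOG records the packet and keeps going
            if log is not None:
                log.append(f"{chain_name}: {pkt.proto} {pkt.src} -> {pkt.dst}")
            continue
        if rule.target == "RETURN":
            break
        verdict = evaluate(chains, pkt, rule.target, log)   # jump to a user-defined chain
        if verdict is not None:
            return verdict
    return chains[chain_name].policy if chain_name in BUILTIN_CHAINS else None


def sample_chains():
    """Constructed configuration: INPUT logs TCP, hands eth0 traffic to the
    user-defined chain MGMT, and (the text's own example) drops any packet
    whose Source IP is NOT in 10.0.0.0/24 through an Inverted source line."""
    mgmt = Chain(rules=[Rule("ACCEPT", protocol=Criterion("icmp")), Rule("RETURN")])
    inp = Chain(policy="ACCEPT", rules=[
        Rule("LOG", protocol=Criterion("tcp")),
        Rule("MGMT", in_iface=Criterion("eth0")),
        Rule("DROP", source=Criterion("10.0.0.0/24", inverted=True)),
    ])
    out = Chain(policy="ACCEPT", rules=[Rule("REJECT", protocol=Criterion("udp"))])
    return {"INPUT": inp, "OUTPUT": out, "FORWARD": Chain(), "MGMT": mgmt}


if __name__ == "__main__":
    chains, log = sample_chains(), []
    for p in (Packet("10.0.0.5", "10.0.0.1", "tcp", in_iface="eth0"),
              Packet("192.168.1.9", "10.0.0.1", "tcp", in_iface="eth0"),
              Packet("192.168.1.9", "10.0.0.1", "icmp", in_iface="eth0")):
        print(p.src, p.proto, "->", evaluate(chains, p, "INPUT", log))
    print(log)
```

The point worth noticing is the ordering: the Inverted DROP line sits after the jump to MGMT, so an ICMP packet from an outside address is accepted inside MGMT before the DROP line is reached, while a TCP packet from the same address falls back through RETURN and is dropped. Rule order within a chain, not just the criteria, decides the verdict.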
Protocol
You can select a protocol for filtering. The “Protocol” pull-down menu is shown in the following figure.
Firewall Configuration “Add Rule” and “Edit Rule” Protocol Menu Options
The additional fields that appear for each protocol are explained in the following sections.
Numeric Protocol Fields
If Numeric is selected as the protocol when specifying a rule, a text field appears to the right of the menu for the desired number, as shown in the following figure.
Firewall Configuration “Add Rule” and “Edit Rule” Numeric Protocol Fields
TCP Protocol Fields
If TCP is selected as the protocol when specifying a rule, the additional fields shown in the following figure appear on the bottom of the form.
Firewall Configuration “Add Rule” and “Edit Rule” TCP Protocol Fields and Menu Options
The following table defines the fields and menu options in the “TCP Options Section.”
Expert > TCP Options Fields
Source Port -OR- Destination Port, -AND- to: A port number for filtering in the “Source Port” or “Destination Port” field. A range of ports can be specified by adding a second port number in the “to” field. TCP packets are filtered for the specified range of ports.
TCP Flags: The TCP flags cause packets to be filtered for the specified flag and the selected condition. The flags are “SYN” (synchronize), “ACK” (acknowledge), “FIN” (finish), “RST” (reset), “URG” (urgent), and “PSH” (push), and the conditions are “Any,” “Set,” or “Unset.”
Inverted: By checking this box, the TCP options are “Inverted.” “Inverting” an item negates the selected rules. Rules will apply to everything except the selected options.
UDP Protocol Fields
If UDP is selected as a protocol when specifying a rule, the additional fields shown in the following figure appear at the bottom of the form.
Firewall Configuration “Add Rule” and “Edit Rule” UDP Protocol Fields
The following table defines the fields in the UDP Options Section.
Source Port -OR- Destination Port, -AND- to: A port number for filtering in the “Source Port” or “Destination Port” field. A range of ports can be specified by adding a second port number in the “to” field. UDP packets are filtered for the specified range of ports.
Inverted: By checking this box, the UDP options are “Inverted.” “Inverting” an item negates the selected rules. Rules will apply to everything except the selected options.
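The following is an added example, not from the manual and not ACS code, that implements the matching described for both the TCP Options Section and the UDP Options Section: a “Source Port” or “Destination Port,” an optional second port in the “to” field that turns it into a range, the per-flag “Any,” “Set,” and “Unset” conditions for the six TCP flags, and the section-wide “Inverted” checkbox that negates the whole section. It also rejects the form inputs that cannot be meaningful (a port outside 0–65535, a backwards range, a “to” value with no first port, TCP flags on a UDP rule). The class, function, and field names are constructed for this example.

```python
"""Constructed matcher (not ACS code) for the TCP Options and UDP Options
sections of the Add Rule / Edit Rule dialog: a Source Port or Destination
Port, an optional second port in "to" making a range, per-flag conditions
Any / Set / Unset for the six TCP flags, and the section-wide Inverted box."""
from dataclasses import dataclass, field
from typing import Optional

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "URG", "PSH")
CONDITIONS = ("Any", "Set", "Unset")


@dataclass
class PortOptions:
    protocol: str = "tcp"                       # "tcp" or "udp"
    source_port: Optional[int] = None
    source_port_to: Optional[int] = None        # the "to" field; None = single port
    dest_port: Optional[int] = None
    dest_port_to: Optional[int] = None
    flags: dict = field(default_factory=dict)   # TCP only: flag -> "Any"/"Set"/"Unset"
    inverted: bool = False

    def __post_init__(self):
        """Reject form input that cannot describe a valid rule line."""
        for lo, hi in ((self.source_port, self.source_port_to),
                       (self.dest_port, self.dest_port_to)):
            if hi is not None and lo is None:
                raise ValueError('"to" given without a first port')
            for p in (lo, hi):
                if p is not None and not 0 <= p <= 65535:
                    raise ValueError(f"port {p} out of range")
            if hi is not None and hi < lo:
                raise ValueError(f"range {lo} to {hi} is backwards")
        if self.protocol != "tcp" and self.flags:
            raise ValueError("TCP flags only apply to the TCP protocol")
        for flag, cond in self.flags.items():
            if flag not in TCP_FLAGS or cond not in CONDITIONS:
                raise ValueError(f"bad flag condition {flag}={cond}")


def port_in_range(port, first, last):
    """A blank first port matches any port; a blank "to" means a single port."""
    if first is None:
        return True
    return first <= port <= (first if last is None else last)


def flags_match(conditions, set_flags):
    """Any: ignore the flag; Set: it must be on; Unset: it must be off."""
    for flag in TCP_FLAGS:
        cond = conditions.get(flag, "Any")
        if cond == "Set" and flag not in set_flags:
            return False
        if cond == "Unset" and flag in set_flags:
            return False
    return True


def options_match(opts, sport, dport, set_flags=frozenset()):
    """True if a packet with these ports (and TCP flags) hits the rule line;
    the whole section is negated when Inverted is checked."""
    hit = (port_in_range(sport, opts.source_port, opts.source_port_to)
           and port_in_range(dport, opts.dest_port, opts.dest_port_to)
           and (opts.protocol != "tcp" or flags_match(opts.flags, set_flags)))
    return not hit if opts.inverted else hit


if __name__ == "__main__":
    # Only new SSH connections: destination port 22 with SYN set and ACK unset
    new_ssh = PortOptions(dest_port=22, flags={"SYN": "Set", "ACK": "Unset"})
    print(options_match(new_ssh, 40000, 22, {"SYN"}))            # True
    print(options_match(new_ssh, 40000, 22, {"SYN", "ACK"}))     # False
    # Everything except UDP from source port 53, via the Inverted checkbox
    not_dns = PortOptions(protocol="udp", source_port=53, inverted=True)
    print(options_match(not_dns, 53, 1234), options_match(not_dns, 80, 1234))   # False True
```

Note that “Inverted” here negates the whole ports-and-flags section at once, as the table describes, rather than a single line: a rule that inverts “destination port 22 with SYN set” matches SYN packets to other ports as well as non-SYN packets to port 22.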
ICMP Protocol Fields
If ICMP is selected as a protocol, the “ICMP Type” pull-down menu appears in the “ICMP Options Section” at the bottom of the Firewall Configuration form. The following figure shows the options.
Firewall Configuration “Add Rule” and “Edit Rule” ICMP Type Menu Options
Input Interface, Output Interface, and Fragments
If an interface (such as eth0 or eth1) is entered in the “Input Interface” field, incoming packets are filtered for the specified interface. If an interface is entered in the “Output Interface” field, outgoing packets are filtered for the specified interface. The input and output interface fields are shown in the following figure along with the options on the “Fragments” pull-down menu.
Firewall Configuration Input and Output Interface Fields and Fragments Menu Options
The following table defines the fields in the above figure.
Expert > Firewall Configuration Input and Output Interface, and Fragments Fields Definitions.
Input Interface: The input interface (ethN) for the packet.
Output Interface: The output interface (ethN) for the packet.
LOG Target
If you select “LOG” from the “Target” field, the fields and menus shown in the following figure appear in the “LOG Options Section” at the bottom of the form.
Firewall Configuration “Add Rule” and “Edit Rule” LOG Target Fields
The following table defines the menu options and fields in the “LOG Options Section.”
Expert > Target LOG Options Selection Fields
REJECT Target
If REJECT is selected from the Target pull-down menu, the following pull-down menu appears.
Firewall Configuration “Add Rule” and “Edit Rule” REJECT Target Menu Options
Any “Reject with” option causes the input packet to be dropped and a reply packet of the specified type to be sent.
“Reject with” means that the filter will drop the input packet and send back a reply packet according to any of the reject types listed below.
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-host-prohibited
Note: Packets are matched with the REJECT target using TCP flags and the appropriate reject type.
Firewall Configuration Procedures
The following sections describe the procedures for defining packet filtering:
To Add a Chain
1.
2.
The “Add Chain” dialog box appears.
3.
Note: Spaces are not allowed in the chain name.
The name of the new chain appears in the list.
4.
To Edit a Chain
Perform this procedure if you want to change the policy for a default chain.
Note: User-defined chains cannot be edited. If you want to rename a chain you added, delete it and create a new one.
1.
2.
If you select a user-defined chain, the dialog box shown in the following figure appears.
If you select one of the default chains, the “Edit Chain” dialog box appears.
3.
4.
5.
To Add a Rule
1.
2.
3.
The “Add Rule” dialog box appears.
4.
For definitions of the fields in this form see Firewall Configuration.
5.
6.
To Edit a Rule
1.
2.
The “Edit Rules” form appears.
3.
The “Edit Rule” dialog box appears.
4.
For definitions of the fields in this form see Firewall Configuration.
5.
6.
