Network Menu and Forms : Firewall Configuration

Firewall Configuration
Firewall configuration, also known as IP filtering, refers to the selective blocking of IP packets passing between global and local networks. Filtering is based on rules that describe the characteristics of a packet, for example the contents of the IP header, the input or output interface, or the protocol.
This feature is used mainly in firewall applications to filter packets that could harm the network system or generate unnecessary traffic on the network.
Selecting Network - Firewall Configuration displays the form shown in the following figure.
Expert - Network - Firewall Configuration
You can use the Firewall Configuration form to enable a firewall on the console server. You can define rules to allow or disallow packets and configure filtering of packets that are sent and received through the console server.
Packet filtering relies on defined chains and rules. See Packet Filtering for details.
Each entry in the list on the Firewall Configuration form represents a chain with a set of rules.
By default the list has three built-in chains, as shown in the previous figure. The chains accept all INPUT, FORWARD and OUTPUT packets. You can use the Edit, Delete, Add and Edit Rules buttons on the form as follows to configure packet filtering:
Edit button
If you select one of the default chains and press the Edit button, the Edit Chain dialog box shown in the following figure appears.
Expert - Firewall Configuration Edit Chain Dialog Box
Only the policy can be edited for a default chain. The options are ACCEPT and DROP.
NOTE: User-defined chains cannot be edited. If a user-defined chain is selected for editing, an error message is displayed. If this message appears, click OK to continue.
Firewall Configuration User-defined Chain Message
Delete button
If one of the user-defined chains is selected and the Delete button is pressed, the chain is deleted.
NOTE: Default chains cannot be deleted. If one of the default chains is selected and the Delete button is pressed, an error message is displayed. If this message appears, click OK to continue.
Add button
If the Add button is pressed, the Add Chain dialog box shown in the following figure appears.
Expert - Firewall Configuration Add Chain Dialog Box
Adding a chain only creates a named entry for the chain. Rules must be configured for the chain after it is added to the list of chains.
Edit Rules button
If the Edit Rules button is pressed, a form appears with a list of headings like the one shown in the following figure. The example shows the OUTPUT chain selected for editing.
Firewall Configuration Edit Rules for chain_name Form
The buttons shown in the following figure appear at the bottom of the form.
Firewall Configuration Edit Rules for chain_name Buttons
Pressing the Add button opens the Add Rule dialog box.
Selecting a Rule and pressing the Edit button opens the Edit Rule dialog box.
Selecting a rule and pressing the Up or Down buttons moves the rule up and down the list.
Options on the Add Rule and Edit Rule dialog boxes
The Add Rule and Edit Rule dialog boxes have the fields and options shown in the following figure.
Expert - Firewall Configuration Add Rule and Edit Rule Dialog Boxes
Inverted checkboxes
If the Inverted checkbox is enabled for an option, the target action is performed on packets that do not match the criterion specified on that line.
For example, if you select DROP from the Target pull-down list, check Inverted on the Source IP line and specify no other criteria in the rule, any packet arriving from a source IP address other than the one specified is dropped.
Target pull-down menu options
The Target pull-down menu selects the action to be performed on an IP packet that matches all the criteria specified in a rule. The kernel can be configured to ACCEPT, DROP, RETURN or LOG the packet, to REJECT it by sending back a reply message, to translate its source or destination IP address, or to send it to another user-defined chain.
Source or destination IP and mask
If you enter a value in the Source IP field, incoming packets are filtered by the specified source IP address; if you enter a value in the Destination IP field, outgoing packets are filtered by the specified destination IP address. A value in the Mask field means incoming or outgoing packets are filtered for all IP addresses in the specified subnet.
Protocol
You can select a protocol for filtering. Fields that appear for each protocol are explained in the following sections.
Numeric protocol fields
If Numeric is selected as the protocol when specifying a rule, a text field appears to the right of the menu in which you enter the desired protocol number.
TCP protocol fields
If TCP is selected as the protocol when specifying a rule, the additional fields shown in the following figure appear on the bottom of the form.
Firewall Configuration TCP Protocol Fields and Menu Options
The following table defines the fields and menu options in the TCP Options Section.
Source Port - OR - Destination Port -AND- to: A port number for filtering in the Source Port or Destination Port field. A port range can be specified by adding a second port number in the to field; TCP packets are then filtered for the specified range of ports.
TCP Flags: The TCP flags cause packets to be filtered for the specified flag and the selected condition. The flags are SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push); the conditions are Any, Set or Unset.
Inverted: Checking this box inverts the TCP options. Inverting an item negates the selected rule: the rule applies to everything except the selected options.
UDP protocol fields
If UDP is selected as a protocol when specifying a rule, the additional fields shown in the following figure appear at the bottom of the form.
Firewall Configuration Add Rule and Edit Rule UDP Protocol Fields
The following table defines the fields in the UDP Options Section.
Source Port - OR - Destination Port -AND- to: A port number for filtering in the Source Port or Destination Port field. A port range can be specified by adding a second port number in the to field; UDP packets are then filtered for the specified range of ports.
Inverted: Checking this box inverts the UDP options. Inverting an item negates the selected rule: the rule applies to everything except the selected options.
ICMP protocol fields
If ICMP is selected as a protocol, the ICMP Type pull-down menu is displayed in the ICMP Options Section at the bottom of the Firewall Configuration form. Select the ICMP type needed from the list.
Input interface, output interface and fragments
If an interface (such as eth0 or eth1) is entered in the Input Interface field, incoming packets are filtered for the specified interface. If an interface is entered in the Output Interface field, outgoing packets are filtered for the specified interface. The input and output interface fields are shown in the following figure along with the options on the Fragments pull-down menu.
Input/Output Interface Fields and Fragments Menu Options
The following table defines the fields in the above figure.
LOG target
If you select LOG from the Target field, the fields and menus shown in the following figure appear in the LOG Options Section at the bottom of the form.
Firewall Configuration Add Rule and Edit Rule LOG Target Fields
The following table defines the menu options and fields in the LOG Options Section.
REJECT target
If REJECT is selected from the Target pull-down menu, the following pull-down menu appears.
Firewall Configuration Add Rule and Edit Rule REJECT Target Menu Options
Any Reject with option causes the filter to drop the input packet and send back a reply packet of the selected reject type.
NOTE: Packets are matched (using the TCP flags and the appropriate reject type) with the REJECT target.
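The chain and rule behaviour described above (a rule's target applies to a packet that meets all of its criteria, Inverted negating one criterion, the RETURN and LOG targets, jumps to a user-defined chain, and the built-in chain's policy as the fallback), modelled as an added Python example; this is not code from the manual or from the console server itself, and it assumes the usual netfilter chain semantics (rules are tried top to bottom and the first matching terminating target decides; LOG does not end evaluation). The chain name "mgmt", the addresses and the interface names in the sample are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class Rule:  # one line of the Add Rule dialog: the criteria, the target and the checked Inverted boxes
    target: str                              # ACCEPT, DROP, REJECT, LOG, RETURN or a user-defined chain name
    src: Optional[str] = None                # Source IP, optionally with /mask; None = field left blank
    proto: Optional[str] = None              # tcp, udp, icmp or None for any protocol
    dport: Optional[Tuple[int, int]] = None  # Destination Port "from"/"to" range
    in_if: Optional[str] = None              # Input Interface, e.g. eth0
    inverted: Set[str] = field(default_factory=set)  # names of criteria whose Inverted box is checked

    def matches(self, pkt: dict) -> bool:
        tests = {
            "src": lambda: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src, strict=False),
            "proto": lambda: pkt["proto"] == self.proto,
            "dport": lambda: self.dport[0] <= pkt.get("dport", -1) <= self.dport[1],
            "in_if": lambda: pkt["in_if"] == self.in_if,
        }
        # a blank criterion always matches; Inverted flips a criterion so it matches what does NOT meet it
        return all(getattr(self, n) is None or test() != (n in self.inverted) for n, test in tests.items())

def evaluate(chains: dict, name: str, pkt: dict, log: list) -> Optional[str]:
    """Walk chain `name` top to bottom, first match wins; None means the calling chain continues."""
    chain = chains[name]
    for rule in chain["rules"]:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":  # LOG records the packet; evaluation continues with the next rule
            log.append(f"{name}: {pkt['proto']} from {pkt['src']} on {pkt['in_if']}")
            continue
        if rule.target == "RETURN":  # built-in chain: apply its policy; user-defined chain: back to caller
            return chain["policy"]
        if rule.target in chains:  # jump into a user-defined chain
            verdict = evaluate(chains, rule.target, pkt, log)
            if verdict is not None:
                return verdict
            continue
        return rule.target  # ACCEPT, DROP or REJECT ends the walk
    return chain["policy"]  # nothing matched: default policy (None for a user-defined chain)

# Constructed sample: INPUT (policy ACCEPT) hands SSH to the user-defined chain "mgmt", which drops it
# unless the source is in the constructed 10.0.0.0/24 net (the text's Inverted example); ICMP is logged, then dropped on eth1 only.
CHAINS = {
    "INPUT": {"policy": "ACCEPT", "rules": [Rule(target="mgmt", proto="tcp", dport=(22, 22)),
                                            Rule(target="LOG", proto="icmp"),
                                            Rule(target="DROP", proto="icmp", in_if="eth1")]},
    "mgmt": {"policy": None, "rules": [Rule(target="DROP", src="10.0.0.0/24", inverted={"src"})]},
}
```

Calling evaluate(CHAINS, "INPUT", pkt, log) with a packet dict returns the verdict and appends any LOG entries to log, which makes it easy to check the effect of moving a rule up or down before applying the change on the console server.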
Firewall configuration procedures
The following sections describe the procedures for defining packet filtering:
To add a chain:
1. Go to Network - Firewall Configuration.
2. Click Add. The Add Chain dialog box appears.
3.
4. Click OK. The name of the new chain appears in the list.
NOTE: Spaces are not allowed in the chain name.
5.
To edit a chain:
Perform this procedure if you wish to change the policy for a default chain.
NOTE: User-defined chains cannot be edited. If you wish to rename a chain you added, delete it and create a new one.
1. Go to Network - Firewall Configuration.
2.
NOTE: User-defined chains cannot be edited.
If you select one of the default chains, the Edit Chain dialog box appears.
Edit Chain Dialog Box
3.
4.
5. Click apply changes.
6.
To add a rule:
1.
2.
3. Click the Add Rule button. The Add Rule dialog box appears.
4.
5.
6. Click apply changes.
To edit a rule:
1.
2. Select the chain that you wish to edit from the list and click the Edit Rules button. The Edit Rules form appears.
3. Select the rule to be edited from the Rules list and then click the Edit button. The Edit Rule dialog box appears.
4.
5.
6. Click apply changes.