Firewall configuration, also known as IP filtering, refers to the selective blocking of IP packets passing between global and local networks. The filtering is based on rules that describe the characteristics of the packet, for example the contents of the IP header, the input/output interface or the protocol. This feature is used mainly in firewall applications to filter packets that could potentially harm the network system or generate unnecessary traffic in the network.

You can use the Firewall Configuration form to enable a firewall on the console server. You can define rules to allow or disallow packets and configure filtering of packets that are sent and received through the console server.

By default the list has three built-in chains, as shown in the previous figure. The chains accept all INPUT, FORWARD and OUTPUT packets. You can use the Edit, Delete, Add and Edit Rules buttons on the form to configure packet filtering as follows.

Edit button: Selecting one of the default chains and pressing the Edit button opens the Edit Chain dialog box shown in the following figure.

NOTE: User-defined chains cannot be edited. If a user-defined chain is selected for editing, an error message is displayed. If this message appears, click OK to continue.

Delete button: If one of the user-defined chains is selected and the Delete button is pressed, the chain is deleted.

NOTE: Default chains cannot be deleted. If one of the default chains is selected and the Delete button is pressed, an error message is displayed. If this message appears, click OK to continue.

Add button: If the Add button is pressed, the Add Chain dialog box shown in the following figure appears. Adding a chain only creates a named entry for the chain. Rules must be configured for the chain after it is added to the list of chains.

Edit Rules button: If the Edit Rules button is pressed, a form appears with a list of headings like the one shown in the following figure. The example shows the OUTPUT chain selected for editing.

Firewall Configuration Edit Rules for chain_name Buttons
• Pressing the Add button opens the Add Rule dialog box.
• Selecting a Rule and pressing the Edit button opens the Edit Rule dialog box.
• If the Inverted checkbox is enabled for an option, the target action is performed on packets that do not match the criterion specified on that line. For example, if you select DROP as the target action from the Target pull-down list, check Inverted on the Source IP line and do not specify any other criteria in the rule, any packet arriving from a source IP address other than the one specified is dropped.

The Target pull-down menu shows the action to be performed on an IP packet that matches all the criteria specified in a rule. The kernel can be configured to ACCEPT, DROP, RETURN or LOG the packet, to REJECT it by sending a message back, to translate the source or the destination IP address, or to send the packet to another user-defined chain.

If you add a value in the Source IP field, incoming packets are filtered for the specified IP address, and if you add a value in the Destination IP field, outgoing packets are filtered for the specified IP address. A value in the Mask field means incoming or outgoing packets are filtered for IP addresses from the network in the specified subnet.

You can select a protocol for filtering. The fields that appear for each protocol are explained in the following sections. If Numeric is selected as the protocol when specifying a rule, a text field appears to the right of the menu for the desired protocol number. If TCP is selected as the protocol when specifying a rule, the additional fields shown in the following figure appear at the bottom of the form.

Firewall Configuration TCP Protocol Fields and Menu Options
Enter a port number for filtering in the Source Port or Destination Port field. A range of ports can be specified by adding a second port number in the to field; TCP packets are then filtered for the specified port range. The TCP Flags cause packets to be filtered for the specified flag and the selected condition. The flags are SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) or PSH (push), and the conditions are Any, Set or Unset. Checking the Inverted box inverts the TCP options. Inverting an item negates the selected rules: the rule applies to everything except the selected options.

If UDP is selected as the protocol when specifying a rule, the additional fields shown in the following figure appear at the bottom of the form.
Enter a port number for filtering in the Source Port or Destination Port field. A range of ports can be specified by adding a second port number in the to field; UDP packets are then filtered for the specified port range. Checking the Inverted box inverts the UDP options. Inverting an item negates the selected rules: the rule applies to everything except the selected options.

If ICMP is selected as the protocol, the ICMP Type pull-down menu is displayed in the ICMP Options section at the bottom of the Firewall Configuration form. Select the ICMP type needed from the list.

If an interface (such as eth0 or eth1) is entered in the Input Interface field, incoming packets are filtered for the specified interface. If an interface is entered in the Output Interface field, outgoing packets are filtered for the specified interface. The Input and Output Interface fields are shown in the following figure along with the options on the Fragments pull-down menu.
Inverting an item negates the selected rules. The rule applies to everything except the selected options.

LOG target

If you select LOG from the Target field, the fields and menus shown in the following figure appear in the LOG Options section at the bottom of the form.
If REJECT is selected from the Target pull-down menu, the following pull-down menu appears. Any Reject with option causes the input packet to be dropped and a reply packet of the specified type to be sent.
Reject with means that the filter will drop the input packet and send back a reply packet according to any of the reject types listed below.
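The rule semantics described above (per-criterion Inverted matching, the ACCEPT/DROP/REJECT/LOG/RETURN targets, jumps to user-defined chains and the built-in chain's default accept) are modelled here as an added example; this is not the console server's own code, and the chain names "mgmt", the addresses and the Packet/Rule types are constructed for illustration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "src proto dport flags", defaults=(0, frozenset()))

@dataclass
class Rule:
    target: str                 # ACCEPT, DROP, REJECT, LOG, RETURN or a user chain
    src: str = None             # Source IP with Mask, e.g. "192.0.2.0/24"
    proto: str = None           # "tcp", "udp" or "icmp"
    dport: tuple = None         # Destination Port range (from, to)
    flag: tuple = None          # (TCP flag, "Set" | "Unset")
    inverted: frozenset = frozenset()   # criteria with the Inverted box checked
    def matches(self, pkt):
        checks = {}
        if self.src is not None:
            checks["src"] = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
        if self.proto is not None:
            checks["proto"] = pkt.proto == self.proto
        if self.dport is not None:
            checks["dport"] = self.dport[0] <= pkt.dport <= self.dport[1]
        if self.flag is not None:
            present = self.flag[0] in pkt.flags
            checks["flag"] = present if self.flag[1] == "Set" else not present
        # an Inverted criterion matches exactly when its plain test fails
        return all(ok != (name in self.inverted) for name, ok in checks.items())

def walk(chains, policies, pkt, chain="INPUT", log=None):
    # LOG records and continues; RETURN or the end of a user chain resumes the caller
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            if log is not None: log.append((chain, pkt.src, pkt.proto, pkt.dport))
        elif rule.target == "RETURN":
            break
        elif rule.target in chains:                # jump to a user-defined chain
            if (v := walk(chains, policies, pkt, rule.target, log)) is not None:
                return v
        else:
            return rule.target                     # ACCEPT, DROP or REJECT
    return policies.get(chain)                     # built-in policy; None for a user chain

def build_chains():
    # Constructed sample: log SSH, accept only new connections (SYN set), then drop
    # anything whose source is NOT in 192.0.2.0/24 (the Inverted Source IP rule)
    chains = {"INPUT": [Rule("mgmt", proto="tcp", dport=(22, 22)),
                        Rule("DROP", src="192.0.2.0/24", inverted=frozenset({"src"}))],
              "mgmt": [Rule("LOG"), Rule("ACCEPT", flag=("SYN", "Set")), Rule("RETURN")]}
    return chains, {"INPUT": "ACCEPT"}          # built-in chains accept by default
```

An SSH packet without SYN is logged in "mgmt", returns to INPUT and is then dropped if its source lies outside the permitted subnet, which shows why rule order and the RETURN fall-through matter when auditing a chain.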
1. Go to Network - Firewall Configuration.
2. Click Add. The Add Chain dialog box appears.
4. Click OK. The name of the new chain appears in the list.

NOTE: User-defined chains cannot be edited. If you wish to rename a chain you added, delete it and create a new one.
1. Go to Network - Firewall Configuration.
4. Click OK.
5. Click apply changes.
2.
3. Click the Add Rule button. The Add Rule dialog box appears.
4.
5. Click OK.
6. Click apply changes.
2. Select the chain that you wish to edit from the list and click the Edit Rules button. The Edit Rules form appears.
3. Select the rule to be edited from the Rules list and then click the Edit button. The Edit Rule dialog box appears.
4.
5. Click OK.
6. Click apply changes.