Endian Firewall Reference Manual r. 2.2.0.2

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Chapter 5: The Firewall Menu

Select Firewall from the menu bar at the top of the screen.

This section allows setting up the rules that define if and how IP traffic flows through your Endian Firewall.
Following is a list of links that appear in the submenu on the left side of the screen:

Port forwarding / NAT
Outgoing traffic
Inter-Zone traffic
VPN traffic
System access

Each link will be explained individually in the following sections.

Port forwarding / NAT

Select Firewall from the menu bar at the top of the screen, then select Port forwarding / NAT from the submenu on the left side of the screen.

Port forwarding allows limited network access from the external RED zone (typically the internet) to hosts on an internal zone, such as the DMZ (ORANGE) or even the trusted LAN (GREEN). Forwarding to the GREEN zone is not recommended from a security point of view, however.

You can define which port on which external interface (incoming port) will be forwarded to a given host/port on the inside (destination). Typical use cases might be to forward port 80 on an external interface to a webserver in the DMZ or to forward port 1022 on an external interface to an SSH server on port 22 of a host in the DMZ. You need to give the following parameters:

Protocol - protocol: TCP, UDP, GRE (generic routing encapsulation - used by tunnels) or all
Incoming IP - the (external) interface
Port on incoming - which port (1 - 65535) to listen to on the external interface
Destination IP - the IP of the destination host the incoming traffic is forwarded to
Destination Port - the port (1-65535) of the destination host the incoming traffic is forwarded to
Remark - a remark for you to remember the purpose of the forward rule later
Enabled - check to enable rule (default)
SNAT incoming connections - specify whether incoming traffic should appear to be originating from the firewall IP instead of the actual IP
Enable log - log all packets that are forwarded by this rule

Click the Add button to confirm your rule. You can then disable/enable, edit or delete each rule from the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

After making changes or additions to your rule set, do not forget to click the Apply button on the top of the list!

There's one more thing with port forwarding rules: once a rule is defined, you can limit who can access the forwarded port from the external RED zone. To do so, you need to click on the plus-icon ("Add external access") next to the rule: this allows limiting access to a given source (host or network address). You can do this repeatedly to add more sources. A use case for this would be to limit said SSH access to external port 1022 only to a trusted IP on the internet.
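The following model of a port forwarding rule is an added example and is not part of the Endian Firewall manual or the product's own code. It shows, for the SSH use case above, what the rule parameters do to an incoming packet: the destination is rewritten to the internal host/port, an "Add external access" list restricts which sources may use the forward, and "SNAT incoming connections" replaces the client's source address with the firewall's own. All addresses, the firewall's internal IP and the Packet/ForwardRule names are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed assumption: the firewall's own address in the DMZ (ORANGE) zone.
FIREWALL_INTERNAL_IP = "10.0.1.1"


@dataclass
class ForwardRule:
    protocol: str                 # "tcp", "udp", "gre" or "all"
    incoming_ip: str              # address on the external (RED) interface
    incoming_port: int            # "Port on incoming", 1-65535
    dest_ip: str                  # "Destination IP"
    dest_port: int                # "Destination Port", 1-65535
    remark: str = ""
    enabled: bool = True
    snat: bool = False            # "SNAT incoming connections"
    # "Add external access" entries (hosts or networks); empty means anyone on RED may use the forward
    allowed_sources: list = field(default_factory=list)

    def __post_init__(self):
        for port in (self.incoming_port, self.dest_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} outside 1-65535")


@dataclass
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def apply_forward(rule, pkt):
    """Return (verdict, packet).

    "no-match"  - the rule does not apply; the packet is returned unchanged
    "denied"    - the rule matched but the source is not in the external access list
    "forwarded" - the packet as the internal host will see it after rewriting
    """
    if not rule.enabled:
        return "no-match", pkt
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return "no-match", pkt
    if (pkt.dst_ip, pkt.dst_port) != (rule.incoming_ip, rule.incoming_port):
        return "no-match", pkt
    if rule.allowed_sources:
        src = ip_address(pkt.src_ip)
        # a bare host address such as "203.0.113.7" is treated as a /32 network
        if not any(src in ip_network(n, strict=False) for n in rule.allowed_sources):
            return "denied", None
    # With SNAT the internal host sees the firewall as the client, so its replies
    # always return through the firewall; the cost is that the host's own logs
    # no longer show the real client address.
    new_src = FIREWALL_INTERNAL_IP if rule.snat else pkt.src_ip
    return "forwarded", Packet(pkt.protocol, new_src, pkt.src_port, rule.dest_ip, rule.dest_port)


if __name__ == "__main__":
    # Constructed sample: external port 1022 -> DMZ host port 22, restricted to one trusted address.
    ssh = ForwardRule("tcp", "198.51.100.1", 1022, "10.0.1.10", 22,
                      remark="ssh to dmz", allowed_sources=["203.0.113.7"])
    for client in ("203.0.113.7", "203.0.113.9"):
        print(client, apply_forward(ssh, Packet("tcp", client, 40000, "198.51.100.1", 1022)))
```

Leaving SNAT off keeps the real client address visible to the internal host, which is preferable for logging and incident response; turn it on only when the destination host cannot route its replies back via the firewall.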

Outgoing traffic

Select Firewall from the menu bar at the top of the screen, then select Outgoing traffic from the submenu on the left side of the screen.

Endian Firewall comes with a preconfigured set of rules that allow outgoing traffic (i.e. "internet access") from the GREEN zone for the most common services (HTTP, HTTPS, FTP, SMTP, POP, IMAP, POP3s, IMAPs, DNS, ping). All other service ports are blocked by default.

Likewise, HTTP, HTTPS, DNS and ping are allowed from the BLUE zone (WLAN), and only DNS and ping are allowed from the ORANGE zone (DMZ).

Everything else is forbidden by default.

In this section you can disable/enable, edit or delete rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom). You can also add your own rules by clicking on the Add a new firewall rule link at the top. Please consider that the order of rules is important: the first matching rule decides whether a packet is allowed or denied, regardless of any matching rules that might follow. You can change the order of rules using the arrow down/up icons next to each rule.

A rule is defined by the following parameters:

Source - select a zone or interface, specify one or more network/host addresses or MAC addresses
Destination - select the entire RED zone, one or more uplinks or one or more network/host addresses
Service Port - the destination service: select a service name from the list or specify a protocol and one or more port numbers (1-65535)
Action - what should be done with the packet: accept it, deny it (drop it without feedback to the sender) or reject it (let the sender know the firewall dropped the packet)
Remark - a remark for you to remember the purpose of the firewall rule later
Position - at what position in the list should the rule be inserted
Enabled - check to enable rule (default)
Log all accepted packets - Log all accepted packets (besides denied/rejected packets): this is off by default as it will create large volumes of log data

After making changes to a rule, do not forget to click the Apply button on the top of the list!

The outgoing firewall can be disabled/enabled as a whole using the Enable Outgoing firewall toggle. When disabled, all outgoing traffic is allowed (not recommended).

Inter-Zone traffic

Select Firewall from the menu bar at the top of the screen, then select Inter-Zone traffic from the submenu on the left side of the screen.

This section allows setting up rules that determine how traffic can flow between network zones other than the RED zone.

Endian Firewall comes with a simple set of preconfigured rules: traffic is allowed from the GREEN zone to any other zone (ORANGE and BLUE) and traffic is allowed within each zone.

Everything else is forbidden by default.

Analogous to the outgoing traffic firewall you can disable/enable, edit or delete rules by clicking on the appropriate icon on the right side of the table. You can also add your own rules by clicking on the Add a new inter-zone firewall rule link at the top.
Please see the preceding section (Outgoing traffic) for details about handling firewall rules.

The inter-zone firewall can be disabled/enabled as a whole using the Enable Inter-Zone firewall toggle. When disabled, all traffic is allowed between all zones other than the RED zone (not recommended).

VPN traffic

Select Firewall from the menu bar at the top of the screen, then select VPN traffic from the submenu on the left side of the screen.

The VPN traffic firewall allows you to add firewall rules that apply to hosts connected via VPN.

The VPN traffic firewall is normally not active, which means traffic can flow freely between the VPN hosts and hosts in the GREEN zone and VPN hosts can access all other zones. Please note that VPN hosts are not subject to the outgoing traffic firewall or the Inter-Zone traffic firewall. If you need to limit access from or to VPN hosts you need to use the VPN traffic firewall.

The handling of the rules is identical to the outgoing traffic firewall.
Please see the preceding section (Outgoing traffic) for details about handling firewall rules.

System access

Select Firewall from the menu bar at the top of the screen, then select System access from the submenu on the left side of the screen.

In this section you can set up rules that govern the access to the Endian Firewall system itself.

There is a list of preconfigured rules that cannot be changed. This is to guarantee the proper working of the firewall, since these rules are automatically created according to the services the firewall provides. Click on the >> button labeled "Show rules of system services" to show these rules.

Click on the Add a new system access rule link to add your own custom rules here. The following parameters describe the rule:

Source address - specify one or more network/host addresses or MAC addresses
Source interface - specify a zone or interface
Service/Port - the destination service: select a service name from the list or specify a protocol and one or more port numbers (1-65535)
Action - what should be done with the packet: accept it, deny it (drop it without feedback to the sender) or reject it (let the sender know the firewall dropped the packet)
Remark - a remark for you to remember the purpose of the system access rule later
Position - at what position in the list should the rule be inserted
Enabled - check to enable rule (default)
Log all accepted packets - Log all accepted packets (besides denied/rejected packets): this is off by default as it will create large volumes of log data

Click the Add button to confirm your rule. You can then disable/enable, edit or delete each rule from the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

After making changes or additions to your rule set, do not forget to click the Apply button on the top of the list!
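The rule handling described for Outgoing traffic (first matching rule decides, Position inserts a rule at a given place, accepted packets are logged only when asked for) also applies to the Inter-Zone, VPN and System access rule lists. The evaluator below is an added example, not code from the Endian Firewall manual or product; it models one of those rule lists and shows why the order matters: the same deny rule blocks a host's HTTP when placed before the GREEN web rule and has no effect on HTTP when placed after it. Zone names, addresses and the Rule/Packet/evaluate/insert_rule names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONE_NAMES = {"GREEN", "BLUE", "ORANGE", "RED"}


@dataclass
class Rule:
    source: str            # zone name or a host/network address
    destination: str       # "RED", another zone name, or a host/network address
    protocol: str          # "tcp", "udp", "icmp" or "any"
    ports: tuple           # destination ports; empty tuple means any port
    action: str            # "ACCEPT", "DROP" (the GUI's "deny") or "REJECT"
    remark: str = ""
    enabled: bool = True
    log_accepted: bool = False   # "Log all accepted packets"


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    protocol: str
    dport: int


def _addr_matches(spec, zone, ip):
    """A spec is either a zone name or an address/network; a bare host is a /32."""
    if spec in ZONE_NAMES:
        return zone == spec
    return ip_address(ip) in ip_network(spec, strict=False)


def _service_matches(rule, pkt):
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    return not rule.ports or pkt.dport in rule.ports


def evaluate(rules, pkt, default="DROP"):
    """First matching enabled rule decides; later matches are never consulted.

    Returns (action, position, log_lines); position is 1-based like the GUI's
    Position field and None when no rule matched and the default applied.
    Denied/rejected packets are always logged, accepted ones only if the rule asks.
    """
    log = []
    for position, rule in enumerate(rules, start=1):
        if not rule.enabled:
            continue
        if not (_addr_matches(rule.source, pkt.src_zone, pkt.src_ip)
                and _addr_matches(rule.destination, pkt.dst_zone, pkt.dst_ip)
                and _service_matches(rule, pkt)):
            continue
        if rule.action != "ACCEPT" or rule.log_accepted:
            log.append(f"rule {position} ({rule.remark}): {rule.action} "
                       f"{pkt.protocol} {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dport}")
        return rule.action, position, log
    log.append(f"default: {default} {pkt.protocol} {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dport}")
    return default, None, log


def insert_rule(rules, rule, position):
    """Insert at a 1-based position as the GUI's Position field does; returns a new list."""
    new = list(rules)
    new.insert(max(position, 1) - 1, rule)
    return new


# Constructed sample rule set: GREEN may browse the web, nothing else is allowed.
WEB = Rule("GREEN", "RED", "tcp", (80, 443), "ACCEPT", remark="green web")
BLOCK_KIOSK = Rule("192.168.0.50", "RED", "any", (), "DROP", remark="block kiosk")
BASE_RULES = [WEB]


def demo_order():
    """Same deny rule, two positions: returns the decision for each placement."""
    kiosk_http = Packet("GREEN", "192.168.0.50", "RED", "198.51.100.20", "tcp", 80)
    deny_after = insert_rule(BASE_RULES, BLOCK_KIOSK, 2)    # never reached for HTTP
    deny_before = insert_rule(BASE_RULES, BLOCK_KIOSK, 1)   # shadows the web rule
    return evaluate(deny_after, kiosk_http)[0], evaluate(deny_before, kiosk_http)[0]


if __name__ == "__main__":
    print("deny after web rule / deny before web rule:", demo_order())
```

When adding a narrower deny rule to an existing list, give it a Position above any broader accept rule it is meant to override, and check the log lines for the rule number that actually fired rather than the one you expected.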