Configuring the firewall and vpn, Policy based virtual private networking – RuggedCom RuggedRouter RX1100 User Manual

14. Configuring The Firewall

Revision 1.14.3

125

RX1000/RX1100™

Action

The action as described in the previous table.

Source-Zone

The zone the connection originated from.

Destination-Zone

The zone the connection is destined for.

Protocol

The tcp or udp protocol type.

Destination-Port

The tcp/udp port the connection is destined for.

Source-Port

The tcp/udp port the connection originated from.

Original-Destination-IP

The destination IP address in the connection request as it was received by the firewall.

Rate-Limit

A specification which allows the rate at which connections are made to be limited.

User-Group

A method of limiting outbound traffic from the firewall to a specific user, group of users and a
specific application.

Some examples will illustrate the power of the rules file:

Rule

Action

Source-Zone

Destination-Zone

Protocol Dest-Port

Source-
Port

Original-Destination-
IP

1

ACCEPT

net:204.18.45.0/24

fw

2

DNAT

net

loc:192.168.1.3

tcp

ssh, http

3

DNAT

net:204.18.45.0/24

loc:192.168.1.3

tcp

http

-

130.252.100.69

4

ACCEPT

fw

net

icmp

5

ACCEPT

net:204.18.45.0/24

fw

icmp

8

1.

This rule accepts traffic to the firewall itself from the 204.18.45.0/24 subnet. If the default policy
is to drop all requests from net to the firewall, this rule will only traffic from the authorized
subnet.

2.

This rule forwards all ssh and http connection requests from the Internet to local system
192.168.1.3.

3.

This rule forwards http traffic from 204.18.45.0/24 (which was originally directed to the firewall
at 130.252.100.69) to the host at 192.168.1.3 in the local zone. If the firewall supports another
public IP address (e.g. 130.252.100.70), a similar rule could map requests to another host.

4.

and 5) These rules allow the firewall to issue icmp requests to the Internet and to respond to
icmp echo requests from the authorized subnet.

Rules are defined in the file /etc/shorewall/rules and are modified from the Firewall Rules menu.

14.5. Configuring The Firewall And VPN

14.5.1. Policy Based Virtual Private Networking

Begin configuration by creating local, network and vpn zones. Identify the network interface that carries
the encrypted IPsec traffic and make this interface part of zone “ANY” in the interfaces menu as it will
be carrying both traffic for both zones.

Visit the Zone Hosts menu and, for the network interface that carries the encrypted IPsec traffic, create
a zone host with zone VPN, the correct subnet and the IPsec zone option checked. If you plan to have
VPN tunnels to multiple remote sites ensure that a zone host entry exists for each (or collapse them
into a single subnet). Create another zone host for the same interface with a network zone, using a