Chapter 5: the firewall menu, 1 common configuration items – NEXCOM IFA 1610 User Manual

Copyright © 2014 NEXCOM International Co., Ltd. All Rights Reserved.

IFA 3610/IFA 2610/IFA 1610 User Manual

Chapter 5: The Firewall Menu

This section allows you to set up rules that specify whether and how network traffic flows through the appliance. The firewall
on the appliance is divided into modules, each of which monitors one specific type of traffic and allows or blocks it.
The available modules are the following:

▪ Port forwarding / NAT - port forwarding and NAT (Network Address Translation).

▪ Outgoing traffic - outgoing traffic, i.e., towards the RED interface.

▪ Inter-Zone traffic - traffic between zones.

▪ VPN traffic - traffic generated by VPN users.

▪ System access - grant access to the appliance host itself.

▪ Firewall diagrams - pictures that show which traffic is intercepted by each type of firewall.

Within each of the sub-menus, which list all the corresponding existing rules, customised rules can be added for any
type of service or for any port/protocol. The various parts of which the firewall is composed refer to different types of
traffic (e.g., OpenVPN governs the traffic from/to the VPN users, inter-zone traffic the traffic flowing from zone to zone)
and are designed to avoid overlapping or even conflicting rules. In other words, there is no way to write two rules in
two different firewall modules whose combined effect causes an unwanted block or unwanted access of packets.

The choice to separate the networks controlled by the appliance also allows for easier management of the firewall,
whose configuration may become very complex. Indeed, each module can be considered an independent firewall, and
their combined effect covers all possible packet flows through the appliance.

Additionally, for any of the modules listed above, one or more rules may exist that can be neither disabled nor removed.
These are the so-called rules of system services (or system rules), whose purpose is to allow the correct interoperability
of the services running on the appliance with the network infrastructure.

The rules that are defined here will be transformed into iptables commands, the standard Linux firewall tool since the
2.4 kernel, and are therefore organised into tables, chains, and rules. For a more in-depth description of the various
elements that compose a firewall rule, or to learn how to fine-tune and manage a complex firewall, it is suggested to
read either the iptables(8) manual page on any Linux box, or some of the countless online resources or tutorials
available on the Internet.

5.1 Common Configuration Items

When adding a rule, most of the values to configure in the various modules are of the same type (e.g., the source or
destination interfaces), since in the end they are all set up with iptables. Therefore, in order to keep this section short
and readable, all the configuration items that are common to all modules of the firewall are grouped here and defined
only once. Further explanation is given only in case of significant differences from the descriptions given here.

Source or Incoming IP. Usually in the form of a drop-down menu, this setting is the type of source or incoming
connection that should be matched. Depending on the type chosen, different connections can be selected from the
small box underneath the menu: Zone/VPN/Uplink is either the source zone, VPN client, or uplink to which this rule
should be applied; Network/IP/Range is the IP address, range, or network address; OpenVPN User and L2TP User are the
OpenVPN or L2TP users, respectively.

Destination or Target. This setting also comes in the form of a drop-down menu and allows the choice among three
types of destination that should be matched, which are the same as in the Source drop-down menu: Zone/VPN/Uplink,
Network/IP, OpenVPN User, or L2TP User, except for some small changes (e.g., for some types of rules, the target
cannot be an OpenVPN or L2TP user).

Service, Port, and Protocol. A service is usually defined as a combination of a port and a protocol. For example, the SSH
service runs by default on port 22 and uses the TCP protocol. These three options control the port and protocol to which
the rule applies and consist of two drop-down menus, from which to choose either a pre-defined Service, which also
sets the protocol and the port range in the text area, or one Protocol and optionally a port or a port range. Available
protocols are: TCP and UDP - the most used, GRE - used by tunnels, ESP - used by IPsec, and ICMP - used by the ping
and traceroute commands.
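To make the mapping from these configuration items to iptables concrete, the following is an added example (not the appliance's own code) that renders a rule expressed in the manual's terms (source, destination, service or protocol plus port) as an iptables command line. The zone-to-interface names, the service table and the Rule fields are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed interface names per zone; the appliance's real names are not given in the manual.
ZONE_IFACES = {"GREEN": "br0", "BLUE": "br1", "ORANGE": "br2", "RED": "ppp0"}
# Pre-defined services: picking one fixes both protocol and port (constructed subset).
SERVICES = {"SSH": ("tcp", "22"), "HTTP": ("tcp", "80"), "DNS": ("udp", "53")}
# Protocols from the drop-down that carry no port number.
PORTLESS = {"gre", "esp", "icmp"}


@dataclass
class Rule:
    """One rule in the manual's terms: 'zone:GREEN' or 'net:192.0.2.0/24' endpoints."""
    source: str
    destination: str
    service: Optional[str] = None   # pre-defined Service, or ...
    protocol: Optional[str] = None  # ... a Protocol with an optional port/range
    port: Optional[str] = None      # "22" or "5000-5010"
    action: str = "ACCEPT"


def _endpoint(spec: str, direction: str) -> str:
    """Map a Zone/VPN/Uplink or Network/IP/Range selection to an iptables match."""
    kind, _, value = spec.partition(":")
    if kind == "zone":  # zones match on the interface (-i incoming, -o outgoing)
        return f"{'-i' if direction == 'src' else '-o'} {ZONE_IFACES[value]}"
    if kind == "net":   # hosts, networks and CIDR ranges match on the address
        return f"{'-s' if direction == 'src' else '-d'} {value}"
    raise ValueError(f"unsupported endpoint type {kind!r}")


def rule_to_iptables(rule: Rule, chain: str = "FORWARD") -> str:
    """Render one rule as an iptables command appended to the given chain."""
    parts = ["iptables", "-A", chain,
             _endpoint(rule.source, "src"), _endpoint(rule.destination, "dst")]
    if rule.service:
        proto, port = SERVICES[rule.service]
    else:
        proto, port = rule.protocol, rule.port
    if proto:
        proto = proto.lower()
        parts.append(f"-p {proto}")
        if port:
            if proto in PORTLESS:
                raise ValueError(f"{proto} carries no port; leave the port empty")
            parts.append(f"--dport {port.replace('-', ':')}")  # iptables range syntax
    parts.append(f"-j {rule.action}")
    return " ".join(parts)
```

The port check mirrors the manual's distinction between port-based services (TCP/UDP) and portless protocols (GRE, ESP, ICMP), rejecting a combination the GUI would not produce.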
