4 inter-zone traffic, Outgoing firewall settings, Current rules – NEXCOM IFA 1610 User Manual

Copyright © 2014 NEXCOM International Co., Ltd. All Rights Reserved.

IFA 3610/IFA 2610/IFA 1610 User Manual

Chapter 5: The Firewall Menu

52

Possible actions on each rule are to enable or disable it, to edit it or delete it. Additional rules can be added by clicking
on the Add a new firewall rule link at the top of the page. Please remember that the order of rules is important: the
first matching rule decides whether a packet is allowed or denied, regardless of how many matching rules follow. The
order of the rules can be changed by using the up and down arrow icons next to each rule.

The following settings differ from the default common options.

Source
It can be one or more Zone/Interfaces, Network/IP, or MAC addresses.

Destination
Can be the RED zone, one or more uplinks, or one or more network/host addresses accessible outside the RED interface.

Application
This search widget allows to select the applications that should be part of the rule. Applications are dividend into
categories (e.g., Database, filesharing, and so on).

Hint: Enter at least one letter to show all applications whose name starts with that letter.

Outgoing Firewall Settings

It is possible to disable or enable the whole outgoing firewall by clicking on the Enable Outgoing firewall switch. When
disabled, all outgoing traffic is allowed and no packet is filtered: This setting is however strongly discouraged and the
recommendation is to keep the outgoing firewall enabled.

Log accepted outgoing connections
Ticking this checkbox causes all the accepted connections to the RED interface to be logged.

Proxy and outgoing firewall.

Whenever the proxy is activated for a given service (e.g., HTTP, POP, SMTP, DNS), the firewall rules in the outgoing
firewall will take no effect, because of the nature of the proxy.

With the proxy activated, whenever a connection starts from a client to the Internet, it will either be intercepted by the
proxy on the appliance (in transparent mode) or go directly to the firewall, but never go through the firewall. The proxy
then starts a new connection to the real destination, gets the data and sends it to the client. Those connections to the
Internet always start from the appliance, which hides the clients internal IP address. Therefore, such connections never
go through the outgoing firewall, since in fact they are local connections.

5.4 Inter-Zone Traffic

This module permits to set up rules that determine how traffic can flow between the local network zones, excluding
therefore the RED zone (traffic through the RED zone can be filtered in Outgoing traffic and Port forwarding / NAT). To
activate the inter-zone firewall, click on the grey switch . Two boxes are present on this page, one that shows
the current rules and allow to add new ones, and one that allows to set the inter-zone firewall options.

Current Rules

The appliance comes with a simple set of pre-configured rules: traffic is allowed from the GREEN zone to any other zone
(ORANGE and BLUE) and within each zone, with everything else forbidden by default.

Analogously to the outgoing traffic firewall, rules can be disabled/enabled, edited or deleted by clicking on the appropriate
icon on the right side of the table. New rules can be added by clicking on the Add a new inter-zone firewall rule link
at the top of the page. Only the common options can be configured.