Chapter 4. Configuring the Firewall

4.1. General Configuration

To reach the firewall configuration section of the Guardian Digital WebTool, place the cursor over "System", pull down to "Firewall Configuration" and click. Then place the cursor over "Module" in the title bar; a menu of five categories appears. Click a category to open it.

4.1.1. Firewall Interfaces

This is where the interfaces and their options are defined; there is a section for each interface on the firewall. Here the external interface eth0 is defined as untrusted by selecting "Untrusted Interface (ext)" from the pull-down menu, and the internal interface eth1 is defined as trusted by selecting "Trusted Interface (int)". An untrusted interface faces the hosts the firewall must protect against; a trusted interface faces the hosts the firewall protects. This definition tells the software which side of the firewall is to be protected. Whether to apply the blacklist and TCP flag options to the internal interface as well is up to you; in this example they are not applied, since hosts on that interface are considered trusted.

Since a host somewhere beyond the external interface will be blacklisted later in this example, blacklisting must be enabled on this interface. Check the blacklisting check box to do this.

It is also a good idea to block packets arriving from the outside with invalid TCP flag combinations (flag settings that cannot occur in a legitimate TCP exchange and usually indicate port scanning or malformed traffic), so check this check box as well.
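The following is an added illustration, not WebTool code, of what a "block invalid TCP flags" option on an untrusted interface does. This page does not list the exact combinations the WebTool checks; the set below (no flags, every flag, SYN with FIN, SYN with RST, and FIN/PSH/URG without ACK) is the conventional one used by netfilter-based firewalls and is an assumption. The interface names follow the example above, and the sample packets are constructed.

```python
"""Classify TCP flag combinations and apply the check only on chosen interfaces."""
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS: Dict[str, int] = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def parse_flags(spec: str) -> int:
    """Turn a flag list such as 'SYN,ACK' (or '' for no flags) into a bitmask."""
    mask = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name:
            mask |= FLAG_BITS[name]  # an unknown flag name raises KeyError on purpose
    return mask


def invalid_flag_reason(flags: int) -> Optional[str]:
    """Return why a combination is invalid, or None if it can occur in normal TCP.

    The combinations are the conventional 'bad flags' set (an assumption here).
    """
    if flags == 0:
        return "no flags set (NULL scan)"
    if flags == ALL_FLAGS:
        return "every flag set"
    if flags & SYN and flags & FIN:
        return "SYN and FIN together"
    if flags & SYN and flags & RST:
        return "SYN and RST together"
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return "FIN/PSH/URG without ACK (Xmas-style scan)"
    return None  # SYN, RST, SYN+ACK, FIN+ACK, PSH+ACK and so on are all legitimate


def filter_packets(packets: List[Tuple[str, str]], checked: Tuple[str, ...] = ("eth0",)) -> List[str]:
    """Give one verdict per (interface, flag list) pair.

    The check is applied only on interfaces in `checked`, mirroring the choice in the
    text to enable the option on the untrusted eth0 but not on the trusted eth1.
    """
    verdicts = []
    for iface, spec in packets:
        reason = invalid_flag_reason(parse_flags(spec)) if iface in checked else None
        verdicts.append("pass" if reason is None else f"drop ({reason})")
    return verdicts


if __name__ == "__main__":
    # Constructed sample packets: interface they arrive on and the TCP flags set.
    SAMPLE = [("eth0", "SYN"), ("eth0", "SYN,FIN"), ("eth0", ""), ("eth0", "FIN,PSH,URG"), ("eth1", "SYN,FIN")]
    for (iface, spec), verdict in zip(SAMPLE, filter_packets(SAMPLE)):
        print(f"{iface:5} {spec or '<none>':12} {verdict}")
```

Note that a bare RST (no ACK) is legitimate, since it is how a closed port answers a SYN, so a check that simply requires ACK on every non-SYN packet would break normal connection refusals.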

Once you have made your selections, click "Save Configuration" at the bottom of the page. This saves the configuration only; it does not alter the running firewall. To put a new configuration into effect you must restart the firewall, which is done in the "Service Configuration" section of the Guardian Digital WebTool and is discussed later. If this is the initial firewall configuration, first ensure that the firewall is off (see Section 4.6 below and make sure the firewall is disabled).

Figure 4-1. Firewall Interfaces Display

4.1.2. Default Policy

The default policy defines the action the firewall takes when no rule matches a packet. It is the starting point on which the firewall rules (created later) build. The two choices are ACCEPT and REJECT. ACCEPT means that, by default, all packets sent from the 'Source Zone' to the 'Destination Zone' are accepted; REJECT means that, by default, they are all rejected. In this example the default policy for every source/destination combination is REJECT, which is the safest choice: everything is denied, and you then define ACCEPT rules for exactly the packets and services you want to pass. This is much easier, and much safer, than using an ACCEPT default policy and then writing a REJECT rule for every kind of traffic you do not want through the firewall, where a single forgotten rule leaves a service exposed.

Figure 4-2. Default Policy
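As an added example (not the WebTool's own rule engine), the following shows how a per-zone-pair default policy and a first-match rule table combine, and why a REJECT default is the safer starting point. The zone names follow the interface roles above; the rule table, the services in it and the probe packets are constructed assumptions.

```python
"""First-match rule evaluation on top of a per-zone-pair default policy."""
from typing import Dict, List, Optional, Tuple

Zone = str
Policy = Dict[Tuple[Zone, Zone], str]               # (source zone, destination zone) -> action
Rule = Tuple[Zone, Zone, str, Optional[int], str]   # src zone, dst zone, proto, dst port (None = any), action

ZONES = ("ext", "int")   # named after the interface roles in Section 4.1.1

# Constructed default policies: the chapter's choice (REJECT everywhere) and the
# alternative it warns against, kept for comparison.
REJECT_DEFAULT: Policy = {(s, d): "REJECT" for s in ZONES for d in ZONES if s != d}
ACCEPT_DEFAULT: Policy = {(s, d): "ACCEPT" for s in ZONES for d in ZONES if s != d}

# Constructed rule table (hypothetical services); evaluated top to bottom, first match wins.
RULES: List[Rule] = [
    ("int", "ext", "tcp", 80,  "ACCEPT"),   # web from the inside
    ("int", "ext", "tcp", 443, "ACCEPT"),
    ("int", "ext", "udp", 53,  "ACCEPT"),   # the internal DNS server's lookups
    ("ext", "int", "tcp", 25,  "ACCEPT"),   # inbound mail to an internal host
]


def decide(policy: Policy, rules: List[Rule], src: Zone, dst: Zone, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, otherwise the zone pair's default."""
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src, r_dst, r_proto) == (src, dst, proto) and r_port in (None, dport):
            return action
    return policy[(src, dst)]


def exposure(rules: List[Rule], probes: List[Tuple[Zone, Zone, str, int]]) -> Dict[str, List[Tuple]]:
    """List which constructed probe packets each default policy lets through."""
    return {
        "REJECT default": [p for p in probes if decide(REJECT_DEFAULT, rules, *p) == "ACCEPT"],
        "ACCEPT default": [p for p in probes if decide(ACCEPT_DEFAULT, rules, *p) == "ACCEPT"],
    }


if __name__ == "__main__":
    PROBES = [("ext", "int", "tcp", 25), ("ext", "int", "tcp", 22), ("ext", "int", "tcp", 3306),
              ("int", "ext", "udp", 53), ("int", "ext", "tcp", 23)]
    for name, passed in exposure(RULES, PROBES).items():
        print(f"{name}: lets through {passed}")
```

With the REJECT default only the four listed services pass; with an ACCEPT default every probe passes unless someone remembered to write a REJECT rule for it. One practitioner caveat: a REJECT answers the sender with an error packet, which tells a scanner that something is listening at that address, whereas a silent drop does not; the page's policy choices are ACCEPT and REJECT, so that distinction is a property of the underlying packet filter rather than of this dialog.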

4.1.3. Masquerading

Masquerading hides the internal network from the outside world. It is a form of source NAT (Network Address Translation): internal hosts can use private address space, so an organization needs only a few public IP addresses for its Internet presence while assigning thousands of internal ones. There are various reasons for using or not using masquerading; in this example it is turned on.

When masquerading is enabled, outbound packets from the internal network that pass through the firewall have their internal source IP address replaced with the firewall's external address. For example, DNS request packets sent by the internal DNS server (10.0.99.12) have their source translated from 10.0.99.12 to 192.168.1.81 before they leave the external firewall interface, so that they carry a source address the Internet can route replies to. (Note that 192.168.1.81 is itself an RFC 1918 private address; in this example it stands in for a public one, and in a real deployment the external interface would carry a public address or another NAT device upstream would translate again.) Responses from the Internet are addressed to 192.168.1.81, the external address of the firewall. Because the firewall keeps a table of the translations it has made for outgoing packets, when a response to an internal request arrives it can restore the internal IP address as the destination and deliver the packet to the machine that originally made the request. A packet from the outside that matches no entry in that table is not forwarded to any internal host, which is what hides the internal network.

This is configured by enabling masquerading with source interface eth1 (10.0.99.1, the internal interface) and destination interface eth0 (192.168.1.81, the external interface).

Figure 4-3. Masquerading
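The following is an added simulation of the translation described above; it is not the firewall's own code. It uses the chapter's addresses (10.0.99.12 for the internal DNS server, 192.168.1.81 for the external interface); the resolver and probe addresses, the starting translated port of 1024 and the packet field names are constructed assumptions.

```python
"""Masquerading (many-to-one source NAT) with a connection table."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

EXTERNAL_ADDR = "192.168.1.81"   # the firewall's eth0 address, from the text


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Rewrite outbound sources to the external address and undo it for replies."""

    def __init__(self, external_addr: str = EXTERNAL_ADDR, first_port: int = 1024):
        self.external_addr = external_addr
        self.next_port = first_port   # assumed starting point for translated source ports
        # flow as seen from the outside (proto, remote addr, remote port, translated port)
        # -> the internal endpoint it belongs to
        self.table: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}
        # internal flow -> translated port, so every packet of one flow keeps the same port
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving eth0 and remember how to reverse it."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.flows.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.flows[key] = port
            self.table[(pkt.proto, pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_addr, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Restore the internal destination of a reply; None if nothing solicited it."""
        if pkt.dst != self.external_addr:
            return None
        entry = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None   # unsolicited from outside: no internal host is reachable this way
        internal_addr, internal_port = entry
        return replace(pkt, dst=internal_addr, dport=internal_port)


if __name__ == "__main__":
    nat = Masquerader()
    # Constructed DNS lookup from the internal DNS server to a resolver on the Internet
    # (198.51.100.53 is a documentation address used as a stand-in).
    query = Packet("udp", "10.0.99.12", 40000, "198.51.100.53", 53)
    on_the_wire = nat.outbound(query)
    print("leaves eth0 as:", on_the_wire)
    answer = Packet("udp", "198.51.100.53", 53, EXTERNAL_ADDR, on_the_wire.sport)
    print("reply delivered to:", nat.inbound(answer))
    # An unsolicited connection attempt from outside finds no table entry.
    print("unsolicited probe ->", nat.inbound(Packet("tcp", "203.0.113.9", 4444, EXTERNAL_ADDR, 22)))
```

The table is keyed on the remote address and port as well as the translated port, so a reply is only mapped back to the internal host if it comes from the peer that host actually contacted; an attacker who guesses a translated port still cannot reach 10.0.99.12 from a different address.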