4.3. Firewall Rules

In this section the firewall rules are created. There are two types of rules, ACCEPT and REJECT: ACCEPT rules define packet types that the firewall will accept, and REJECT rules define packet types that it will reject. You can think of these rules as exceptions to the default policy. Since a REJECT default policy is being used, the rules that will be needed are ACCEPT rules. The first step in creating firewall rules is to list the services that should be allowed, with their sources and destinations. So let's take another look at what our example is to accomplish.

4.3.1. Incoming Rules

Here we are going to create the rules for incoming packets. In our example the only services for which we will create actual rules are the Guardian Digital WebTool and SSH. The other incoming services will be handled later on in Port Forwarding (see Section 4.4).

4.3.1.1. Guardian Digital Webtool - port 1023

The very first thing that you want to do is to make sure that you can connect to the firewall via the Guardian Digital WebTool. This is important because as you experiment with rule modifications you could easily lock yourself out of the firewall. If you at least have WebTool access then you can always turn the firewall off, or fix the error and re-enable access.

So let's create our first rule. Access the "Firewall Rules" category in the Guardian Digital WebTool. You will see a blank rule page with three sections.

Figure 4-5. Firewall Rules Page

To create a rule click on a "Create New Rule" button and you will see a pop-up window.

Figure 4-6. Edit Firewall Rule Pop-up

As you may recall, we defined all default policies as REJECT. So we need to create ACCEPT rules to let packets on a particular port pass.

  • Choose the ACCEPT action.

  • The protocol that the Guardian Digital WebTool uses is TCP so choose this protocol. Most services use the TCP protocol. Some exceptions are DNS (which uses both TCP and UDP) and NTP which uses UDP.

  • We want to pass all packets from the administrator's machine to the firewall. Check the "Host(s)" radio button and use the pull down menu for the source "Host(s)" and choose "ADMIN".

  • The source port selection needs to be "All Ports" as the Guardian Digital WebTool request can come from any port. (Make sure that you have selected the radio button next to the "Port(s)" pull down menu).

  • The destination is the firewall itself so once again select the "Host(s)" radio button and use the pull down menu to select "Local Machine".

  • For the destination port use the pull down menu and select "Guardian Digital WebTool (webtool)". The actual port number is 1023 but you don't need to be concerned with that as the Guardian Digital WebTool will use this port behind the scenes.

  • Now click on the "Create Rule" button. The pop-up will disappear and you will now see the rule that you have just created listed under the "ACCEPT" rules.

To allow the administrator's host to connect to any other machine on the internal network via the Guardian Digital WebTool repeat the above with the exception of choosing the "INTNET" in the destination host pull down menu. If the firewall were to be enabled at this point the only access allowed would be the Guardian Digital WebTool from the administrator's host to the firewall and to machines on the internal network.

Note

When defining a rule you are allowing the source to initiate a connection to an internal destination. The firewall automatically allows a response from the internal destination to pass back to the source therefore you do not have to also create a rule that allows the destination to respond back to the source. It is already done behind the scenes.

Figure 4-7. The Guardian Digital WebTool Rules

4.3.1.2. SSH

Now you know how to create an incoming rule. For our scenario we only want to allow incoming SSH access from the administrator's host to the internal network. This requires just one rule. Repeat the above procedure choosing the source host to be "ADMIN" and the destination hosts to be "INTNET". If you remember, we defined "INTNET" to be 10.0.99.0/24 - the internal network - in the "Hosts and Networks" section (Section 4.2).

4.3.2. Outgoing Rules

Here are the specifications to create the rules that will allow the internal network to access the Internet. Just follow the rule creating procedures as above and plug in the Source, Destination and Protocol values as described for each service. For all of the following rules select the default source "Port(s)" of "All Ports".

4.3.2.1. SSH

Function: Let any host on the internal network SSH access to the Internet.

Table 4-1. SSH Outgoing Rule

Parameter     Value
Source        INTNET
Destination   EXTNET
Protocol      TCP

4.3.2.2. DNS

Function: Let only the name server submit DNS requests to the Internet.

Table 4-2. DNS Outgoing Rule

Parameter     Value
Source        NS
Destination   EXTNET
Protocol      TCP and UDP

Note

This will require two rules, one for the TCP protocol and another one for UDP.

4.3.2.3. SMTP

Function: Let only the mail server send mail to the Internet.

Note

For SMTP there is no existing choice in the destination "Port(s)" field so use the "Specify" field and enter "25" for the port number. Make sure you select the "Specify" radio button before saving this rule.

Table 4-3. SMTP Outgoing Rule

Parameter     Value
Source        MX
Destination   EXTNET
Protocol      TCP

4.3.2.4. FTP

Function: Let any internal host FTP to the Internet.

Table 4-4. FTP Outgoing Rule

Parameter     Value
Source        INTNET
Destination   EXTNET
Protocol      TCP

Note

This will require two rules, one for the TCP protocol and another one for UDP.

4.3.2.5. HTTP

Function: Let any internal host connect to Internet web servers.

Table 4-5. HTTP Outgoing Rule

Parameter     Value
Source        INTNET
Destination   EXTNET
Protocol      TCP

4.3.2.6. HTTPS

Function: Let any internal host connect to Internet secure web servers.

Table 4-6. HTTPS Outgoing Rule

Parameter     Value
Source        INTNET
Destination   EXTNET
Protocol      TCP

4.3.2.7. NTP

Function: Let any internal host connect to an Internet time server.

Table 4-7. NTP Outgoing Rule

Parameter     Value
Source        INTNET
Destination   EXTNET
Protocol      UDP

Note

NTP uses the UDP protocol.
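The following is an added example and not part of this guide or of the Guardian Digital WebTool. It models the complete rule set of Sections 4.3.1 and 4.3.2 (a REJECT default policy with the ACCEPT rules above as exceptions, and replies to accepted connections passed automatically as described in the Note in Section 4.3.1.1) so that the effect of the rules can be checked on sample packets before the live firewall is enabled. Only INTNET (10.0.99.0/24) comes from Section 4.2; the addresses assumed for ADMIN, NS, MX, the firewall's own interfaces and the external hosts are constructed for the example.

```python
"""Added example: a model of the Section 4.3 rule set (default REJECT, ACCEPT
exceptions, automatic acceptance of replies), not the WebTool's own code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Named hosts and networks. INTNET is 10.0.99.0/24 as defined in Section 4.2;
# every other address here is constructed for this example.
GROUPS = {
    "INTNET": [ip_network("10.0.99.0/24")],
    "ADMIN": [ip_network("10.0.99.10/32")],          # assumed administrator host
    "NS": [ip_network("10.0.99.2/32")],              # assumed name server
    "MX": [ip_network("10.0.99.3/32")],              # assumed mail server
    "Local Machine": [ip_network("10.0.99.1/32"),
                      ip_network("203.0.113.5/32")],  # assumed firewall interfaces
}


@dataclass(frozen=True)
class Rule:
    action: str           # "ACCEPT" or "REJECT"
    proto: str            # "tcp" or "udp"
    src: str              # group name
    dst: str              # group name or "EXTNET"
    dport: Optional[int]  # None means "All Ports"; the source port is always "All Ports"


# The ACCEPT rules of 4.3.1 and 4.3.2, in the order they were created.
RULES = [
    Rule("ACCEPT", "tcp", "ADMIN", "Local Machine", 1023),  # WebTool to the firewall
    Rule("ACCEPT", "tcp", "ADMIN", "INTNET", 1023),         # WebTool to internal hosts
    Rule("ACCEPT", "tcp", "ADMIN", "INTNET", 22),           # incoming SSH
    Rule("ACCEPT", "tcp", "INTNET", "EXTNET", 22),          # outgoing SSH
    Rule("ACCEPT", "tcp", "NS", "EXTNET", 53),              # DNS needs two rules
    Rule("ACCEPT", "udp", "NS", "EXTNET", 53),
    Rule("ACCEPT", "tcp", "MX", "EXTNET", 25),              # SMTP (port via "Specify")
    Rule("ACCEPT", "tcp", "INTNET", "EXTNET", 21),          # FTP
    Rule("ACCEPT", "tcp", "INTNET", "EXTNET", 80),          # HTTP
    Rule("ACCEPT", "tcp", "INTNET", "EXTNET", 443),         # HTTPS
    Rule("ACCEPT", "udp", "INTNET", "EXTNET", 123),         # NTP is UDP only
]
DEFAULT_POLICY = "REJECT"


def in_group(addr: str, name: str) -> bool:
    """EXTNET is 'the Internet': any address that belongs to no internal group."""
    ip = ip_address(addr)
    if name == "EXTNET":
        return not any(ip in net for nets in GROUPS.values() for net in nets)
    return any(ip in net for net in GROUPS[name])


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto == proto and in_group(src, rule.src)
            and in_group(dst, rule.dst)
            and (rule.dport is None or rule.dport == dport))


class Firewall:
    def __init__(self, rules, default=DEFAULT_POLICY):
        self.rules, self.default, self.state = list(rules), default, set()

    def decide(self, proto, src, sport, dst, dport):
        """Return "ACCEPT" or "REJECT" for one packet. Accepted connections are
        recorded so their replies pass without a reverse rule (Note, 4.3.1.1)."""
        if (proto, dst, dport, src, sport) in self.state:  # reply to accepted flow
            return "ACCEPT"
        for rule in self.rules:
            if matches(rule, proto, src, dst, dport):
                if rule.action == "ACCEPT":
                    self.state.add((proto, src, sport, dst, dport))
                return rule.action
        return self.default  # no exception matched: the default policy applies


def check_scenario():
    """Run constructed packets (proto, src, sport, dst, dport) through the
    rule set, in order, and return the decision for each."""
    fw = Firewall(RULES)
    packets = {
        "admin_webtool":  ("tcp", "10.0.99.10", 40001, "10.0.99.1", 1023),
        "webtool_reply":  ("tcp", "10.0.99.1", 1023, "10.0.99.10", 40001),
        "admin_ssh_int":  ("tcp", "10.0.99.10", 40002, "10.0.99.20", 22),
        "other_ssh_int":  ("tcp", "10.0.99.21", 40003, "10.0.99.20", 22),
        "ns_dns_udp":     ("udp", "10.0.99.2", 5353, "198.51.100.1", 53),
        "host_dns_udp":   ("udp", "10.0.99.21", 5353, "198.51.100.1", 53),
        "mx_smtp":        ("tcp", "10.0.99.3", 40004, "198.51.100.2", 25),
        "host_https":     ("tcp", "10.0.99.21", 40005, "198.51.100.3", 443),
        "host_ntp_tcp":   ("tcp", "10.0.99.21", 40006, "198.51.100.4", 123),
        "unsolicited_in": ("tcp", "198.51.100.9", 40007, "10.0.99.20", 80),
    }
    return {name: fw.decide(*p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in check_scenario().items():
        print(f"{name:15} {verdict}")
```

Running it shows why the guide's ordering matters: the WebTool reply from the firewall to ADMIN is accepted only because the administrator's request was accepted first, while a second internal host's SSH to the internal network, a non-NS host's DNS query, NTP over TCP and an unsolicited inbound connection all fall through to the REJECT default.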

Figure 4-8. Firewall Rules display