NetMAX FIREWALL RULE HOW-TO GUIDE

Revision Date: 3/28/01
Let's start with the main NetMAX interface and some of its features. We start from the Home page you see after logging in to the NetMAX web based interface. You should see something similar to the following screen shot. Note: depending on what version of the product you have, some features may or may not appear. Don't worry, as long as you have the features that we'll be talking about in this section, you will be fine.

We have placed letters next to each menu choice in diagram 1-1 to make things easier to reference. You will not have these letters in your interface.

A) PERSONAL: This is where all the local user's information is displayed (home directory, file management, available shares). Remember, if you only have a FireWall product, this menu will have fewer items listed (as the FireWall products don't have any available shares).

B) USERS: This is where all of your users' information is kept. This is where you would go to create new users (FireWall products can only have one user, the administrative user). You can also change a user's home directory, which groups they belong to, permissions, email enablement, and other miscellaneous user settings. Again, FireWall products will have very limited options here.

C) SERVICES: This is where, depending on your version, you would set up subsystems like WWW (Apache), FTP, Proxy Server (Squid), Traffic Monitor, VPN (isakmpd), eMail (Sendmail), etc. Again, FireWall products will have limited options for configuring these services, though most of them will still be running; please see our FAQ for information on how these services can be shut down from the command line.

D) REPORTS: This should be your first step when troubleshooting a problem. Reports give you the ability to check system logs, daemon logs, current users, proxy cache, alerts, etc. Basically, this is where to go to find out how your system is doing or what, if any, problems there are.

E) NETWORK: Just as the name implies, this is where to go to configure your NetMAX's network settings. You can set up the DNS server/resolver, firewalls, hosts for your DNS server, and advanced networking such as proxy ARPing, bridging, traffic rerouting, IP NAT, etc.

F) SHARING: This might not even be on your Home page, depending on which product you own. For those who have it, it is the place to set up shares, add volumes (new drives), mount removable media (CD-ROM, floppy drives), and share printers. If you have this link, you might not have all of the items inside it, e.g. WebServer products will have Home|Sharing, but no Printer Sharing option inside.

G) SYSTEM: This is for system changes only, i.e. Shutdown, Package Management (older versions have this under Home|Services), and UPS support (again, if available on your system).
SECTION 2. FIREWALL CONFIGURATION - GETTING THERE

This guide is intended for instruction on firewall configuration only. It assumes that your NetMAX has already been implemented and that the network functions are working properly. If your NetMAX is not set up correctly on the network, then you will need to do so before proceeding. You should ensure that you have the "Firewall Configuration" on all of your interfaces set to "None" to test network functionality. After you have verified that your NetMAX is properly configured, you can begin to design the "Independent Configuration" of your firewall rules. Configuring a firewall allows you to control the traffic to and from the NetMAX router. From the Home screen (diagram 1-1) click on the NETWORK option (Home|Network). The screen shot in diagram 1-2 is what you will see from Home|Network.
Firewall rules are set up per network interface card (NIC), i.e. the rules apply to that interface only. For example, that means if you block the telnet service port on your external NIC (connected to the external network, which for most users will be the Internet) then you will still be able to telnet to the NetMAX from your internal network through the internal NIC (connected to your internal network), since there are no rules blocking the service port on that interface. Keep this in mind when testing the firewall. If you scan the firewall from the internal network and all of your rules are on the external interface then nothing will show as blocked, which is the result you should expect. This is true even if you use your NetMAX's external IP address when scanning from the internal network, because your packet is still only going through the internal NIC (which has no rules). Click on the interface link on the right hand side of your NetMAX interface to continue.

SECTION 3. FIREWALL CONFIGURATION - THE INTERFACE

Once you are on the interface screen, it should look something like the following:
This screen is the Interface Menu (Home|Network|Interfaces). Notice that it lists all your interfaces, whether they are serial ports or NICs. Bold letters are shown for reference and will not be on your screen. If your serial port happens to be your connection out to the Internet (e.g. high speed WAN, ISDN, external modem, etc.) then you can also place rules on that interface. Let's go over the items we see listed on the Interface Menu:

A) The Navigation Path tells you where you are in the interface; you can go back to Home by clicking on the home link (only the underlined links are available from this screen). You should never use the navigation buttons on your browser to navigate through your NetMAX, but rather the navigation buttons in the NetMAX Interface. The Navigation Path will always be available, no matter what screen you are on in the web based interface. You should be able to click on the arrows, as they act as the back button for the interface.

B & C) These are both NICs, and the descriptions are really not important. If they appear on this page, then NetMAX has recognized them. Sometimes the descriptions might say "unknown" instead of identifying the actual type of NIC installed. Do not worry, these come from the driver. You should still be able to use the NIC, as long as it appears on this page. Only FireWall, VPN and Professional products allow more than one NIC to be listed on this page. That does not mean that the system did not recognize them, just that they can't be configured through the NetMAX Interface on other NetMAX products.

D) This is how a serial port will look. You might be placing your rules on this interface if you are using a high speed serial card (for ISDN, for example) or an external modem.

E) This is the help option. Clicking on this brings up help on the items listed on this screen, so the help option will pull up different information for every screen that you are on. If you are new to the NetMAX it is a good idea to press this button at every new screen you see, just to find out what everything on that screen does.

To configure anything on these interfaces (including firewall rules) click on the pencil next to the interface that you want to configure. For our purposes click on the pencil for the interface eth0 (ref. as B). Once you have done this, you will get the interface configuration screen that follows:

!!!! Remember we are assuming you have clicked the pencil on your EXTERNAL NIC !!!!

A) TCP/IP Configuration (box) - Here is the basic information about the NIC: whether it is enabled, running NAT or not, DHCP client, fixed IP, etc. For configuring this area, please refer to the context sensitive online help section, our web site, and the manual. This guide is just for firewall rules, so we won't really discuss this section, though if this part is not set up properly, firewall rules are not going to work properly. In fact, you want to make sure that you don't have any rules when troubleshooting this section of the NetMAX configuration! (Note that the values shown in the screen shot are just examples; you might have completely different values displayed.)

B) Firewall Configuration (box) - This box is for the configuration of firewall rules. There are three (sometimes just two) options here:
*** NOTE: If you don't have this checked, NO firewall rules will be applied to this interface ***

C) CONFIGURATION (button) - Once you have chosen "Use Independent Configuration", you can go ahead and click on the configure button to begin configuring the firewall on this interface. Clicking on configure will bring you to another screen to set your firewall. After you have done that and stored it, you will be brought back to this screen.

D) STORE (button) - Once you have configured the firewall and returned to this screen, you must press STORE and make sure that "Use Independent Configuration" is checked (if you checked it before, it will be checked already) or the settings will not be stored! We will get to that step later, but you should always click on STORE when making changes. Otherwise, they will not be committed.

To start creating a firewall configuration, click on "Use Independent Configuration" to enable it and then click on the CONFIGURE button (labeled C in the picture). This will take you to the screen where the firewall is actually configured (for the selected interface).

SECTION 4. FIREWALL SET-UP AND COMMON TAB

Now we are at the Firewall configuration screen:
Let's go over the items that appear on this screen. Again, we have inserted labels to help better indicate the items on the screen. There are three tabs on this screen, each of which brings up a new screen when clicked on.

A) COMMON - This is the first tab you will see when entering this screen. It is placed here to help you implement simple "Blocking" or Denying rule sets. Clicking on the "Enable" check box generates firewall rules to accomplish the rule set description. Clicking on the "Log" check box logs the traffic of any IP packets that fit the rules generated. Logging is recommended only if you suspect unauthorized users are trying to access the NetMAX. We will go through what each rule set does below.

B) EXCEPTIONS - Clicking on this tab will show you another screen (figure included below). These rule sets are for "allowing" or accepting traffic through the firewall. Clicking on the "Enable" check box generates firewall rules to accomplish the rule set description. Clicking on the "Log" check box logs the traffic of any IP packets that fit the rules generated. Logging is not usually enabled here because, since you are allowing this traffic, the log file generated might become very big very fast, potentially bogging down the NetMAX. All pre-configured rules from the common and exceptions pages are written to the custom rules page. To see exactly what firewall rules are being generated, click on only one rule set and then click on the CUSTOM tab to view what it looks like.

C) CUSTOM - This tab is where you would go to create your own firewall rules, in addition to, or instead of, the template rule sets listed under the COMMON and EXCEPTIONS tabs. We will go over how to create custom rules later in this guide. *** NOTE: This is also where all the rules are listed in the order that they are applied, whether you made them or they were created by checking COMMON or EXCEPTIONS rule sets. ***

*** PLEASE NOTE: when we refer to "output", it means that the rule applies to packets leaving that interface, and when "input" is used, it means that the packet is coming into that interface. So for example, when an internal client sends a packet out to the Internet it will go "in" the internal NIC and "out" the external NIC; the return packet will be the reverse. ***

Let's go over the rule sets. (Please note: some rules will overlap regarding what they filter. Since rules are applied only until one matches, this should not make a difference.)

1) Block all traffic - Enabling this rule set will basically set up one rule: block everything, both input and output. If you select this on the interface that you are using to connect to the NetMAX, you will lose your connection once it is enabled and the changes are committed. Once we get to the CUSTOM tab we will go over the individual rules that are created.

2) Block all UDP traffic - This rule set will stop any UDP packets coming in or going out. That means, no matter what the packet is, if it is UDP it will be blocked.

3) Block all standard services (incoming) - This rule set will generate a rule blocking all incoming traffic, both TCP and UDP, on ALL ports from 1-1024. Ports 1-1024 are what are known as "reserved" or "assigned" ports. These ports all have a certain service defined for them in RFC 1700. So this rule basically blocks access to any standard services (such as SMTP) that are running on the NetMAX. Again, this is only blocking incoming traffic. Traffic will still be able to go out and in on higher numbered ports and even go out on ports lower than 1024 (but can't get an answer back to those ports, since it would be coming in).

4) Block common standard services (Email, DNS, LDAP, News, WWW, FTP, Login, X) - This rule set does the same thing that the previous rule set does, except that instead of blocking all ports from 1-1024 it only blocks the standard ports for the services listed in the parentheses: Email (25, 109, 110, 143, 465, 993, 995), DNS (53), LDAP (389), News (119, 563), WWW (80, 443), FTP (21, 20, 47, 69, 115, 152), Login (23, 514, 992, 22), X (541, 6000-6063). Again, this rule only blocks incoming packets on both TCP and UDP. Even though traffic will be able to go out on these ports, traffic coming back in on these ports will be blocked, effectively stopping all communication on these ports.

5) Block all file sharing services (CIFS, NFS, AppleShareIP) - This rule set will prevent any users from accessing the shares that any one of your internal clients might have left open to the Internet, including the NetMAX itself. Also note that if you have enabled NAT, you have pretty much stopped anyone from directly initiating a connection to them anyway (since they have private, non-routable IPs). This rule set generates rules that block input and output for ports 445, 137, 138, 139, 1110, 548, 2049, and 111 on both TCP and UDP. Also any DDP (Datagram Delivery Protocol) packets (either going out or in) will be blocked. **NOTE: There are ports (1110 and 2049) in this rule set that are not in the Block all standard services rule set.

6) Block all incoming NetMAX administration - This rule set will basically stop anyone from connecting to port 5150, which is the default port for connecting to the NetMAX web based administrative interface. This will not block telnet, SSH, or any other service that is running on the NetMAX, whether you are using it to administer the NetMAX or not.

7) Block all incoming email to network machines - This rule set will block SMTP ports 25 and 465 for any server on your network, for both TCP and UDP, input only, to protect your internal mail servers from Internet users. Again, if you are running NAT, this probably will not be necessary.

8) Block common denial of service attacks (incoming and outgoing) - This rule set will block (both TCP and UDP) common ports that are used in DoS attacks. These ports are: 19, 4, 7, 69, 95, 111, 161, 177, 540, 2049, 1110 and DDP packets (see #5 for details on this). These ports are blocked as INPUT AND OUTPUT, so no one will be able to send packets on these ports from the inside either. This rule will disable PING and other services like SNMP in BOTH directions!! Also remember, with a NetMAX firewall there really is no way to block just incoming pings (ICMP ECHO REQUESTS) and allow outgoing ping replies (ICMP ECHO REPLIES) to come back in. Either you allow pings, or you don't.

9) Block IP address spoofing attacks (external traffic with internal IP addresses) - This rule set is pretty much self-explanatory. Most IP spoofing attacks involve IP packets that have been edited to have a private IP address as the source address, spoofing their actual source IP address. This rule automatically sets up firewall rules blocking any IP packets with internal source addresses from entering the internal network through the external NIC. Below is an example of what you might see:
[Table: IP / Net mask]

All of the IPs and their netmasks listed above are reserved and should not be used on the Internet. ** NOTE: this rule assumes your "external" IP is not in this range. In other words, if your NetMAX's gateway is already behind a NAT, then this rule will block your external access (e.g. your CISCO router is translating your real IPs to 10.0.0.0 addresses, using static NAT). **

Again, these are "canned" common rule sets to help you implement your basic firewall. These rules are very general, and may not implement the security you are looking for (look at rule #9's NOTE). Every network is unique. To implement true, custom security, you should use custom rules, alter these canned rule sets, or use a combination of custom and canned rule sets. If you are not experienced in firewall rule creation we suggest staying with the pre-configured rules or contacting our support engineers for a consultation.

Let's review the Exception rules. Click on the EXCEPTIONS tab now.
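To make rule #9 and its NOTE concrete, here is an added Python example (not part of this guide and not NetMAX's own code) that applies the same per-interface source-address check to a few constructed packets and tells you in advance whether your own external address would be caught by it. The interface name eth0, the reserved ranges (taken from RFC 1918), and every address below are assumptions made for the example.

```python
import ipaddress

# The reserved blocks rule #9 treats as "internal" source addresses (RFC 1918).
# Assumption for the example: the guide's own IP / Net mask table is not reproduced.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: the interface that faces the Internet in this example.
EXTERNAL_IFACE = "eth0"


def private_net_for(ip_str):
    """Return the reserved network containing ip_str, or None if it is routable."""
    ip = ipaddress.ip_address(ip_str)
    for net in PRIVATE_NETS:
        if ip in net:
            return str(net)
    return None


def antispoof_verdict(iface, src_ip):
    """Rule #9 as the guide describes it: deny input on the EXTERNAL interface when the
    source address is internal. Rules are per interface, so the same packet arriving on
    the internal NIC is untouched (no rules live there)."""
    if iface == EXTERNAL_IFACE and private_net_for(src_ip) is not None:
        return "deny"
    return "accept"


def lockout_risk(external_ip):
    """The guide's NOTE: if the NetMAX's own external address is in a reserved range
    (it sits behind another NAT), rule #9 also blocks legitimate external traffic.
    Returns the offending network, or None when the rule is safe to enable."""
    return private_net_for(external_ip)


def audit(packets):
    """Apply the verdict to constructed (iface, src, dst) tuples; return the drops."""
    return [(iface, src, dst) for iface, src, dst in packets
            if antispoof_verdict(iface, src) == "deny"]


# Constructed sample traffic: (interface it arrived on, source, destination).
SAMPLE = [
    ("eth0", "10.1.2.3", "192.168.0.1"),        # private source on the external NIC: spoofed
    ("eth0", "203.0.113.7", "192.168.0.1"),     # ordinary Internet source
    ("eth1", "10.1.2.3", "203.0.113.7"),        # same source on the internal NIC: no rule there
    ("eth0", "172.31.255.254", "192.168.0.5"),  # upper edge of 172.16.0.0/12
    ("eth0", "172.32.0.1", "192.168.0.5"),      # just outside 172.16.0.0/12: routable
]

if __name__ == "__main__":
    for drop in audit(SAMPLE):
        print("dropped:", drop)
    print("lockout risk for 10.0.0.5:", lockout_risk("10.0.0.5"))
```

Run lockout_risk() against the address shown in the TCP/IP Configuration box of your external NIC before enabling rule #9; a non-None result is exactly the "behind another NAT" situation the NOTE warns about.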
SECTION 5. FIREWALL SET-UP AND EXCEPTIONS TAB

You should now be at the EXCEPTIONS screen:
Again, we have inserted labels to help better indicate the items on the screen. Let's go over the rule sets for exceptions:

1) Allow external access to this NetMAX server's web server - Because the NetMAX is set up to be a module server, i.e. you can add the Intranet Server Suite to a FireWall product and get web server functions on the firewall box, we have set up standard rules to help you utilize these "optional" functions should you decide to add them. This rule assumes that you have added a WebServer (Internet Server Suite) (or Professional) license number to your NetMAX and are planning to host a public web site on your NetMAX. So this rule set will generate rules:
So two rules are generated to allow a port to be open and accessed. Unless you know exactly which port the outside end is starting from (their source port), you will need to make at least two rules like we have done here. Here is a diagram showing a typical TCP connection from multiple web clients (browsers) to our webserver's TCP service on port 80:
Notice that when you request a web page (HTTP request) from a webserver's static destination port (typically the server "listens" on port 80 for requests), your source port is typically dynamically generated by your client (web browser) and may be any number above port 1024. Ports below 1024 are "reserved" (See sections on common rules for more detail on this.). This "source port" is almost always random and is picked either by the application you are in (e.g. web browser, FTP client, etc.) or the OS (TCP/IP stack). Once you have made a "connection" over TCP, both machines will typically talk on those ports for the entire duration of the connection. In other words, if you connect to a web server on port 80, the web server would not start another connection for its replies, it would just reply from port 80 to the port that you originated from. So the connection would go something like this:
This "two way" communication is why you need two rules. Because the client's source port is dynamic (you don't know what port the client will pick) you have to choose "any" and can't just create a single input/output rule on port 80. The first rule that this exception rule set creates will allow the request packet to come in, and will let the reply packet go back out!
Note: This rule set does not allow access to web servers behind the NetMAX, but only to web servers running on the NetMAX itself! 2) Allow external access to this NetMAX server's sendmail server - Because the NetMAX is set up to be a module server, i.e. you can add a WebServer product to a FireWall product and get web server functions on the firewall box, we have set up standard rules to help you utilize these "optional" functions should you decide to add them. This rule set assumes that you have added a WebServer (or Professional) license number to your NetMAX and are planning to host mail (SMTP) on the same box as your NetMAX. So this exception rule set will generate rules:
If you are not sure why there are two rules generated please see the explanation for the first exception rule set, above.

3) Allow external access to this NetMAX server's IMAP and POP servers - Because the NetMAX is set up to be a module server, i.e. you can add a WebServer product to a FireWall product and get webserver functions on the firewall box, we have set up standard rules to help you utilize these "optional" functions should you decide to add them. This rule set assumes that you have added a WebServer (or Professional) license number to your NetMAX and are planning to host mail (IMAP and POP3) services on the same box as your NetMAX. So this exception will generate rules:
If you are not sure why there are two rules generated please see the explanation under the first exception rule set, above. 4) Allow external access to this NetMAX server's FTP server - Because the NetMAX is set up to be a module server, i.e. you can add the WebServer to a FireWall product and get web server functions on the firewall box, we have set up standard rules to help you utilize these "optional" functions should you decide to add them. This rule set assumes that you have added a WebServer, FileServer, or Professional license number to your NetMAX and are planning to host FTP services on the same box as your NetMAX. So this exception will generate rules:
*** Notice that there are four rules this time, because we also had to control UDP. Although you can have as many ports on a rule as you want, you can only select one protocol type per rule. In version 3.0+ we have added a protocol type alias "TCP and UDP" so that rules like this can be combined into two rules instead of four (in version 3.0+ only). An example is below:
If you are not sure why there are two rules generated per protocol type please see the explanation on exception rule set #1. 5) Allow external access to this NetMAX server's news server - Because the NetMAX is set up to be a module server, i.e. you can add the WebServer to a FireWall product and get web server functions on the firewall box, we have set up standard rules to help you utilize these "optional" functions should you decide to add them. This rule set assumes that you have added a Professional license number to your NetMAX and are planning to host News (NNTP) service on the same box as your NetMAX. So this exception will generate rules:
If you are not sure why there are two rules generated per protocol type please see the explanation on exception rule set #4. 6) Allow external access to this NetMAX server's DNS server - NetMAX FireWall and Professional products have DNS (Domain Name Server) configuration functionality in the interface. This rule set will allow the NetMAX to communicate with other domain name servers, and allow people (resolvers) to query the NetMAX's domain name service. So this exception will generate the following rules:
7) Allow this NetMAX server to access other external DNS servers - This rule set is similar to exception rule set #6, except instead of allowing any source port to connect, it will only allow connections starting from source port 53 going to destination port 53, allowing such things as zone transfers between DNS servers.
8) Allow external access to this NetMAX server's LDAP server - Because the NetMAX is set up to be a module server, i.e. you can add the WebServer to a FireWall product and get web server functions on the firewall box, we have set up standard rules to help you utilize these "optional" functions should you decide to add them. This rule assumes that you have added a Professional license number to your NetMAX, and are planning to host an LDAP server on the same box as your NetMAX. So this exception will generate the following rules:
9) Allow external login access to this NetMAX server - Notice that this rule set does not mention the web interface, just login access, so this will only open telnet and SSH access. Here are the rules that are generated:
10) Allow network diagnostics (Ping, Traceroute) - If enabled, this rule set will allow pings (ICMP echoes) and trace route to pass through the firewall. Remember, you can't block ping in only one direction!! Either you can have it allowed or not. Here are the rules: These 2 rules are for traceroute:
This is for ping (pings are a form of ICMP traffic):
** This is the first time we see the term Network IP. This may seem a little vague, but what it means is any IP address on a network to which the NetMAX is connected. For example, if the IP addresses for your NetMAX are the following:

eth0: 192.168.0.1 netmask: 255.255.255.0

The Network IP range would include the IP addresses 192.168.0.1-192.168.0.254, and 10.0.0.1-10.0.0.254. Using Network IP would be the same as entering this range manually.

11) Allow external access to internal Microsoft VPN servers - This rule set will open the ports necessary to allow Microsoft VPN (PPTP) traffic through. Here are the rules:
Notice that the last rule only allows the GRE protocol through, and though the template does not do this, you could actually combine the first two rules into one by choosing input and output, as is done for the third rule. **** IMPORTANT: THIS RULE WILL NOT LET VPN GO THROUGH AN IP NAT. IF YOU ARE USING PRIVATE (10.x.x.x, 192.168.x.x, 172.16.x.x-172.31.x.x) IP ADDRESSES, THEN YOU ARE PROBABLY USING NETMAX'S IP NAT FUNCTIONALITY AND VPN WILL NOT WORK THROUGH IT. THIS IS A LIMITATION OF THE IP MASQUERADING MODULE AND THE VPN PROTOCOLS. THERE IS AN UNSUPPORTED KERNEL PATCH POSTED ON OUR WEB SITE THAT YOU CAN USE AT YOUR OWN RISK TO GET MICROSOFT VPN TO WORK THROUGH AN IP NAT THAT USES IP MASQUERADING; TECH SUPPORT DOES NOT SUPPORT THIS. THIS RULE SET WILL ONLY WORK IF YOUR ENTIRE NETWORK IS ROUTABLE (NON-PRIVATE) ****

12) Allow all Network Time Protocol (NTP) traffic - This rule set allows clients and the NetMAX itself to connect to "time" servers to synchronize their clocks. If your network time client does not use NTP then this rule will not help you. Here are the rules:
This will provide connections in both directions, i.e. you can run your own internal NTP server if you want. 13) Allow common workstation traffic (WWW, DNS, FTP, Gopher, WAIS, Domain) - Like most of these exceptions rule sets, this rule set makes openings in your firewall. If you do not have these ports blocked, then there would be no reason to use this rule set. Even though some exceptions will have "deny" rules, you should not depend on exceptions rule sets to provide all of the "blocking" for your firewall, you should make individual deny rules. Here are the rules for this rule set:
This is the most complex rule set so far. The first thing you will notice is that there are a couple of deny rules. The first two rules allow your internal clients to send requests out to the listed ports on outside servers. The third and fourth rules stop people from initiating connections from the outside to the NetMAX or your clients, if you are not using NAT (if you are using NAT, there is no way for someone to connect to your internal machines unless you implement traffic rerouting). The fifth and sixth rules allow the servers you connected to in the first two rules to reply back to you. Just by looking at the rules above, it might look like you are allowing outgoing traffic but stopping incoming (rules c, d) traffic. In reality, rules d and e are just blocking TCP SYN packets. When TCP is starting a connection it does a "handshake"; this handshake is part of every TCP connection. Briefly, here is how it works:

After computer B sends the ACK, then and only then, can communication begin. By blocking SYN (incoming) we have effectively stopped someone from initiating a TCP connection in through the ports we opened for us to go out! Notice that we only block SYN coming in, not going out, so we can initiate a TCP connection to an outside server, but they cannot initiate a TCP connection with us. They can only communicate over an already established TCP connection. NOTE: UDP (and some other protocols) are "connectionless" protocols and do not do this handshake or establish a "connection". This makes them faster, but also unreliable. This is why there is no UDP w/SYN option on the firewall.

Another note about this rule set is that these rules do not allow our internal clients to query external DNS directly. These rules only allow the NetMAX to query external DNS. If you are pointing your clients to your ISP's DNS servers, they will not be able to resolve names! (Assuming that you have chosen to block port 53 elsewhere, since this is an exception only.)
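The SYN-based blocking just described, the two-rule request/reply pattern from exception rule set #1, the "Network IP" range from rule set #10, the version 3.0+ "TCP and UDP" alias, and the top-down first-match evaluation that the CUSTOM tab relies on can all be exercised in a small simulator. The following Python is an added example, not NetMAX's own code or rule engine; the rule list, the attached networks (192.168.0.0/24 and 10.0.0.0/24), and the packets are constructed, and letting unmatched packets pass is an assumption taken from the guide's statement that an interface with no rules blocks nothing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the networks this simulated NetMAX is attached to. "NETWORK" in a rule
# stands for the guide's "Network IP" (any address on a directly connected network).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/24"),
                  ipaddress.ip_network("10.0.0.0/24")]


@dataclass(frozen=True)
class Packet:
    direction: str      # "input" or "output", relative to the interface the rules sit on
    proto: str          # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. the first packet of a connection


@dataclass(frozen=True)
class Rule:
    direction: str      # "input", "output" or "both"
    action: str         # "accept" or "deny"
    proto: str          # "TCP", "TCP/SYN", "UDP", "TCP and UDP", "ICMP" or "ANY"
    src: str = "ANY"    # "ANY", "NETWORK" or a CIDR such as "203.0.113.0/24"
    sports: tuple = ()  # empty tuple = any source port
    dst: str = "ANY"
    dports: tuple = ()  # empty tuple = any destination port


def _addr_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "ANY":
        return True
    if spec == "NETWORK":
        return any(ip in net for net in LOCAL_NETWORKS)
    return ip in ipaddress.ip_network(spec, strict=False)


def _proto_matches(spec, pkt):
    if spec == "ANY":
        return True
    if spec == "TCP/SYN":              # only connection attempts, not established traffic
        return pkt.proto == "TCP" and pkt.syn
    if spec == "TCP and UDP":          # the version 3.0+ alias from the FTP exception
        return pkt.proto in ("TCP", "UDP")
    return pkt.proto == spec


def matches(rule, pkt):
    return (rule.direction in ("both", pkt.direction)
            and _proto_matches(rule.proto, pkt)
            and _addr_matches(rule.src, pkt.src)
            and (not rule.sports or pkt.sport in rule.sports)
            and _addr_matches(rule.dst, pkt.dst)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules, pkt):
    """Walk the list top-down; the first matching rule is used and the rest are skipped.
    With no matching rule the packet passes (assumption: an interface with no rules
    blocks nothing). Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "accept", None


def swapped(rules, i, j):
    """Copy of the list with rules i and j exchanged, to show that order decides."""
    out = list(rules)
    out[i], out[j] = out[j], out[i]
    return out


def network_ip_range(cidr):
    """Host range that "Network IP" covers for one attached network, e.g. 192.168.0.1/24."""
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    return str(hosts[0]), str(hosts[-1])


# Constructed approximation of the shape of "Allow common workstation traffic" (only WWW,
# FTP control and DNS here), followed by a "Block all standard services" deny so that
# the exceptions have something to punch through.
WORKSTATION_RULES = [
    Rule("output", "accept", "TCP", src="NETWORK", dports=(80, 21)),    # a: requests go out
    Rule("output", "accept", "UDP", src="NETWORK", dports=(53,)),       # b
    Rule("input", "deny", "TCP/SYN", dports=(80, 21)),                  # c: no inbound connection attempts to our servers
    Rule("input", "deny", "TCP/SYN", sports=(80, 21)),                  # d: nor ones disguised with a server source port
    Rule("input", "accept", "TCP", sports=(80, 21), dst="NETWORK"),     # e: replies to our requests come back in
    Rule("input", "accept", "UDP", sports=(53,), dst="NETWORK"),        # f
    Rule("input", "deny", "TCP and UDP", dports=tuple(range(1, 1025))), # Block all standard services
]

# Constructed sample packets.
REQUEST = Packet("output", "TCP", "192.168.0.10", 40000, "203.0.113.5", 80, syn=True)
REPLY = Packet("input", "TCP", "203.0.113.5", 80, "192.168.0.10", 40000)
INBOUND_SYN = Packet("input", "TCP", "203.0.113.9", 45000, "192.168.0.1", 80, syn=True)
DISGUISED_SYN = Packet("input", "TCP", "203.0.113.9", 80, "192.168.0.10", 445, syn=True)
ADMIN_PROBE = Packet("input", "UDP", "203.0.113.9", 9999, "192.168.0.1", 5150)

if __name__ == "__main__":
    for name, pkt in [("request", REQUEST), ("reply", REPLY), ("inbound SYN", INBOUND_SYN),
                      ("SYN from port 80", DISGUISED_SYN), ("admin port probe", ADMIN_PROBE)]:
        print(name, evaluate(WORKSTATION_RULES, pkt))
    # Put rule e above rule d and the disguised SYN is accepted: order is everything.
    print("d/e swapped", evaluate(swapped(WORKSTATION_RULES, 3, 4), DISGUISED_SYN))
```

Two things the run shows that the prose alone does not: exchanging rules d and e lets a connection attempt whose source port is 80 straight through, because rule e ("accept input from port 80") is reached first, which is why the CUSTOM tab's ordering matters; and the probe of the admin port 5150 reaches the default, since none of these rules mention it, which is what common rule set #6 is for.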
15) Allow ICQ traffic - Even though ICQ is a third party application we have included this rule set to help you open ICQ up through the firewall. Please note that your situation may vary and we are not responsible if ICQ changes or adds ports to their service. Here are the individual rules that this rule set makes:
16) Allow all internal machines access to external news server - This rule set will only allow internal clients to access external news servers. That is why there is a deny rule as the first rule. Notice, this is a deny TCP w/SYN!
Again, the first rule will stop anyone from initiating a connection to the NetMAX or to any internal client machine's News server.

17) Allow Internet Phone clients - This will basically open port 22555 (UDP) for any Network IP, which is the default port that VocalTec(tm)'s Internet Phone program uses.
We have now finished looking at how the exceptions work, and you should have a good idea of how to open up ports for your own applications. Most applications will tell you which ports they use and how (i.e. who starts the connection, etc.). On our knowledge base there are links to help you with other applications and protocols, FTP for example. Let's move on to the custom tab now.

SECTION 6. FIREWALL SET-UP AND CONFIGURATION - CUSTOM TAB

Now we are at the CUSTOM screen:
Again, we have inserted labels to help better indicate the items on the screen. *** IMPORTANT: Creating custom rules is for users that have experience creating firewalls. If you are not experienced in firewall rule creation we suggest staying with the pre-configured rules or contacting our support engineers for a consultation. ***

C) CUSTOM - This tab is where you would go to create your own firewall rules, in addition to, or instead of, the template rule sets listed under the COMMON and EXCEPTIONS tabs. *** NOTE: This is also where all the rules are listed in the order that they are applied, whether you made them or you created them by checking COMMON or EXCEPTIONS rule sets. *** We will go over how to create custom rules below.

Rules are checked starting from the top of the list and moving down. The first rule encountered that applies to the IP packet reaching the interface with the IP packet filtering firewall is "used", and the rest are skipped. This procedure is then repeated for each additional IP packet received. Let's go over creating a custom rule: first click on the CREATE button (marked 1 on diagram 1-9). You should see this screen:
Again, we have inserted labels to help better indicate the items on the screen. A) ACTIONS - This tab is where you indicate what kind of rule it is (i.e. deny, accept etc.) and also whether it is for input or output. Essentially, this is where you tell the NetMAX what to the do with the packet once the NetMAX has it. B) ADDRESS - This tab is where you enter the packet details, IP address, ports, protocols etc. Basically, this is where you tell the NetMAX what to look for in the packet, then do the ACTION listed if it matches. Lets look at what each options does on this tab:
This diagram would apply to any interface. It is just to show what is meant by Input, Output and Forward. Notice that Forward actually "forwards" (routes) the packet through the interface and firewall. Basically, Forward is for functions like NAT, where you would create a rule such as Forward; Masq; from 10.0.0.0; to ANY. That rule would enable selective "NATing", where only traffic from 10.x.x.x addresses would be IP Masqueraded (NetMAX's IP NAT). 4) ACTION - This is what is to be done with the packet once it meets the criteria set under the ADDRESS tab (which we will get to later). The choices are:
You need to enable NAT (or Forward/Masq rules) on the interface that has the xx.xx.xx.xx IP address. When you check the NAT option on the interface, you are actually creating the forward rule: forward; Masq; Any IP; to Any IP. Linux (2.2.x kernel based systems) Masq does not support one-to-one NAT (sometimes called static NAT), meaning you cannot forward all traffic destined for one specific IP address to one specific internal non-routable IP address. 5) Enable Logging (check box) - This will enable logging of every instance of this rule being applied. This will only happen if the criteria under the ADDRESS tab (which we are soon getting to) are met. This log is kept in the /var/log/kernel.log file, which can be viewed through the NetMAX interface under Home->Reports->System Log->. Click on the kernel log file to view it (the paper icon, NOT the pencil icon). ** NOTE: logging ACCEPTs will log every packet that comes through; this might cause the log file to become very big very fast. This may also cause system resources to be exhausted (depending on how much traffic is being logged) and may potentially cause system instability. ** The second part of creating the rule is setting the criteria; this is done through the ADDRESS tab. Let's click on the ADDRESS tab now:
Here are the parts of the ADDRESS tab: 1) Protocol - This is a pull-down list that has all the transport layer protocols that our interface can filter. We have listed the 5 most common ones first:
TCP - Transmission Control Protocol is the most commonly used protocol and the protocol that the World Wide Web uses. For more information on TCP please refer to: http://cnswww.cns.cwru.edu/net/odds-ends/rfc/rfc7 This option includes any kind of TCP, regardless of the "flag", effectively shutting down or releasing all TCP traffic.
TCP/SYN flag - This was already explained in the EXCEPTIONS tab under the "Allow common workstation traffic" section. This will basically stop people (whether internal or external, depending on whether you choose input or output) from initiating a TCP connection.
UDP - User Datagram Protocol is a connectionless protocol often used in applications where a certain percentage of packet loss is acceptable (e.g. video conferencing, messaging, games, etc.).
TCP and UDP - Includes both the first and third options (saves us from making another rule for application protocols that use both).
ICMP - Internet Control Message Protocol is essentially "pings", although ICMP also supports other network diagnostic functions. This is not TCP, so there are no port numbers assigned to these messages (since it is not a multiplexing protocol).
The rest is a long list of protocols the interface can set filters for; remember, as long as the traffic is IP based (we do NOT support IPX) the firewall can route it. We have circled two areas in the above screen shot in diagram 1-14: RED BOX - This is the "source" information of the IP header on the packet. Remember, the SOURCE might be you or someone else, depending on whether you are filtering output or input and on which NIC you are placing the firewall rules. We will go through a rule below that will expand on this. BLUE BOX - This is the "destination" information of the IP header on the packet.
Remember, the DESTINATION might be you or someone else, depending on whether you are filtering output or input and on which NIC you are placing the firewall rules. We will go through a rule below that will expand on this. We will now go through making one rule set to open a port. We say rule set because it will be very rare that you can "open" access to a network service with just one rule. We will create a rule set for opening TCP port 80 and blocking everything else. The rule set will appear as illustrated in diagram 1-15.
Again, we have inserted labels to help better indicate the items on the screen. **** It is always recommended that you place all rules (for blocking people out) on your external interface only. It is more secure and you will avoid locking yourself out of the NetMAX interface. **** These rules assume you are editing the firewall on the EXTERNAL interface and are described as follows: 1) This rule will allow traffic that starts on the internal clients and goes out to the Internet. Remember, Network IP means the network range for ALL interfaces on the NetMAX. This is explained on the EXCEPTIONS page under rule number 10. Notice that for the ports we have used http instead of specifying port 80 numerically. You can use common port names (http, https, ftp, netbios, etc.; all must be lower case); the reference file for these port names is /etc/services (a text file). In this case, http=80. Had we entered port 80 instead, the rule would be exactly the same. 2) This rule will allow all TCP traffic to come in as long as it starts from the source's (outside computer's) port 80. 3) This rule blocks ALL traffic coming in or out regardless of protocol, IP address or port. This rule set will allow you to communicate on port 80 only. But this setup does leave a minor "hole". With these rules, you will be able to surf out, but someone will also be able to come in, as long as their source port is 80 (this is possible with special tools). We had to leave this port open to allow our replies to come back in. We can stop this, though, by adding another rule:
Notice in diagram 1-16 that we only added one rule, #2 - a deny rule. Looking at just the summary page, it seems like we are blocking all TCP traffic coming back, so why does this work? Rule #2 does not block all TCP; it is only blocking TCP w/SYN. You will not be able to see that on this screen. You will have to click on the "pencil" and then view the ACTIONS and ADDRESS pages. Under the ADDRESS tab, the protocol TCP/SYN is shown (diagram 1-17):
This will prevent external users from initiating a TCP (the protocol that HTTP uses) connection from the outside, while rule #3 will still allow the web server to return packets through. So now internal clients will be able to initiate a TCP connection to an external web server, but we have prevented external machines from initiating a TCP connection.
CONCLUSION
Using the same technique followed above, you should now be able to generate your own custom firewall rules and rule sets. You need only follow the above steps, replacing the IP address and/or port information to suit your needs.
OPTIONAL CUSTOM RULES IMPLEMENTATION OPTION FOR VERSION 3.X CUSTOMERS
NetMAX uses IPCHAINS as its firewall component. In product versions 3.0x and later, experienced users can add their own IPCHAINS rules in the file /etc/rc.firewall.local. The rc.firewall.local file was implemented in the 3.x release to help users import their own IPCHAINS rules. The file itself has nothing to do with NetMAX, and NetMAX will never alter it in any way. During a firewall commit, after it is done running rc.firewall (where the NetMAX firewall rules are kept), it will check to see if rc.firewall.local exists and is executable. If it is, it will run it, so any rules in rc.firewall.local will be applied after rc.firewall, effectively overwriting any rules that conflict. To apply these newly added rules, you will have to re-commit the interface. Once again, this is only suggested for experienced users.
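To make the top-down, first-match evaluation concrete, here is an added Python model of the four-rule set from diagrams 1-15 to 1-17 (example code written for this guide, not NetMAX's own firewall code): it encodes the rules as listed and walks them top to bottom, so you can see why the outbound request, the web server's reply and the "source port 80" probe get different answers. The internal range 10.0.0.0/8 standing in for "Network IP", the sample addresses, and the reading of TCP/SYN as "SYN set, ACK clear" are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example: a CUSTOM-tab rule = ACTIONS (direction, action) + ADDRESS criteria.
@dataclass
class Rule:
    direction: str            # "input" or "output"
    action: str               # "accept" or "deny"
    proto: str                # "tcp", "tcp/syn", "udp" or "any"
    src: str = "0.0.0.0/0"    # default "any IP"
    sport: Optional[int] = None
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

# Constructed packet summary: header fields the firewall looks at, plus TCP flags.
Packet = namedtuple("Packet", "direction proto src sport dst dport syn ack", defaults=(False, False))

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto == "tcp/syn":
        # Assumption: TCP/SYN means a connection-opening segment (SYN set, ACK
        # clear), which is also the test ipchains applies for its -y option.
        if not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
            return False
    elif rule.proto not in ("any", pkt.proto):
        return False
    if ip_address(pkt.src) not in ip_network(rule.src) \
            or ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport)

def evaluate(rules: list, pkt: Packet) -> str:
    """Check rules top to bottom; the first one that matches is "used"."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # fell off the end of the list

INTERNAL = "10.0.0.0/8"  # assumed stand-in for the NetMAX "Network IP" range
RULES = [
    Rule("output", "accept", "tcp", src=INTERNAL, dport=80),     # 1: clients out to http
    Rule("input", "deny", "tcp/syn", sport=80),                  # 2: no connections opened from port 80
    Rule("input", "accept", "tcp", sport=80),                    # 3: web server replies come back in
    Rule("input", "deny", "any"), Rule("output", "deny", "any"), # 4: block everything else
]
```

With rule 2 removed from RULES, the same probe (an inbound SYN with source port 80) is accepted by rule 3, which is the "hole" the text describes.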