2.6.3. Firewall Settings Administrative Web Page

2.6.3.1. Settings

The first section allows you to control administrative access (via https and ssh) to specific networks (Green, Blue, OpenVPN, IPsec) as available.

Figure 2.43. Firewall settings

Admin network.  Check the checkbox beside each network interface you want to open for administrative access.

If you want ssh access, don't forget to enable it on the SSH Access page.

If a MAC address is set, it is combined with the network selection: if you enable both Green and Blue and set a MAC address, only the machine with that MAC address has administrative access, from either Green or Blue.

Additional access can always be opened by creating firewall rules.

Advanced Mode.  Check this box to add several less frequently used options when you create firewall rules:

  • Option to limit logging.

  • Option to add a timeframe for when a rule will be active (say you want to open web browsing for your kids between 19:00 and 21:00 only, then this is how you do that).

  • Add custom interfaces.

  • Create rules for custom interfaces.

  • Add a Source Port to rules.

  • Option to 'invert' Source, Destination, Source Port and Destination Service.

GUI Settings.  Show interface colors in rule overview.

Check this box to highlight the interface colors in the display of current rules on the Firewall Rules page.

Save.  Press the Save button to save your settings.

Reset.  Press the Reset button to revert settings to their defaults.

2.6.3.2. Interface policies

The second section shows the currently active interfaces and their log and policy settings.

Figure 2.44. Interface policies

For each interface there are several settings; the first, and most important, is the policy.

There are three policies:

Open.  This opens an interface to interfaces of equal or lower security. It also opens access to IPCop services.

Half-open.  This opens access to IPCop services.

Closed.  Fully closes an interface. If access is needed from a "closed" interface a rule must be specifically created.

Note

There is no half-open policy for Orange.

There is only a closed policy for Red.

Logging.  With a simple click it is possible to disable logging on an interface. (This avoids filling your hard disk with log entries for blocked 'attacks' from the Internet.)

Click the checkbox again to enable logging.

Default Deny action.  Reject or Drop.

The advice is to use Drop for Red, and Reject for all other interfaces.

Drop silently discards a packet. Reject refuses a packet and sends an ICMP 'port unreachable' back to the sender.

You probably do not want to use Reject for packets coming from the Internet: every rejected packet produces a reply, which could potentially be used for DoS.

For internal interfaces using Reject is a good idea. A client gets an error message immediately and does not have to wait on a timeout.
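To make the interaction of policy, deny action and logging concrete, here is an added Python model of the rules described above. It is an illustration written for this page, not IPCop's own code. It assumes the trust ordering Green > Blue > Orange > Red (not stated on this page), renders the default deny as iptables commands (IPCop is iptables-based), and uses a hypothetical chain name "<IFACE>_POLICY" and constructed device names. The defaults from section 2.6.3.3 are used as sample input.

```python
"""Model of IPCop's per-interface policy, deny action and logging switch.

Added illustration, not IPCop's own code. Assumptions not stated on this
page: the trust ordering Green > Blue > Orange > Red, the iptables rendering
of the default deny (IPCop is iptables-based), the hypothetical chain name
"<IFACE>_POLICY", and the constructed device names in DEFAULTS.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed trust ordering: a higher number is a more secure interface.
SECURITY = {"RED": 0, "ORANGE": 1, "BLUE": 2, "GREEN": 3}
POLICIES = ("open", "half-open", "closed")


@dataclass
class InterfacePolicy:
    name: str                     # GREEN, BLUE, ORANGE or RED
    device: str                   # constructed device name, e.g. "eth0"
    policy: str = "open"          # one of POLICIES
    logging: bool = True          # the Logging checkbox
    deny_action: str = "Reject"   # "Reject" or "Drop"


def validate(iface: InterfacePolicy) -> None:
    """Enforce the constraints the page states for Orange and Red."""
    if iface.policy not in POLICIES:
        raise ValueError(f"unknown policy {iface.policy!r}")
    if iface.name == "ORANGE" and iface.policy == "half-open":
        raise ValueError("there is no half-open policy for Orange")
    if iface.name == "RED" and iface.policy != "closed":
        raise ValueError("there is only a closed policy for Red")


def is_allowed(src: InterfacePolicy, dst: str) -> bool:
    """Does the default policy let traffic arriving on src reach dst?

    dst is an interface name, or "IPCOP" for the firewall's own services.
    A False answer means an explicit firewall rule is required.
    """
    validate(src)
    if src.policy == "closed":
        return False
    if dst == "IPCOP":
        return True          # open and half-open both reach IPCop services
    if src.policy == "half-open":
        return False         # half-open reaches nothing beyond IPCop itself
    # open: interfaces of equal or lower security only
    return SECURITY[dst] <= SECURITY[src.name]


def default_deny_rules(iface: InterfacePolicy) -> list[str]:
    """Render the default deny for one interface as iptables commands.

    Logging is rate-limited so a flood from the Internet cannot fill the
    disk; Drop is silent, Reject answers with ICMP port unreachable.
    """
    validate(iface)
    chain = f"{iface.name}_POLICY"   # hypothetical chain name
    rules = []
    if iface.logging:
        rules.append(
            f"iptables -A {chain} -i {iface.device} -m limit --limit 10/minute "
            f"-j LOG --log-prefix '{iface.name} DENY: '"
        )
    if iface.deny_action == "Drop":
        target = "DROP"
    elif iface.deny_action == "Reject":
        target = "REJECT --reject-with icmp-port-unreachable"
    else:
        raise ValueError(f"unknown deny action {iface.deny_action!r}")
    rules.append(f"iptables -A {chain} -i {iface.device} -j {target}")
    return rules


# The defaults listed in section 2.6.3.3, with constructed device names.
DEFAULTS = {
    "GREEN": InterfacePolicy("GREEN", "eth0"),
    "BLUE": InterfacePolicy("BLUE", "eth1"),
    "ORANGE": InterfacePolicy("ORANGE", "eth2"),
    "RED": InterfacePolicy("RED", "eth3", policy="closed", deny_action="Drop"),
}


def reachability_matrix(ifaces: dict[str, InterfacePolicy]) -> dict[tuple[str, str], bool]:
    """Every (source, destination) pair under the given policies."""
    targets = list(ifaces) + ["IPCOP"]
    return {(s, d): is_allowed(ifaces[s], d) for s in ifaces for d in targets if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability_matrix(DEFAULTS).items()):
        print(f"{s:>6} -> {d:<6} {'allowed' if ok else 'needs a rule'}")
    for iface in DEFAULTS.values():
        print("\n".join(default_deny_rules(iface)))
```

Running the script prints the reachability matrix for the default configuration (Green reaches everything, Blue and Orange cannot reach more secure networks, Red reaches nothing without a rule) followed by the deny rules: Red ends in a silent DROP, the internal interfaces in a REJECT that answers with ICMP port unreachable, and each carries a rate-limited LOG rule as long as Logging is enabled. The rules are only rendered as strings, never executed.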

Address Filter.  If Address Filter control is enabled, only those clients that are on the Address Filter list have access, depending on policy.

Clients that are not enabled in the Address Filter list can only use DHCP and can open IPsec and/or OpenVPN tunnels.

If Address Filter control is not enabled, all clients have access, depending on policy.

This only applies if you have a Blue network interface installed.

Action.  Click on the Yellow Pencil icon to edit a policy.

2.6.3.3. Default settings

Green is the only Admin network interface enabled by default.

Red Interface has 'closed' as default policy. All other interfaces have 'open'.

Red Interface has 'Drop' as Deny Action. All other interfaces have 'Reject'.

Logging is active on all interfaces.

Address Filter control is active.