Firewall and gateway (new)

Note

This chapter describes the changes introduced by the Firewall application in the new Server Manager. Basic firewall behavior is unchanged and is described in Firewall and gateway.

Please note that some changes made in the new Server Manager may not be reflected in the old one.

General

Main differences from the old Server Manager:

  • the rules panel has been split into 3 different pages:
  • all pages use the Apply and revert behavior
  • smart search: on most panels the full text search can be used to quickly find existing rules or objects
  • advanced properties: when creating new rules, only the most common fields are shown. To show the less common parameters, click the Advanced label
  • raw address support: raw IP addresses (or CIDR subnets) can be used whenever a rule is created. Such raw addresses can later be converted to firewall objects using the Create Host and Create CIDR subnet actions, which appear next to the IP address
  • real-time charts: many pages have real-time charts displaying data from netdata. Since netdata is not installed by default, install it from the Software center to see them
  • list of active Connections

Apply and revert

Every time the configuration is changed, the modifications are not applied immediately but saved in a temporary store; the running firewall keeps enforcing the previous configuration. For the changes to take effect, click the Apply button at the top right corner of the page.

As long as the changes have not been applied, you can discard all of them by clicking the Revert button at the top right corner of the page.

Dashboard

The dashboard displays the local firewall network topology along with the number of established connections, the count of configured objects and the list of active services.

WAN

All red interfaces are listed at the top of the page, just below the bandwidth usage charts. Download and upload bandwidth can be measured automatically with the Speedtest button. Each red network interface can also be enabled or disabled directly from the list.

To change WAN mode and link monitoring options click on Configure button.

Rules can be created under the Rules section on the same page. After creating or editing rules, make sure to apply the changes.

Traffic shaping

Traffic shaping classes are used to commit bandwidth to specific network traffic. For each class the bandwidth can be specified as a percentage of the available network bandwidth or as an absolute value expressed in kbps.

By default, a traffic shaping class is applied to all red network interfaces. To change this, select a specific red interface under the Bind to menu inside the Advanced section. Bound classes and bandwidth expressed in kbps are not usable from the old Server Manager.
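The example below is added here and is not NethServer code. It resolves a constructed set of shaping classes (percentage or absolute kbps, optionally bound to one red interface) against constructed per-interface bandwidths, standing in for what Speedtest would measure, and reports where the committed bandwidth exceeds the link. Modelling commitments separately for download and upload, and treating the configured value as a guaranteed minimum, are assumptions made for the example.

```python
# Added example, not NethServer code. Per-direction commitments and the
# interpretation of the class value as a guaranteed minimum are assumptions.

# Constructed link bandwidths in kbps (what Speedtest would report).
RED_INTERFACES = {
    "eth1": {"down": 100000, "up": 20000},   # fast primary WAN
    "eth2": {"down": 10000, "up": 2000},     # slow backup WAN
}

# Constructed classes: "10%" is a share of the link, "3000" is absolute kbps.
# A class without "bind" applies to every red interface, as the page describes.
CLASSES = [
    {"name": "voip",   "down": "10%",  "up": "10%"},
    {"name": "backup", "down": "3000", "up": "3000"},
    {"name": "crm",    "down": "50%",  "up": "20%", "bind": "eth1"},
]

# Same set, with the absolute-kbps class bound to the interface that can carry it.
CLASSES_FIXED = [dict(c, bind="eth1") if c["name"] == "backup" else c for c in CLASSES]


def resolve_kbps(spec, link_kbps):
    """Turn a class value into kbps for one link: percentages scale with the
    link, absolute values do not (so they can exceed a slow link)."""
    spec = str(spec).strip()
    if spec.endswith("%"):
        pct = float(spec[:-1])
        if not 0 <= pct <= 100:
            raise ValueError(f"percentage out of range: {spec}")
        return link_kbps * pct / 100
    kbps = float(spec)
    if kbps < 0:
        raise ValueError(f"negative bandwidth: {spec}")
    return kbps


def commitments(classes, interfaces):
    """Total committed kbps per interface and direction."""
    totals = {name: {"down": 0.0, "up": 0.0} for name in interfaces}
    for cls in classes:
        targets = [cls["bind"]] if "bind" in cls else list(interfaces)
        for iface in targets:
            for direction in ("down", "up"):
                totals[iface][direction] += resolve_kbps(
                    cls[direction], interfaces[iface][direction])
    return totals


def overcommitted(classes, interfaces):
    """(interface, direction) pairs whose commitments exceed the measured link."""
    totals = commitments(classes, interfaces)
    return [(iface, d) for iface in interfaces for d in ("down", "up")
            if totals[iface][d] > interfaces[iface][d]]


if __name__ == "__main__":
    for iface, t in commitments(CLASSES, RED_INTERFACES).items():
        print(f"{iface}: down {t['down']:.0f} kbps, up {t['up']:.0f} kbps")
    print("over-committed:", overcommitted(CLASSES, RED_INTERFACES))
    print("after binding backup to eth1:", overcommitted(CLASSES_FIXED, RED_INTERFACES))
```

The point the numbers make: the 3000 kbps class is harmless on eth1 but, applied to all red interfaces, it alone exceeds the 2000 kbps upload of eth2. Binding it with Bind to removes the over-commit; a percentage would have scaled down with the slower link.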

Rules can be created under the Rules section on the same page. After creating or editing rules, make sure to apply the changes.

SNAT

SNAT is available only if at least one IP alias is configured on a red network interface. See also SNAT 1:1.

Objects

The Firewall objects page offers the same features as the old Server Manager.

Port forward

Port forwards are grouped by destination host and accept raw IP addresses as well as firewall objects.

The following protocols are supported only in the new Server Manager:

  • AH
  • ESP
  • GRE

AH, ESP and GRE carry no port numbers, so a forward for one of these protocols matches on the IP protocol alone. For more information on port forwarding, see the old Server Manager.

Rules

This page manages the rules applied only to network traffic traversing the firewall. To create rules for traffic from or to the firewall itself, see Local rules.

A rule consists of five main parts:

  • Source
  • Destination
  • Service (optional)
  • Action
  • Time condition (optional)

Available actions are:

  • ACCEPT: accept the network traffic
  • REJECT: block the traffic and notify the sender host, which sees the connection refused immediately
  • DROP: block the traffic silently; packets are discarded and no notification is sent, so the sender only sees a timeout

Rules support raw IP addresses and two extra zones:

  • ivpn: all traffic from IPsec VPNs
  • ovpn: all traffic from OpenVPN VPNs

Both zones are available only if the VPN application is installed. Rules using these zones can't be modified from the old Server Manager.
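The following is an added example, not NethServer code, that models the five rule parts listed above together with raw IP/CIDR endpoints and the ivpn/ovpn zones, and evaluates constructed packets against a constructed rule set. Rules are evaluated in list order with the first match winning, traffic matching no rule falls back to a policy action, and the zone networks are invented for the example; none of these details are stated on this page. IPv4 only.

```python
# Added example, not NethServer code. First-match ordering, the fallback policy
# and the zone networks are assumptions for the example. IPv4 only.
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress
from typing import Optional

# Hypothetical zone layout (constructed): zone name -> networks it contains.
ZONES = {
    "green": [ipaddress.ip_network("192.168.1.0/24")],
    "ivpn": [ipaddress.ip_network("10.10.0.0/24")],   # IPsec clients
    "ovpn": [ipaddress.ip_network("10.20.0.0/24")],   # OpenVPN clients
}

@dataclass
class Service:
    proto: str                  # "tcp", "udp", "icmp" or "any"
    ports: tuple = ()           # destination ports; empty means any port

@dataclass
class Rule:
    src: str                    # "any", a zone name, or a raw IP/CIDR
    dst: str
    action: str                 # "ACCEPT", "REJECT" or "DROP"
    service: Optional[Service] = None
    time_window: Optional[tuple] = None   # (start, end) as datetime.time, inclusive

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    when: datetime = datetime(2024, 1, 15, 10, 0)

def networks(spec):
    """Expand an endpoint spec into the networks it denotes."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec in ZONES:
        return ZONES[spec]
    return [ipaddress.ip_network(spec, strict=False)]   # raw IP or CIDR

def endpoint_matches(spec, address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks(spec))

def service_matches(service, packet):
    if service is None or service.proto == "any":
        return True
    if service.proto != packet.proto:
        return False
    return not service.ports or packet.dport in service.ports

def time_matches(window, when):
    if window is None:
        return True
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end   # window that crosses midnight

def evaluate(rules, packet, policy="DROP"):
    """Return (action, index of the matching rule); the first match wins.
    When no rule matches, the fallback policy applies and the index is None."""
    for i, rule in enumerate(rules):
        if (endpoint_matches(rule.src, packet.src) and endpoint_matches(rule.dst, packet.dst)
                and service_matches(rule.service, packet) and time_matches(rule.time_window, packet.when)):
            return rule.action, i
    return policy, None

def covers(broad, narrow):
    """True when every network of `narrow` lies inside some network of `broad`."""
    return all(any(n.subnet_of(b) for b in networks(broad)) for n in networks(narrow))

def service_covers(broad, narrow):
    if broad is None or broad.proto == "any":
        return True
    if narrow is None or narrow.proto != broad.proto:
        return False
    return not broad.ports or (bool(narrow.ports) and set(narrow.ports) <= set(broad.ports))

def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule without a
    time condition already covers their source, destination and service."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.time_window is None and covers(earlier.src, later.src)
                    and covers(earlier.dst, later.dst) and service_covers(earlier.service, later.service)):
                out.append(j)
                break
    return out

# Constructed rule set. Rule 2 is unreachable: rule 1 already drops everything
# from green to 203.0.113.0/24, so the per-host exception would have to precede it.
RULES = [
    Rule("ovpn", "green", "ACCEPT", Service("tcp", (22,))),
    Rule("green", "203.0.113.0/24", "DROP"),
    Rule("192.168.1.50", "203.0.113.10", "ACCEPT", Service("tcp", (443,))),
    Rule("green", "any", "ACCEPT", Service("tcp", (80, 443)), (time(8, 0), time(18, 0))),
    Rule("any", "any", "REJECT"),
]

# Constructed packets: VPN client to LAN, LAN host to the dropped subnet,
# LAN web traffic inside and then outside the time window.
SAMPLE_PACKETS = [
    Packet("10.20.0.5", "192.168.1.10", "tcp", 22),
    Packet("192.168.1.50", "203.0.113.10", "tcp", 443),
    Packet("192.168.1.20", "93.184.216.34", "tcp", 443),
    Packet("192.168.1.20", "93.184.216.34", "tcp", 443, datetime(2024, 1, 15, 22, 0)),
]

def run_demo():
    return [evaluate(RULES, p) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    for p, (action, idx) in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport} at {p.when:%H:%M}: {action} (rule {idx})")
    print("shadowed rules:", shadowed_rules(RULES))
```

The shadowing check is the part worth keeping around: a raw-address exception placed after a broader zone or CIDR rule is silently dead, and the page's smart search will not tell you that. The check is conservative (it ignores rules with a time condition), so a rule it reports is certainly unreachable, while one it does not report may still be.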

Policies

To display the active policies, click the Policies button. Policies are the default actions applied to traffic that matches no rule, and they are affected by changes made on the Settings page.

Local rules

This page manages the rules applied only to network traffic generated by the firewall or directed to the firewall itself. The configuration is the same as on the Rules page.

Connections

This page lists all active connections. Connections can be filtered by Protocol and State. The list is not refreshed in real time; to list new connections, click the Refresh button.

The administrator can delete a single connection or flush the whole connection tracking table with the Delete all connections button. Flushing discards the state of every tracked flow, including NAT mappings, so existing sessions through the firewall may be interrupted.
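The example below is added here and is not NethServer code. It parses connection tracking entries in the text format printed by the `conntrack -L` command from conntrack-tools, applies the Protocol and State filters the Connections page offers, and compares the original and reply tuples of each entry to tell NATed flows from plain routed ones. That the page reads the same kernel table the CLI prints is an assumption; the entries are constructed, not captured from a real system.

```python
# Added example, not NethServer code. The `conntrack -L` line format is the one
# printed by conntrack-tools; the entries below are constructed.
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=52344 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=52344 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=192.168.1.10 dst=192.168.1.1 sport=40000 dport=22 src=192.168.1.1 dst=192.168.1.10 sport=22 dport=40000 [ASSURED] mark=0 use=1
tcp      6 29 SYN_SENT src=192.168.1.22 dst=198.51.100.7 sport=51000 dport=25 [UNREPLIED] src=198.51.100.7 dst=203.0.113.5 sport=25 dport=51000 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=9.9.9.9 sport=54321 dport=53 src=9.9.9.9 dst=203.0.113.5 sport=53 dport=54321 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.1.10 dst=192.168.1.1 type=8 code=0 id=1234 src=192.168.1.1 dst=192.168.1.10 type=0 code=0 id=1234 mark=0 use=1
"""


def parse_conntrack_line(line):
    """Parse one entry: protocol name and number, timeout, optional state,
    original tuple, reply tuple, bracketed flags, mark and use count."""
    tokens = line.split()
    entry = {"proto": tokens[0], "protonum": int(tokens[1]), "timeout": int(tokens[2]),
             "state": None, "orig": {}, "reply": {}, "flags": [], "mark": 0, "use": 0}
    rest = tokens[3:]
    # TCP entries carry a state word before the tuples; UDP and ICMP entries do not.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        key, value = tok.split("=", 1)
        value = int(value) if value.isdigit() else value
        if key in ("mark", "use"):
            entry[key] = value
        else:
            # The first occurrence of a key belongs to the original direction,
            # the second to the reply direction.
            side = entry["reply"] if key in entry["orig"] else entry["orig"]
            side[key] = value
    return entry


def parse_conntrack_table(text):
    return [parse_conntrack_line(line) for line in text.splitlines() if line.strip()]


def filter_connections(entries, proto=None, state=None):
    """The Protocol and State filters of the Connections page; None means no filter."""
    return [e for e in entries
            if (proto is None or e["proto"] == proto)
            and (state is None or e["state"] == state)]


def nat_kind(entry):
    """A rewritten source shows up as a reply destination that differs from the
    original source (SNAT); a rewritten destination as a reply source that differs
    from the original destination (DNAT, i.e. a port forward). None if unchanged."""
    kinds = []
    if entry["reply"].get("dst") != entry["orig"].get("src"):
        kinds.append("SNAT")
    if entry["reply"].get("src") != entry["orig"].get("dst"):
        kinds.append("DNAT")
    return "+".join(kinds) or None


ENTRIES = parse_conntrack_table(CONNTRACK_SAMPLE)

if __name__ == "__main__":
    for e in filter_connections(ENTRIES, proto="tcp"):
        o = e["orig"]
        print(f"{e['proto']} {e['state']:<12} {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']}"
              f" timeout={e['timeout']} nat={nat_kind(e)} flags={e['flags']}")
    print("unreplied:", [e["orig"]["dst"] for e in ENTRIES if "UNREPLIED" in e["flags"]])
```

Two things the parsed fields show that the page's list does not spell out: UDP and ICMP entries have no state at all, so a State filter only ever narrows TCP flows, and an `[UNREPLIED]` entry with a large remaining timeout is a half-open attempt that still occupies a slot in the table, which is what makes the table fill up under a SYN flood.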

Settings

This page holds global settings that affect the behavior of the whole firewall, such as MAC validation. When the Traffic to Internet (red interface) option is changed, the modification is reflected in the Policies section.