Firewall

NethServer can act as firewall and gateway inside the network where it is installed. All traffic between computers on the local network and the Internet passes through the server that decides how to route packets and what rules to apply. Firewall mode is enabled only if the system has at least one network interface configured with red role.

The Firewall application can be installed from Centro de software and includes:

  • Multi WAN support up to 15 connections

  • Gestión de reglas de firewall

  • Conformación del tráfico (QoS)

  • Reenvío de puertos

  • Reglas de enrutamiento para desviar tráfico en una WAN específica

  • Inspección profunda de paquetes (DPI, Deep Packet Inspection)

  • Smart search to quickly find existing rules or objects

  • Real time charts

Real time charts display traffic and service statistics collected by Netdata. To avoid performance penalty on slow hardware, Netdata is not part of the firewall application and can be installed from Centro de software.

Apply and revert

Every time the firewall configuration has been changed, modifications are not applied immediately but saved in a temporary store. For the changes to take effect, click on the Apply button at the top right corner of the page.

As long as the new rules created have not been applied, you can revert all changes by clicking the Revert button at the top right corner of the page.

Política

Cada interfaz se identifica con un color que indica su función dentro del sistema. Véase red-sección.

Cuando un paquete de red pasa a través de una zona de cortafuegos, el sistema evalúa una lista de reglas para decidir si el tráfico debe ser bloqueado o permitido. Políticas son las reglas predeterminadas que se aplicarán cuando el tráfico de red no coincide con los criterios existentes.

Las políticas de firewall permiten el tráfico entre zonas según este esquema:

GREEN -> BLUE -> ORANGE -> RED

El tráfico se permite de izquierda a derecha, bloqueado de derecha a izquierda.

To display the list of active policies click on the Policies button inside the Rules page.

Policies can be changed by creating specific rules between zones from the Rules page or by accessing the Traffic to Internet section inside the Settings page.

Settings

In this section you can change standard firewall behavior.

Traffic to Internet

The default firewall policy allows all traffic from green to red interfaces (Internet). To change the default policy for Internet access, enable or disable the Traffic to Internet (red interface) option. If disabled all traffic from green to red network is blocked. Specific traffic can be allowed creating rules from Rules page.

Traffic between VPNs

By default traffic between different VPN tunnels is not allowed, but sometimes you would need to allow it like when a OpenVPN roadwarrior client should reach a remote resource behind an IPsec tunnel. To permit traffic between VPNs, just enable the Traffic between OpenVPN roadwarrior, OpenVPN tunnels and IPSec tunnels option. Extra block rules can be created from Rules page to customize the network access between VPN zones.

Ping from Internet

Allows NethServer to answer ICMP requests from red interfaces (Internet).

Hairpin NAT

By default, all port forwards are available only for hosts inside the WAN. When Hairpin NAT is active, hosts on the local zones will be able to reach forwarded ports using both public and private firewall IP addresses.

Whenever possible it is recommended to avoid enabling this option and correctly configure split DNS to resolve service names inside the LAN.

If hair-pinning is still required, check the Enable hairpin NAT option.

Nota

This functionality requires NethServer to have a public IP address on the red interface.

Application Layer Gateway (ALG)

Application layer gateways handle dynamic firewall rules for certain protocols. Many ALGs are enabled by default on NethServer, to allow some protocols (such as FTP, SIP, etc) to operate through NAT. ALGs inspect and rewrite specific network packets and automatically open required ports.

Enable SIP-ALG and H.323-ALG

Some PBXs may not work properly with SIP-ALG and H.323-ALG. In case of audio and call problems with your PBX or your VoIP client try to disable them.

Enlace IP/MAC

The firewall can use the list of DHCP reservations to strictly check all traffic generated from hosts inside local networks. DHCP server should could be disabled but the administrator must still create reservations to associate the IP with a MAC address. See Servidor DHCP y PXE for more details.

When IP/MAC binding is enabled, the administrator will choose what policy will be applied to hosts without a DHCP reservation. The common use is to allow traffic only from known hosts and block all other traffic. In this case, hosts without a reservation will not be able to access the firewall nor the external network.

Para habilitar el tráfico sólo desde hosts bien conocidos, siga estos pasos:

  1. Crear una reserva DHCP para un host

  2. Vaya a la página Reglas firewall y seleccione Configurar en el menú de botones

  3. Seleccione Validación MAC (enlace IP/MAC)

  4. Choose Block traffic as the policy to apply to unregistered hosts

Nota

Remember to create at least one DHCP reservation before enabling the IP/MAC binding mode, otherwise, no hosts will be able to manage the server using the web interface or SSH.

Reglas

Rules apply to all traffic passing through the firewall. When a network packet moves from one zone to another, the system looks among configured rules. If the packet matches a rule, the rule is applied.

Nota

El orden de la regla es muy importante. El sistema siempre aplica la primera regla que coincide.

A rule consists of five main parts:

  • Acción

  • Fuente

  • Destino

  • Service (optional)

  • Time condition (optional)

Las acciones disponibles son:

  • ACCEPT: acepta el tráfico de red

  • REJECT: bloquea el tráfico y notifica al host remitente

  • DROP: bloquea el tráfico, los paquetes se eliminan y no se envía ninguna notificación al host del remitente

Source and destination fields accept built-in roles, Objetos del cortafuego and raw IPv4 addresses or CIDR. Such raw addresses can be later converted to firewall objects using the Create Host and Create CIDR subnet actions which will appear next to the address itself.

If VPN application is installed, there are also two extra zones available:

  • ivpn: all traffic from IPSec VPNs

  • ovpn: all traffic from OpenVPN VPNs

The configuration of firewall rules is split into two different pages:

  • Rules: manage rules applied only to the network traffic traversing the firewall.

  • Local rules: manage rules applied only to the network traffic generated from the firewall, or directed to the firewall itself.

When creating new rules, only the most common fields are shown. To show other less common parameters click the Advanced label.

Nota

If no red interface has been configured, the firewall will not generate rules for blue and orange zones.

REJECT vs DROP

As a general rule, you should use REJECT when you want to inform the source host that the port which it is trying to access is closed. Usually, the rules on the LAN side can use REJECT.

For connections from the Internet, it is recommended to use DROP, in order to minimize the information disclosed to any attacker.

Registro

When a rule matches the ongoing traffic, it’s possible to register the event on a log file by checking the option from the web interface. Firewall log is saved in /var/log/firewall.log file. The log can be inspected from the command line or using the Logs page.

Inspección profunda de paquetes (DPI, Deep Packet Inspection)

Deep Packet Inspection (DPI) is an advanced packet filtering technique.

When the DPI module is active, new items for the Service field are available in the Edit rule form. Those items are labeled DPI protocol, among the usual network service and service object items.

The DPI module uses the nDPI library which can identify around 250 types of network traffic split in network protocols (eg. OpenVPN, DNS) and web applications (eg. Netflix, Spotify).

Firewall rules using DPI services are generated inside the mangle table, for this reason such rules have some limitations:

  • reject action is not supported, use drop to block traffic

  • any and firewall can’t be used as source or destination

  • route to provider X action is not supported: the identification of the protocol often begins after the connection has been already established, so the routing decision can’t be changed

Even if DPI can identify traffic to/from specific web sites such as Facebook, it is better suited to block or shape protocols like VPN, FTP, etc. Web site access should be regulated using Proxy web.

Note that some DPI protocols (such as Amazon) can match large CDNs, so please do not block such protocols using DPI rules unless you want to prevent access to thousands of sites.

DPI markers are automatically applied also to the traffic which originates from the firewall itself, like HTTP traffic from the web proxy.

The complete list of DPI protocols, along with counters for matched traffic, is available inside the DPI page under the Status category on the left menu.

Rules on existing connections

When a new rule is created, as default, it is applied only to new connections. But in some scenarios, the administrator may need to apply the rule also on established connections.

If the option Apply to existing connections is enabled, the rule will be applied to all connections including already established ones.

Ejemplos

A continuación hay algunos ejemplos de reglas.

Bloquear todo el tráfico de DNS de la LAN a Internet:

  • Acción: REJECT

  • Fuente: verde

  • Destino: rojo

  • Servicio: DNS (puerto UDP 53)

Permitir que la red de invitados tenga acceso a todos los servicios que escuchan en Servidor1

  • Acción: ACCEPT

  • Fuente: azul

  • Destino: Servidor1

  • Servicio: -

WAN

The term WAN (Wide Area Network) refers to a public network outside the server, usually connected to the Internet. A provider is the company that actually manages the WAN link.

All WAN network interfaces are labeled with the red role and are listed on the top of the page, just below bandwidth usage charts. Rules can be created under the Rules section on the same page.

If the server has two or more configured red interfaces, it is required to correctly fill, Download bandwidth and Upload bandwidth fields from the Network page. Download and upload bandwidth can be automatically calculated using the Speedtest button.

Each provider represents a WAN connection and is associated with a network adapter. Each provider defines a weight: the higher the weight, the higher the priority of the network card associated with the provider.

The system can use WAN connections in two modes:

  • Balance: todos los proveedores se utilizan simultáneamente según su peso

  • Activar copia de seguridad: los proveedores se utilizan uno a uno al vuelo con el que tiene el peso más alto. Si el proveedor que está utilizando pierde su conexión, todo el tráfico se desviará al proveedor siguiente.

Para determinar el estado de un proveedor, el sistema envía un paquete ICMP (ping) a intervalos regulares. Si el número de paquetes perdidos excede un determinado umbral, el proveedor está deshabilitado.

El administrador puede configurar la sensibilidad de la supervisión mediante los siguientes parámetros:

  • Porcentaje de paquetes perdidos

  • Número de paquetes perdidos consecutivos

  • Intervalo en segundos entre paquetes enviados

To change WAN mode and link monitoring options click on Configure button.

The network traffic can be routed to specific WANs by creating rules inside the Rules section on this page. After creating or editing rules, make sure to apply the changes. See Apply and revert for details.

Ejemplo

Dados dos proveedores configurados:

  • Proveedor1: interfaz de red eth1, peso 100

  • Proveedor2: interfaz de red eth0, peso 50

Si se selecciona el modo equilibrado, el servidor encaminará un número doble de conexiones en Proveedor1 sobre Proveedor2.

Si se selecciona el modo de copia de seguridad activa, el servidor enrutará todas las conexiones en Proveedor1; Sólo si Proveedor1 se vuelve inasequible las conexiones se redirigirán a Proveedor2.

Reenviar puerto

The firewall blocks requests from public networks to private ones. For example, if a web server is running inside the LAN, only computers on the local network can access the service in the green zone. Any request made by a user outside the local network is blocked.

Para permitir que cualquier usuario externo acceda al servidor web, debe crear una remisión de puerto. Una remisión de puerto es una regla que permite un acceso limitado a los recursos desde fuera de la LAN.

Al configurar el servidor, debe elegir los puertos de escucha. El tráfico de las interfaces rojas se redireccionará a los puertos seleccionados. En el caso de un servidor web, los puertos de escucha son generalmente el puerto 80 (HTTP) y 443 (HTTPS).

Cuando cree un puerto hacia adelante, debe especificar al menos los siguientes parámetros:

  • El puerto fuente

  • El puerto de destino, que puede ser diferente del puerto de origen

  • The network protocol like TCP, UDP, TCP & UDP, AH, ESP or GRE

  • La dirección del host interno al que se debe redirigir el tráfico

  • It’s possible to specify a port range using a colon as the separator in the source port field (eg: 1000:2000), in this case, the destination port field must be left empty

Port forwards are grouped by destination host and support raw IP addresses along with firewall objects.

By default, all port forwards are available only for hosts inside the WAN, see Hairpin NAT to change such behavior.

Ejemplo

Dado el siguiente escenario:

  • Servidor interno con IP 192.168.1.10, denominado Servidor1

  • Servidor Web escuchando en el puerto 80 en Servidor1

  • Servidor SSH escuchando en el puerto 22 en Servidor1

  • Other services in the port range between 5000 and 6000 on Server1

Si desea que el servidor web esté disponible directamente desde redes públicas, debe crear una regla como esta:

  • puerto de origen: 80

  • puerto de destino: 80

  • Dirección del host: 192.168.1.10

All incoming traffic on the firewall’s red interfaces on port 80, will be redirected to port 80 on Server1.

En caso de que quiera hacer accesible desde fuera del servidor SSH en el puerto 2222, tendrá que crear un puerto hacia adelante de esta manera:

  • puerto de origen: 2222

  • puerto de destino: 22

  • Dirección del host: 192.168.1.10

All incoming traffic on the firewall’s red interfaces on port 2222, will be redirected to port 22 on Server1.

In case you want to make accessible from outside the server on the whole port range between 5000 and 6000, you will have to create a port forward like this:

  • Puerto de origen: 5000:6000

  • puerto de destino:

  • Dirección del host: 192.168.1.10

All incoming traffic on the firewall’s red interfaces on the port range between 5000 and 6000 will be redirected to the same ports on Server1.

Limitar el acceso

By default, the field access to port forward is granted to anyone. You can restrict access to port forward only from some IP addresses or networks by adding entries to Restrict access to field. This configuration is useful when services should be available only from trusted IPs or networks.

Example of valid entries:

  • 10.2.10.4: habilitar el puerto hacia adelante para el tráfico procedente de la IP 10.2.10.4

  • 10.2.10.0/24: habilita el reenvío del puerto sólo para el tráfico procedente de la red 10.2.10.0/24

SNAT 1:1

One-to-one source NAT (SNAT) is a way to make systems behind a firewall and configured with private IP addresses appear to have public IP addresses. If you have a bunch of public IP addresses and if you want to associate one of these to a specific network host, NAT 1:1 is the way. SNAT is available only if there is at least one IP alias configured on red network interfaces.

This feature only applies to network traffic from a host inside the local network to the public Internet. It does not affect in any way the traffic from the Internet toward the alias IP. If you need to route some specific traffic to the internal host use the port forward as usual.

Si necesitas enrutar todo el tráfico hacia el host de la red interna (no recomendado), utiliza un reenvío de puertos con protocolos TCP/UDP y puerto de entrada 1:65535

Ejemplo

In our network we have a host called example_host with IP 192.168.5.122. We have also associated a public IP address 89.95.145.226 as an alias of eth0 interface (RED).

Queremos mapear nuestro host interno (example_host - 192.168.5.122) con IP pública 89.95.145.226.

En el panel NAT 1:1, elegimos para el IP``89.95.145.226`` (campo de sólo lectura) el host específico (example_host) del cuadro combinado. Hemos configurado correctamente el NAT de uno a uno para nuestro host.

Conformación del tráfico

Traffic shaping allows applying priority rules on network traffic through the firewall. In this way, it is possible to optimize the transmission, control the latency and tune the available bandwidth.

To enable traffic shaping it is necessary to know the exact amount of available download and upload bandwidth. Access the Network page and carefully set bandwidth values.

If download and upload bandwidth are not set for a red interface, traffic shaping rules will not be enabled for that interface.

Nota

Be sure to specify an accurate estimate of the bandwidth on network interfaces. To pick an appropriate setting, please do not trust the nominal value, but use the Speedtest button or online tools to test the real provider speed.

In case of congestion by the provider, there is nothing to do in order to improve performance.

Traffic shaping classes are used to commit bandwidth for specific network traffic. Configuration of traffic shaping is composed of 2 steps:

  • creation of traffic shaping classes

  • assignment of network traffic to a specific class

Classes

Traffic shaping is achieved by controlling how bandwidth is allocated to classes.

Each class can have a reserved rate. A reserved rate is the bandwidth a class will get only when it needs it. The spare bandwidth is the sum of not committed bandwidth, plus the committed bandwidth of a class but not currently used by the class itself.

Each class can have also a maximum rate. If set, the class can exceed its committed rate, up to the maximum rate. A class will exceed its committed rate only if there is spare bandwidth available.

Traffic shaping classes can be defined under Traffic shaping page. When creating a new class, fill the following fields.

  • Class name: a representative name

  • Description: optional description for the class

Limits under Download bandwidth limits section:

  • Min: minimum reserved download bandwidth, if empty no download reservation will be created

  • Max: maximum allowed download bandwidth, if empty no upper limit will be set

Limits under Upload bandwidth limits section:

  • Min: minimum reserved upload bandwidth, if empty no upload reservation will be created

  • Max: maximum allowed download bandwidth, if empty no upper limit will be created

For each class the bandwidth can be specified using the percentage of available network bandwidth or with absolutes values expressed in kbps. As default, a traffic shaping class is applied to all red network interfaces. Such behavior can be changed by selecting an existing red interfaces under the Bind to menu inside the Advanced section.

The system provides two pre-configured classes:

  • high: generic high priority traffic, can be assigned to something like SSH

  • low: low priority traffic, can be assigned to something like peer to peer file exchange

The system always tries to prevent traffic starvation under high network load.

Classes will get spare bandwidth proportionally to their committed rate. So if class A has 1Mbit committed rate and class B has 2Mbit committed rate, class B will get twice the spare bandwidth of class A. In all cases, all spare bandwidth will be given to them.

Network traffic can be shaped by creating rules under the Rules section in this page. After creating or editing rules, make sure to apply the changes.

For more info, see FireQOS tutorial.

Objetos del cortafuego

Los Objetos del cortafuego son representaciones de componentes de red y son útiles para simplificar la creación de reglas.

Hay 6 tipos de objetos, 5 de ellos representan fuentes y destinos:

  • Host: representing local and remote computers. Example: web_server, goofy_pc

  • Groups of hosts: representing homogeneous groups of computers. Hosts in a host group should always be reachable using the same interface. Example: servers, router

  • IP ranges: a list of IP addresses expressed as a range. Example: myrange, composed by IPs from 192.168.1.100 to 192.168.1.120

  • CIDR Networks: you can express a CIDR network in order to simplify firewall rules.

    Example 1 : last 14 IP addresses of the network are assigned to servers (192.168.0.240/28). Example 2 : you have multiple green interfaces but you want to create firewall rules only for one green (192.168.2.0/24).

  • Zone: representing networks of hosts, they must be expressed in CIDR notation. Their intended usage is for defining a part of a network with different firewall rules from those of the nominal interface. They are used for very specific needs.

    Nota

    De forma predeterminada, todos los hosts pertenecientes a una zona no pueden realizar ningún tipo de tráfico. Es necesario crear todas las reglas en el cortafuegos para obtener el comportamiento deseado.

  • Time conditions: can be associated to firewall rules to limit their effectiveness to a given period of time.

    Nota

    Las reglas que tienen condiciones de tiempo se aplican sólo para nuevas conexiones. Ejemplo: si está bloqueando conexiones HTTP de 09:00 a 18:00, las conexiones establecidas antes de las 09:00 serán permitidas hasta que se cierre. Cualquier nueva conexión después de las 09:00 será eliminada.

  • Services: a service listening on a host with at least one port and protocol. Example: ssh, https

  • MAC addresses: a host identified by a MAC address. The MAC address must be bound to an existing zone.

Al crear reglas, puede utilizar los registros definidos en DNS y Servidor DHCP y PXE como objetos host. Además, cada interfaz de red con un rol asociado se lista automáticamente entre las zonas disponibles.

Connections

This page keeps track of all active connections. Connections can be filter by Protocol and State. The list of connections is not refreshed in real time. To list new connections click the Refresh button.

The administrator can delete a single connection or flush the whole connection tracking table using Delete all connections button.