Firewall

Overview

In computing, a firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed to be neither secure nor trusted.

Like many commercial stateful firewall appliances, RansNet Appliances use the iptables/netfilter packet-filtering engine built into the Linux kernel, together with proprietary software, to enforce perimeter defence for customer networks. The key functions of the RansNet Appliance firewalling capabilities are:

  • stateful packet inspection
  • access control
  • IP address translation

With RansNet Appliances, all of the commonly used firewall rule types listed below can be configured:

  • Firewall-Access,
  • Firewall-Input,
  • Firewall-Dnat,
  • Firewall-Snat,
  • Firewall-Set, and
  • Firewall-Limit

There are a few key terms to understand before configuring the firewall.

firewall-input. Permits or denies access to services running on the mbox itself (e.g. SSH, HTTP). Because these services are the management plane of the appliance, restrict them to trusted management sources rather than permitting them from any address.

firewall-access. Permits or denies traffic passing through the mbox (e.g. from inside to outside). Firewall-access rules have three important behaviours:

  • When a packet reaches a firewall interface (from inside or outside), the stateful firewall first checks whether the packet belongs to an existing session. If it does, the packet is permitted automatically; if not, processing continues with the routing table, access rules, address translation rules and so on.
  • Any packet that neither belongs to an existing session nor is explicitly permitted by an access rule is DROPPED (implicit deny).
  • Rules are checked in top-down sequence, and once a rule matches no further rules are evaluated. Putting the most frequently matched rules at the top improves performance, but order is also policy: a broad permit placed above a narrower deny shadows that deny, so check the sequence whenever a rule is inserted.

firewall-dnat (changes the destination address of IP packets). This is typically used to provide access from the Internet to internal hosts: the mbox rewrites the packet's destination header (address or port number) as the packet passes through (typical inbound access). There are two main scenarios:

  • Static NAT. One public IP is translated one-to-one to one internal IP. Typically used for DMZ servers.
  • Port forwarding. One public IP is shared by several internal hosts, each reachable through a different protocol or port number.

firewall-snat (changes the source address of IP packets). This is typically used to provide access from the inside/private network to the Internet: the mbox rewrites the packet's source header (address or port number) as the packet passes through (typical outbound access). The common implementation is also called Port Address Translation (PAT): all internal hosts are translated to a single public IP (the WAN interface address) and individual connections are distinguished by source port number.

firewall-set (manipulates packet header fields). This is typically used for QoS/traffic-shaping purposes: certain header fields of the packet are marked for further processing by QoS rules or policy-based routing.

It is important to note that firewall-dnat/snat/set rules only change packet headers. For a packet to pass through a RansNet Appliance it must still be permitted by an access rule, so firewall-dnat/snat/set rules must always be used together with access rules.

firewall-limit. The mbox can limit packets passing through the device to a chosen rate, to suppress overloaded connections or to mitigate volumetric DDoS attacks. The simplest mitigation is to limit bandwidth per host or per connection so that traffic flowing in, or towards a target destination, cannot overwhelm it. Note that a limit enforced on the appliance protects the hosts and sessions behind it; it cannot relieve a flood that has already saturated the upstream WAN link, which has to be filtered further upstream.
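
One way to model the per-host limit that firewall-limit describes, as an added example in Python (this is not RansNet or mbox code; the page does not say how the limit is implemented, so the token-bucket mechanism, the rate/burst parameters, the function names and the sample traffic are all assumptions):

```python
"""Added example (not RansNet/mbox code): one token bucket per source address.
A host may send `rate` packets per second sustained plus a `burst` of slack;
packets arriving with no token available are dropped.  Fractions are used so
the arithmetic is exact; a kernel implementation would use integer counters."""
from collections import defaultdict
from fractions import Fraction


class HostLimiter:
    def __init__(self, rate, burst):
        self.rate, self.burst = Fraction(rate), Fraction(burst)
        self.tokens = {}  # src -> tokens currently available
        self.last = {}    # src -> time the host's last packet was seen

    def allow(self, src, now):
        """Return True if a packet from `src` at time `now` may pass."""
        now = Fraction(now)
        tokens = self.tokens.get(src, self.burst)          # new host starts with a full bucket
        elapsed = now - self.last.get(src, now)
        tokens = min(self.burst, tokens + elapsed * self.rate)  # refill, capped at burst
        self.last[src] = now
        if tokens >= 1:
            self.tokens[src] = tokens - 1
            return True
        self.tokens[src] = tokens                          # no token: drop, keep the balance
        return False


def apply_limit(packets, rate=10, burst=20):
    """Run a time-ordered stream of (time, src) through the limiter.
    Returns {src: (allowed, dropped)} so the effect per host is visible."""
    lim = HostLimiter(rate, burst)
    counts = defaultdict(lambda: [0, 0])
    for t, src in sorted(packets, key=lambda x: x[0]):
        counts[src][0 if lim.allow(src, t) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed traffic: one host floods 1000 packets in one second, a normal
# client sends 5 packets per second for two seconds.
FLOOD = [(Fraction(i, 1000), "198.51.100.66") for i in range(1000)]
NORMAL = [(Fraction(i, 5), "192.168.1.20") for i in range(10)]

if __name__ == "__main__":
    for src, (ok, dropped) in apply_limit(FLOOD + NORMAL).items():
        print(f"{src}: {ok} allowed, {dropped} dropped")
```

With rate 10 and burst 20 the flooding host gets its 20-packet burst and then roughly one packet per 100 ms, while the client that stays under the rate never loses a packet. Keying the bucket on the source address, rather than only on the destination, is what stops one noisy host from consuming the budget of the target it is aiming at.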

Understand Firewall Order of Operation

The diagram below illustrates how a packet is treated as it enters and leaves a RansNet Appliance.

Image 2 : RansNet Firewall Packet Flow
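
The same order of operations, written out as an added Python model (this is not RansNet or mbox code): the session check comes first, DNAT rewrites the destination before the access rules are consulted (which is why the DNAT section below says the access rule must permit the private IP), access rules are evaluated top-down with an implicit drop, and SNAT/PAT is applied after the access decision. The rule formats, helper names and all addresses are assumptions made for the example.

```python
"""Added example (not RansNet/mbox code): a small model of the packet flow
described on this page.  Rule formats, names and addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str  # interface the packet arrives on: "wan" or "lan"


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


# Constructed sample policy (assumed format).
# Access rule: (action, in_if, proto, src_net, dst_net, dport or None for any)
ACCESS = [
    ("permit", "lan", "any", "192.168.1.0/24", "0.0.0.0/0", None),  # LAN -> anywhere
    ("permit", "wan", "tcp", "0.0.0.0/0", "192.168.1.10/32", 443),  # Internet -> DMZ web, private IP (post-DNAT)
]
# DNAT rule: (proto, public_ip, public_port, internal_ip, internal_port)
DNAT = [("tcp", "203.0.113.10", 443, "192.168.1.10", 443)]
WAN_IP = "203.0.113.1"  # address used for SNAT/PAT of LAN -> Internet traffic


def rule_matches(rule, p):
    _, in_if, proto, src_net, dst_net, dport = rule
    return (in_if == p.in_if and proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(src_net)
            and ip_address(p.dst) in ip_network(dst_net)
            and (dport is None or dport == p.dport))


def access_verdict(p, rules):
    """Top-down, first match wins; no match means drop (implicit deny)."""
    for rule in rules:
        if rule_matches(rule, p):
            return rule[0]
    return "drop"


def apply_dnat(p, rules):
    """Rewrite the destination of inbound packets that hit a DNAT rule."""
    for proto, pub_ip, pub_port, int_ip, int_port in rules:
        if p.in_if == "wan" and p.proto == proto and p.dst == pub_ip and p.dport == pub_port:
            return Packet(p.proto, p.src, p.sport, int_ip, int_port, p.in_if)
    return p


class Firewall:
    def __init__(self, access=ACCESS, dnat=DNAT, wan_ip=WAN_IP):
        self.access, self.dnat, self.wan_ip = access, dnat, wan_ip
        self.sessions = {}          # 5-tuple as seen on the wire -> packet as forwarded
        self._ports = count(40000)  # PAT source-port allocator

    def process(self, p):
        """Return ("permit", forwarded_packet) or ("drop", None)."""
        # 1. Stateful check: packets of a known session are forwarded without
        #    consulting the rules, with the session's translation reapplied.
        if flow_key(p) in self.sessions:
            return "permit", self.sessions[flow_key(p)]
        # 2. DNAT rewrites the destination before routing and the access check,
        #    so the access rule has to name the private address.
        q = apply_dnat(p, self.dnat)
        # 3. Access rules decide; a DNAT rule on its own never admits a packet.
        if access_verdict(q, self.access) != "permit":
            return "drop", None
        # 4. SNAT/PAT for LAN -> WAN traffic, applied after the access decision.
        if q.in_if == "lan":
            q = Packet(q.proto, self.wan_ip, next(self._ports), q.dst, q.dport, q.in_if)
        # 5. Record both directions so the reply matches step 1 and is untranslated
        #    without needing an inbound access rule of its own.
        out_if = "wan" if p.in_if == "lan" else "lan"
        reply_wire = Packet(q.proto, q.dst, q.dport, q.src, q.sport, out_if)
        reply_fwd = Packet(p.proto, p.dst, p.dport, p.src, p.sport, out_if)
        self.sessions[flow_key(p)] = q
        self.sessions[flow_key(reply_wire)] = reply_fwd
        return "permit", q


if __name__ == "__main__":
    fw = Firewall()
    print("LAN -> Internet:", fw.process(Packet("tcp", "192.168.1.20", 5000, "198.51.100.5", 80, "lan")))
    print("reply:", fw.process(Packet("tcp", "198.51.100.5", 80, "203.0.113.1", 40000, "wan")))
    print("Internet -> public :443:", fw.process(Packet("tcp", "198.51.100.7", 51000, "203.0.113.10", 443, "wan")))
    print("Internet -> public :22:", fw.process(Packet("tcp", "198.51.100.7", 51001, "203.0.113.10", 22, "wan")))
```

Running the model shows the four cases the text describes: outbound LAN traffic leaves with the WAN address and an allocated port, the Internet reply is accepted and un-translated by the session check alone, an inbound connection to the public address on 443 is DNATed to the DMZ host and permitted by the rule that names the private IP, and a connection to port 22 on the same public address matches no DNAT rule and no access rule and is dropped. Removing the DMZ access rule while keeping the DNAT rule makes the 443 case drop too, which is the point of the note that translation rules must be paired with access rules.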

NOTE

Default firewall rules are already configured when a Host is provisioned.

Which default firewall rules are enabled depends on the Template Host Type (CMG, HSG, HSA, or UA).

Firewall rules can be combined with Global Firewall rules in the CLI configuration, but such combined rules cannot be edited from the Host Firewall tab.

Firewall – Access Rule

Users can access the Firewall-Access rules from the dropdown menu under the Firewall tab when editing the Gateway. Click the number in the 'Rule No.' column to edit a rule.

Image 1 : List of Firewall-Access Rules

The fields of the Firewall-Access List are explained below:

S/N  Field        Description
01.  Rule No.     Rule number identifying the Firewall-Access rule. Note: rule numbers cannot be duplicated.
02.  Operation    The action of the rule.
03.  Inbound      The inbound interface/direction of the traffic flow.
04.  Outbound     The outbound interface/direction of the traffic flow.
05.  Protocol     The protocol the rule applies to.
06.  Source       The source IP, network or IP range.
07.  Src Port     The source port for the specified IP, network or IP range.
08.  Destination  The destination IP, network or IP range the rule applies to.
09.  Dst Port     The destination port for the specified IP, network or IP range.
10.  Remarks      Free-text caption entered by the user.
11.  Action       Displays the delete icon for removing the rule.
Table 1 : The Fields of Firewall Access List

New Firewall Access Rule

To create a new Firewall Access Rule, click the button shown in Image 1.

Image 2 : New/Edit Firewall Access Rule Page

Settings of Firewall Access Rules

The Firewall Access Rule Settings consist of the Base and the Options sections as shown in Image 2 above. The collapsible section can be expanded to edit by clicking on the button on the section header.

Please see the Table 1 above for the explanations of the setting fields.

Firewall – Input Rule

Users can access the Firewall-Input rules from the dropdown menu under the Firewall tab when editing the Gateway. Click the number in the 'Rule No.' column to edit a rule.

Image 3 : List of Firewall-Input Rules

The fields of the Firewall-Input List are explained below:

S/N  Field                 Description
01.  Rule No.              Rule number identifying the Firewall-Input rule. Note: rule numbers cannot be duplicated.
02.  Operation/Action      The action of the rule (Permit / Deny / Permit Log / Deny Log).
03.  Direction/Inbound     The inbound direction of the traffic flow.
04.  Protocol              The protocol the rule applies to.
05.  Source/IP             The source IP, network, IP range or source MAC address.
06.  Source/Src Port       The source port for the specified IP, network or IP range.
07.  Destination           The destination IP, subnet or IP range the rule applies to.
08.  Destination/Dst Port  The destination port for the specified IP, network or IP range.
09.  Remarks               Free-text caption entered by the user.
10.  Action                Displays the delete icon for removing the rule.
Table 2 : The Fields of Firewall Input List

New Firewall Input Rule

To create a new Firewall Input Rule, click the button shown in Image 3.

Image 4 : New/Edit Firewall Input Rule Page

Settings of Firewall Input Rule

The Firewall Input Rule Settings consist of the Base and the Options sections as shown in Image 4 above. The collapsible section can be expanded to edit by clicking on the button on the section header.

Please see Table 2 above for the explanations of the setting fields.

Firewall – DNAT Rule

NOTE

When an internal IP needs to be mapped to a public IP address, the public IP address(es) must be configured on the external WAN interface (as secondary IPs); otherwise the mbox will not answer upstream ARP requests for the NAT address and inbound traffic never reaches it.

A firewall-access rule must also permit the respective inbound access to the private IPs, since DNAT only rewrites the destination and does not by itself admit the traffic.

Users can access the Firewall-DNAT rules from the dropdown menu under the Firewall tab when editing the Gateway. Click the number in the 'Rule No.' column to edit a rule.

Image 5 : List of Firewall-DNAT Rules

The fields of the Firewall-DNAT List are explained below:

S/N  Field              Description
01.  Rule No.           Rule number identifying the Firewall-DNAT rule. Note: rule numbers cannot be duplicated.
02.  Operation          The action of the rule (Translate, Exempt, Redirect).
03.  Inbound            The direction of the traffic flow (Inbound / All).
04.  Protocol           The protocol the rule applies to.
05.  Source             The source IP, subnet or IP range.
06.  Destination        The destination IP, subnet or IP range the rule applies to (the address matched before translation).
07.  TransId Dst        The translated destination: the internal address the packet's destination is rewritten to.
08.  TransId Dst Port   The translated destination port.
09.  Redirect Dst Port  The destination port number used by a Redirect operation.
10.  Remarks            Free-text caption entered by the user.
11.  Action             Displays the delete icon for removing the rule.
Table 3 : The Fields of Firewall DNAT List

New Firewall DNAT Rule

To create a new Firewall DNAT Rule, click the button shown in Image 5.

Image 6 : New/Edit Firewall DNAT Rule Page

Settings of Firewall DNAT Rule

The Firewall DNAT Rule Settings consist of the Base and the Options sections as shown in Image 6 above. The collapsible section can be expanded for editing by clicking the button on the section header.

Please see the Table 3 above for the explanations of the setting fields.

Firewall – SNAT Rule

Users can access the Firewall-SNAT rules from the dropdown menu under the Firewall tab when editing the Gateway. Click the number in the 'Rule No.' column to edit a rule.

Image 7 : List of Firewall-SNAT Rules

The fields of the Firewall-SNAT List are explained below:

S/N  Field                 Description
01.  Rule No.              Rule number identifying the Firewall-SNAT rule. Note: rule numbers cannot be duplicated.
02.  Operation             The action of the rule (Translate, Exempt, Redirect).
03.  Outbound              The interface the traffic leaves on.
04.  Protocol              The protocol the rule applies to.
05.  Source                The source IP, subnet or IP range (the internal address to be translated).
06.  Source Port           The source port of the outgoing traffic.
07.  Destination           The destination IP, subnet or IP range the rule applies to.
08.  Destination/Dst Port  The destination port number.
09.  Remarks               Free-text caption entered by the user.
10.  Action                Displays the delete icon for removing the rule.
Table 4 : The Fields of Firewall SNAT List

New Firewall SNAT Rule

To create a new Firewall SNAT Rule, click the button shown in Image 7.

Image 8 : New/Edit Firewall SNAT Rule Page

Settings of Firewall SNAT Rule

The Firewall SNAT Rule Settings consist of the Base and the Options sections as shown in Image 8 above. The collapsible section can be expanded to edit by clicking on the button on the section header.

Please see the Table 4 above for the explanations of the setting fields.

Firewall – Set Rule

Users can access the Firewall-Set rules from the dropdown menu under the Firewall tab when editing the Gateway. Click the number in the 'Rule No.' column to edit a rule.

Image 9 :  List of Firewall-Set Rules

The fields of the Firewall-Set List are explained below:

S/N  Field                 Description
01.  Rule No.              Rule number identifying the Firewall-Set rule. Note: rule numbers cannot be duplicated.
02.  Operation             The operation of the rule (Inbound, Outbound, Input, Output, Access).
03.  Action No             The action number selecting the header manipulation: Mark, Type of Service (ToS), Differentiated Services Code Point (DSCP), Time to Live (TTL) or Classify Traffic.
04.  Protocol              The protocol the rule applies to.
05.  Source                The source IP, subnet or IP range.
06.  Source/Src Port       The source port of the traffic.
07.  Destination           The destination IP, subnet or IP range the rule applies to.
08.  Destination/Dst Port  The destination port number.
09.  Remarks               Free-text caption entered by the user.
10.  Action                Displays the delete icon for removing the rule.
Table 5 : The Fields of Firewall Set List

New Firewall Set Rule

To create a new Firewall Set Rule, click the button shown in Image 9.

Image 10 : New/Edit Firewall Set Rule Page

Settings of Firewall Set Rules

The Firewall Set Rule Settings consist of the Base and the Options sections as shown in Image 10 above. The collapsible section can be expanded for editing by clicking the button on the section header.

S/N  Section                 Field                  Description
01.  Firewall Set (Base)     Rule No.               Rule number identifying the Firewall-Set rule. Note: rule numbers cannot be duplicated.
                             Operation              The operation of the rule (Inbound, Outbound, Input, Output, Access).
                             Action No              The action number selecting one of the following header manipulations:
                                                      01. Mark
                                                      02. Type of Service (ToS)
                                                      03. Differentiated Services Code Point (DSCP)
                                                      04. Time to Live (TTL)
                                                      05. Classify Traffic
02.  Firewall Set (Options)  Protocol               The protocol the rule applies to.
                             Source                 The source IP, subnet or IP range.
                             Source Port            The source port of the traffic.
                             Destination            The destination IP, subnet or IP range the rule applies to.
                             Destination (Dst) Port The destination port number.
                             Remarks                Free-text caption entered by the user.
                             Action                 Displays the delete icon for removing the rule.
Table 6 : The Fields of Firewall Set Rules

Firewall – Limit Rule

Users can access the Firewall-Limit rules from the dropdown menu under the Firewall tab when editing the Gateway. Click the number in the 'Rule No.' column to edit a rule.

Image 10 : List of Firewall-Limit Rules

The fields of the Firewall-Limit List are explained below:

S/N  Field                  Description
01.  Rule No.               Rule number identifying the Firewall-Limit rule. Note: rule numbers cannot be duplicated.
02.  Max Speed              The maximum rate allowed for traffic matching the rule.
03.  Source                 The source IP, subnet or IP range.
04.  Source Port            The source port of the traffic.
05.  Destination            The destination IP, subnet or IP range the rule applies to.
06.  Destination (Dst) Port The destination port number.
07.  Remarks                Free-text caption entered by the user.
08.  Action                 Displays the delete icon for removing the rule.
Table 7 : The Fields of Firewall Limit List

New Firewall Limit Rule

To create a new Firewall Limit Rule, click the button shown in Image 10.

Image 11 : New/Edit Firewall Limit Rule Page

Setting of Firewall Limit Rules

The Firewall Limit Rule Settings consist of the Base and the Options sections as shown in Image 11 above. The collapsible section can be expanded for editing by clicking the button on the section header.

S/N  Section                   Field        Description
01.  Firewall Limit (Base)     Rule No.     Rule number identifying the Firewall-Limit rule. Note: rule numbers cannot be duplicated.
                               Max Speed    The maximum rate allowed for traffic matching the rule.
                               Direction    The direction of the traffic flow.
02.  Firewall Limit (Options)  Protocol     The protocol the rule applies to.
                               Source       The source IP, subnet or IP range.
                               Destination  The destination IP, subnet or IP range the rule applies to.
                               Remarks      Free-text caption entered by the user.
Table 8 : The Fields of Firewall Limit Rules