Overview
In computing, a firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g. the Internet) that is assumed not to be secure or trusted.
Like many commercial stateful firewall appliances, RansNet Appliances use the iptables engine built into the Linux kernel, together with proprietary software, to enforce perimeter defense for customer networks. The key functions of the RansNet Appliance firewalling capabilities are:
- stateful packet inspection
- access control
- IP address translation
With RansNet Appliances (mbox), all of the commonly used firewall rule types listed below can be configured:
- Firewall-Access,
- Firewall-Input,
- Firewall-Dnat,
- Firewall-Snat,
- Firewall-Set, and
- Firewall-Limit
There are a few key terms to understand before configuring the firewall.

firewall-input. Permits or denies access to services running on the mbox itself (e.g. SSH, HTTP management).
firewall-access. Permits or denies traffic passing through the mbox (e.g. from inside to outside). There are three important behaviors of firewall-access rules.
- When a packet reaches a firewall interface (from inside or outside), the stateful firewall first checks whether the packet belongs to an existing session. If it does, the packet is permitted automatically; if not, processing continues with the routing table, access rules, address translation rules and so on.
- Any packet that does not belong to an existing session and is not explicitly permitted by an access rule is DROPPED.
- Firewall rules are checked in top-down sequence. Once a rule matches, no further rules are evaluated, so put the most frequently matched rules at the top for better performance. Because the first match wins, order also defines policy: a broad permit placed above a narrower deny makes that deny unreachable.
firewall-dnat (change the destination address of IP packets). Typically used to provide access from the Internet to internal hosts: the mbox rewrites the destination headers (address and/or port number) of packets as they pass through (typical inbound access). There are two main scenarios:
- Static NAT. One outside public IP translated to one internal IP. Typically used for DMZ servers.
- Port forwarding. One outside public IP translated to several internal IPs, each internal host serving a different application (different protocol or port number).
firewall-snat (change the source address of IP packets). Typically used to provide access from the inside/private network to the Internet: the mbox rewrites the source headers (address and/or port number) of packets as they pass through (typical outbound access). The common implementation is also called Port Address Translation (PAT): all internal host IP addresses are translated to a single public IP (the WAN interface IP address) and the connections are distinguished by port number.
firewall-set (manipulate packet header fields). Typically used for QoS/traffic-shaping purposes by marking certain header fields of the packet for further processing (by QoS rules or policy-based routing).
It is important to note that firewall-dnat/snat/set rules only change packet headers. For a packet to pass through a RansNet Appliance it still has to be permitted by an access rule, so firewall-dnat/snat/set rules must be used together with access rules. Since destination translation happens before the access check, the access rule for DNAT traffic must permit the translated (private) destination address, not the public one.
firewall-limit. The mbox can limit the rate of packets passing through the device to throttle overloaded connections or mitigate volumetric DDoS attacks. The simplest approach is to limit per-host or per-connection bandwidth so that the packets coming in towards a target destination cannot overwhelm it.
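A minimal model of the per-host limiting described above, added here as an illustration. It is not the RansNet implementation and does not define the semantics of the Max Speed field: it keeps one token bucket per source address, refilled at the allowed rate, and drops packets that find the bucket empty, so a flooding host is throttled while a well-behaved host on the same link is untouched. The addresses, rates and the 1500-byte packet size are constructed for the example.

```python
"""Toy per-host token bucket modelling what firewall-limit does: a host that
exceeds its allowed rate has its excess packets dropped while other hosts are
unaffected. Added example, not the RansNet implementation; the rate is an
assumption expressed in bytes per second."""
from collections import defaultdict


class HostRateLimit:
    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps                # sustained allowance, bytes per second
        self.burst = burst_bytes            # bucket capacity: how much may arrive at once
        self.tokens = defaultdict(lambda: float(burst_bytes))   # per-source buckets
        self.last = {}                      # last refill time per source

    def allow(self, src: str, size: int, now: float) -> bool:
        """Return True if a packet of `size` bytes from `src` fits the allowance."""
        # refill in proportion to the time elapsed, never beyond the burst size
        elapsed = now - self.last.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last[src] = now
        if self.tokens[src] >= size:
            self.tokens[src] -= size        # packet passes and consumes its bytes
            return True
        return False                        # over the limit: the packet is dropped


def simulate() -> dict:
    """Constructed one-second trace: 203.0.113.7 floods 1500-byte packets at
    10,000 pps (120 Mbit/s); 203.0.113.8 sends 50 pps (600 kbit/s). The per-host
    limit is 1 Mbit/s (125,000 bytes/s) with a 15 kB burst.
    Returns {src: [passed, dropped]}."""
    lim = HostRateLimit(rate_bps=125_000, burst_bytes=15_000)
    stats = {"203.0.113.7": [0, 0], "203.0.113.8": [0, 0]}
    for i in range(10_000):
        now = i / 10_000
        ok = lim.allow("203.0.113.7", 1500, now)
        stats["203.0.113.7"][0 if ok else 1] += 1
        if i % 200 == 0:                    # the well-behaved host, every 20 ms
            ok = lim.allow("203.0.113.8", 1500, now)
            stats["203.0.113.8"][0 if ok else 1] += 1
    return stats


if __name__ == "__main__":
    for src, (passed, dropped) in simulate().items():
        print(f"{src}: passed={passed} dropped={dropped}")
```

The flooding host gets through only the initial burst plus what the 1 Mbit/s allowance refills over the second (about 93 packets of 10,000); the 50 packets from the second host all pass. Keying the bucket on the source address is what makes this a per-host limit; keying it on the full 5-tuple would give the per-connection variant mentioned above.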
Understand Firewall Order of Operation
The diagram below illustrates how a packet is treated as it enters and leaves a RansNet Appliance.
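The same order of operation, worked through as a runnable model. This is an added example written for this page, not RansNet code and not a rendering of the diagram: the Packet/AccessRule/DnatRule/SnatRule fields, the verdict names, the WAN address 198.51.100.10, the LAN network 192.168.1.0/24 and the client addresses are all assumptions for illustration. It shows the conntrack bypass, DNAT before the access check, top-down first match with a default drop, and PAT applied only after the access check; the last scenario shows why an inbound access rule written against the public IP instead of the translated private IP silently drops a port forward.

```python
"""Toy model of the mbox packet path described on this page: conntrack lookup,
firewall-dnat, firewall-access (top-down, first match, default drop), firewall-snat.
Added example; rule fields and addresses are invented and are not RansNet syntax."""
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import Tuple

WAN_IP = "198.51.100.10"   # assumed public WAN address (RFC 5737 documentation range)

# a packet as it arrives; iface is the interface it came in on ("wan" or "lan")
Packet = namedtuple("Packet", "proto src sport dst dport iface")
# firewall-access: permit/deny transit traffic; direction is inbound, outbound or all
AccessRule = namedtuple("AccessRule", "no action direction src dst proto dport",
                        defaults=("0.0.0.0/0", "0.0.0.0/0", "any", None))
# firewall-dnat: static NAT (dport None) or port forwarding (dport set)
DnatRule = namedtuple("DnatRule", "no dst dport new_dst new_dport", defaults=(None,))
# firewall-snat: PAT of a private network behind one public IP
SnatRule = namedtuple("SnatRule", "no src new_src")

def _in(ip: str, net: str) -> bool:
    return ip_address(ip) in ip_network(net, strict=False)

class Mbox:
    def __init__(self, access, dnat=(), snat=()):
        # every rule table is walked in rule-number order, top down
        self.access = sorted(access, key=lambda r: r.no)
        self.dnat = sorted(dnat, key=lambda r: r.no)
        self.snat = sorted(snat, key=lambda r: r.no)
        self.sessions = set()      # toy conntrack table of (proto, src, sport, dst, dport)
        self.next_port = 40000     # next PAT source port to hand out

    def process(self, p: Packet) -> Tuple[str, Packet]:
        key = p[:5]
        # 1. packets of an existing session are permitted without consulting any rule
        if key in self.sessions:
            return "permit-existing", p
        direction = "inbound" if p.iface == "wan" else "outbound"
        # 2. firewall-dnat runs before the access check, so access rules see the
        #    translated (private) destination rather than the public IP
        if direction == "inbound":
            for r in self.dnat:
                if p.dst == r.dst and r.dport in (None, p.dport):
                    p = p._replace(dst=r.new_dst, dport=r.new_dport or p.dport)
                    break
        # 3. firewall-access: the first matching rule decides; no match means DROP
        verdict = "drop-default"
        for r in self.access:
            if r.direction not in (direction, "all"):
                continue
            if r.proto not in ("any", p.proto) or r.dport not in (None, p.dport):
                continue
            if _in(p.src, r.src) and _in(p.dst, r.dst):
                verdict = r.action
                break
        if verdict != "permit":
            return verdict, p
        # 4. firewall-snat applies only to traffic already permitted (outbound PAT)
        if direction == "outbound":
            for r in self.snat:
                if _in(p.src, r.src):
                    p = p._replace(src=r.new_src, sport=self.next_port)
                    self.next_port += 1
                    break
        # 5. remember the flow and its reply tuple so return traffic hits step 1
        self.sessions.add(key)
        self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return "permit", p

def demo() -> dict:
    """Constructed traffic against a small configuration; returns name -> (verdict, packet)."""
    dnat = [DnatRule(10, WAN_IP, 443, "192.168.1.10")]
    fw = Mbox([
        AccessRule(10, "permit", "inbound", dst="192.168.1.10/32", proto="tcp", dport=443),
        AccessRule(20, "deny", "outbound", src="192.168.1.0/24", proto="tcp", dport=23),
        AccessRule(30, "permit", "outbound", src="192.168.1.0/24"),
    ], dnat, [SnatRule(10, "192.168.1.0/24", WAN_IP)])
    out = {}
    # port forward: Internet client -> public IP:443, rewritten to the DMZ host
    out["https_in"] = fw.process(Packet("tcp", "203.0.113.50", 51000, WAN_IP, 443, "wan"))
    # the DMZ host's reply matches the session and bypasses the rule tables
    out["https_reply"] = fw.process(Packet("tcp", "192.168.1.10", 443, "203.0.113.50", 51000, "lan"))
    # unsolicited SSH to the WAN IP: no DNAT, no access rule -> default drop
    out["ssh_in"] = fw.process(Packet("tcp", "203.0.113.50", 51001, WAN_IP, 22, "wan"))
    # LAN host browsing out: permitted by rule 30, then PAT-ed to the WAN IP
    out["web_out"] = fw.process(Packet("tcp", "192.168.1.20", 50000, "93.184.216.34", 443, "lan"))
    # LAN host using telnet: rule 20 matches first, rule 30 is never consulted
    out["telnet_out"] = fw.process(Packet("tcp", "192.168.1.20", 50001, "93.184.216.34", 23, "lan"))
    # common mistake: access rule written for the public IP; after DNAT nothing matches
    wrong = Mbox([AccessRule(10, "permit", "inbound", dst=WAN_IP + "/32", proto="tcp", dport=443)], dnat)
    out["https_in_wrong_rule"] = wrong.process(Packet("tcp", "203.0.113.50", 51000, WAN_IP, 443, "wan"))
    return out

if __name__ == "__main__":
    for name, (verdict, pkt) in demo().items():
        print(f"{name:<20} {verdict:<16} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Run it directly to print each verdict with the packet as it leaves the device. The model drops anything not matched, so when a port forward "does not work" the first things to check are the same as on the appliance: whether the DNAT rule fires, and whether the access rule names the private destination the packet carries after translation.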

NOTE
Default firewall rules are already configured when a host is provisioned.
Which default firewall rules are enabled differs by template host type (CMG, HSG, HSA, or UA).
Firewall rules can be combined with Global Firewall rules in the CLI configuration, but such rules cannot be edited in the host Firewall tab settings.
Firewall – Access Rule
Users can access the Firewall-Access Rules from the dropdown menu under the tab when editing the Gateway, and click on the edit icon to edit a rule.

The fields of the Firewall-Access List are explained below:
S/N | Fields | Description |
---|---|---|
01. | Rule No. | Rule number that identifies the Firewall-Access Rule. Note: rule numbers cannot be duplicated |
02. | Operation | The action of the rule (Permit / Deny / Permit Log / Deny Log) |
03. | Direction | The direction of the traffic flow through the interface |
04. | Protocol | The protocol the rule applies to |
05. | Source Port | The source port for the specified source IP/Network or IP range |
06. | Destination Port | The destination port for the specified destination IP/Network or IP range |
07. | Remarks | User's input as the caption |
08. | Action | Displays the delete icon to delete the particular rule |
New Firewall Access Rule
To create a new Firewall Access Rule, click on the button shown in Image 1.

S/N | Fields | Description |
---|---|---|
01. | Rule No. | Rule number that identifies the Firewall-Access Rule. Note: rule numbers cannot be duplicated |
02. | Action | Permit / Deny / Permit Log / Deny Log |
03. | Direction | The direction of the traffic flow through the interface: Inbound / Outbound / All |
04. | Protocol | The protocol the rule applies to |
05. | Source | The traffic source the rule matches: IP/Subnet, IP Range or MAC Address |
06. | Destination | The traffic destination the rule matches: IP/Subnet or IP Range |
07. | Remarks | User's input as the caption |
Firewall Access Rules Code
Syntax
#firewall-access <Rule No> <Action> <Direction>
The Firewall Access Rule Settings consist of the Base and the Options sections as shown in Image 2 above.
Please see the Table 1 above for the explanations of the setting fields.
Firewall – Input Rule
Users can access the Firewall-Input Rule from the dropdown menu under the tab when creating or editing the Gateway, and click on the edit icon to edit a rule.

The fields of the Firewall-Input List are explained below:
S/N | Fields | Description |
---|---|---|
01. | Rule No. | Rule number that identifies the Firewall-Input Rule. Note: rule numbers cannot be duplicated |
02. | Operation/Action | The action of the rule (Permit / Deny / Permit Log / Deny Log) |
03. | Direction/Inbound | The direction of the traffic flow |
04. | Protocol | The protocol the rule applies to |
05. | Source/IP | The source IP/Network, IP range or source MAC address |
06. | Source/Src Port | The source port for the specified source IP/Network or IP range |
07. | Destination | The destination IP/Subnet or IP range the rule applies to |
08. | Destination/Dst Port | The destination port for the specified destination IP/Network or IP range |
09. | Remarks | User's input as the caption |
10. | Action | Displays the delete icon to delete the particular rule |
New Firewall Input Rule
To create a new Firewall Input Rule, click on the button shown in Image 3.

Please see Table 2 above to add or edit rules accordingly.
Firewall – DNAT Rule
NOTE
When you need to map an internal IP to a public IP address, the public IP address(es) must be configured on the external WAN interface (as secondary IPs); otherwise the mbox will not answer upstream ARP requests for the NAT address and the upstream router cannot deliver traffic to it.
A firewall-access rule must also permit the corresponding inbound access to the private IPs, because the access check is applied after translation.
Users can access the Firewall-DNAT Rule from the dropdown menu under the tab when editing the Gateway. Click on the number in the 'Rule No.' column to edit a rule.

The fields of the Firewall-DNAT List are explained below:
S/N | Fields | Description |
---|---|---|
01. | Rule No. | Rule number that identifies the Firewall-DNAT Rule. Note: rule numbers cannot be duplicated |
02. | Operation | The action of the rule (Translate / Exempt / Redirect) |
03. | Inbound | The direction of the traffic flow (Inbound / All) |
04. | Protocol | The protocol the rule applies to |
05. | Source | The source IP/Subnet or IP range |
06. | Destination | The destination IP/Subnet or IP range the rule applies to (the public address before translation) |
07. | TransId Dst | The translated (internal) destination IP address |
08. | TransId Dst Port | The translated destination port number |
09. | Redirect Dst Port | The destination port number for the Redirect operation |
10. | Remarks | User's input as the caption |
11. | Action | Displays the delete icon to delete the particular rule |
New Firewall DNAT Rule
To create a new Firewall DNAT Rule, click on the button shown in Image 5.

Settings of Firewall DNAT Rule
The Firewall DNAT Rule Settings consist of the Base and the Options sections as shown in Image 6 above. The collapsible section can be expanded to edit by clicking on the button on the section header.
Please see the Table 3 above for the explanations of the setting fields.
Firewall – SNAT Rule
User can access the Firewall-SNAT Rules from the dropdown menu under the tab when editing the Gateway. Users can click on the number in the ‘Rule No.‘ column to edit the rule.

The fields of the Firewall-SNAT List are explained below:
S/N | Fields | Description |
---|---|---|
01. | Rule No. | Rule number that identifies the Firewall-SNAT Rule. Note: rule numbers cannot be duplicated |
02. | Operation | The action of the rule (Translate / Exempt / Redirect) |
03. | Outbound | The interface the traffic flows out of |
04. | Protocol | The protocol the rule applies to |
05. | Source | The source IP/Subnet or IP range |
06. | Source Port | The source port of the outgoing traffic |
07. | Destination | The destination IP/Subnet or IP range the rule applies to |
08. | Destination/Dst Port | The destination port number |
09. | Remarks | User's input as the caption |
10. | Action | Displays the delete icon to delete the particular rule |
New Firewall SNAT Rule
To create a new Firewall SNAT Rule, click on the button shown in Image 7.

Settings of Firewall SNAT Rule
The Firewall SNAT Rule Settings consist of the Base and the Options sections as shown in Image 8 above. The collapsible section can be expanded to edit by clicking on the button on the section header.
Please see the Table 4 above for the explanations of the setting fields.
Firewall – Set Rule
User can access the Firewall-Set Rules from the dropdown menu under the tab when editing the Gateway. Users can click on the number in the ‘Rule No.‘ column to edit the rule.

The fields of the Firewall-Set List are explained below:
S/N | Fields | Description |
---|---|---|
01. | Rule No. | Rule number that identifies the Firewall-Set Rule. Note: rule numbers cannot be duplicated |
02. | Operation | The action of the rule (Inbound / Outbound / Input / Output / Access) |
03. | Action No | The action number selecting the header manipulation applied: Mark, Type of Service, Differentiated Services Code Point, Time to Live or Classify Traffic |
04. | Protocol | The protocol the rule applies to |
05. | Source | The source IP/Subnet or IP range |
06. | Source/Src Port | The source port of the matched traffic |
07. | Destination | The destination IP/Subnet or IP range the rule applies to |
08. | Destination/Dst Port | The destination port number |
09. | Remarks | User's input as the caption |
10. | Action | Displays the delete icon to delete the particular rule |
New Firewall Set Rule
To create a new Firewall Set Rule, click on the button shown in Image 9.

Settings of Firewall Set Rules
The Firewall Set Rule Settings consist of the Base and the Options sections as shown in Image 10 above. The collapsible section can be expanded to edit by clicking on the button on the section header.
S/N | Section | Fields | Description |
---|---|---|---|
01. | Firewall Set (Base) | Rule No. | Rule number that identifies the Firewall-Set Rule. Note: rule numbers cannot be duplicated |
 | | Operation | The action of the rule (Inbound / Outbound / Input / Output / Access) |
 | | Action No | The action number selecting the header manipulation applied: Mark, Type of Service, Differentiated Services Code Point, Time to Live or Classify Traffic |
02. | Firewall Set (Options) | Protocol | The protocol the rule applies to |
 | | Source | The source IP/Subnet or IP range |
 | | Source Port | The source port of the matched traffic |
 | | Destination | The destination IP/Subnet or IP range the rule applies to |
 | | Destination (Dst) Port | The destination port number |
 | | Remarks | User's input as the caption |
 | | Action | Displays the delete icon to delete the particular rule |
Firewall – Limit Rule
User can access the Firewall-Limit Rules from the dropdown menu under the tab when editing the Gateway. Users can click on the number in the ‘Rule No.‘ column to edit the rule.

The fields of the Firewall-Limit List are explained below:
S/N | Fields | Description |
---|---|---|
01. | Rule No. | Rule number that identifies the Firewall-Limit Rule. Note: rule numbers cannot be duplicated |
02. | Max Speed | The maximum rate allowed for traffic matching the rule |
03. | Source | The source IP/Subnet or IP range |
04. | Source Port | The source port of the matched traffic |
05. | Destination | The destination IP/Subnet or IP range the rule applies to |
06. | Destination (Dst) Port | The destination port number |
07. | Remarks | User's input as the caption |
08. | Action | Displays the delete icon to delete the particular rule |
New Firewall Limit Rule
To create a new Firewall Limit Rule, click on the button shown in Image 10.

Setting of Firewall Limit Rules
The Firewall Limit Rule Settings consist of the Base and the Options sections as shown in Image 11 above. The collapsible section can be expanded to edit by clicking on the button on the section header.
S/N | Section | Fields | Description |
---|---|---|---|
01. | Firewall Limit (Base) | Rule No. | Rule number that identifies the Firewall-Limit Rule. Note: rule numbers cannot be duplicated |
 | | Max Speed | The maximum rate allowed for traffic matching the rule |
 | | Direction | The direction of the traffic flow |
02. | Firewall Limit (Options) | Protocol | The protocol the rule applies to |
 | | Source | The source IP/Subnet or IP range |
 | | Destination | The destination IP/Subnet or IP range the rule applies to |
 | | Remarks | User's input as the caption |