Application Support Problems

Some applications and protocols you currently use may require some sort of support to be able to work seamlessly behind the firewall. If you have trouble making your applications work behind the firewall it is likely that you have to do some change of the configuration in the security profile (High, Low or AltConf) you are using.

The Internet Gate firewall works like a barrier to protect your computer or private network. Generally, applications that are initiated from the inside LAN are considered to be less “dangerous” than application attempts that are reaching the Internet Gate from the outside (WAN). Consequently, the security profile High (and AltConf) allows a few applications (“surf”, e-mail) to be used from the inside going out, but none at all from the outside. The profile Low is a bit less strict as it allows all applications (using TCP and UDP) started from the inside but still none from the outside. Thus, despite its name, Low is still a fairly safe profile.

These are the quite tight settings by factory, and they may be changed as the user opens up “holes” in the firewall, typically port numbers that allow applications to be initiated from the inside, and possibly also servers on the LAN to be accessed from the outside. It is good policy to stick to the more strict High or AltConf profiles, possibly adapting AltConf profile to one's needs. One can keep the Low as a more open profile that can be switched to temporarily when troubleshooting or when trying to run an application that does not work under the High or AltConf restrictions.

Switching between security profiles is quick and easy, using the ALT frontpanel key. See also here about the security profiles.

Opening up the firewall should be done with care.

If you have problems running an application or service behind the firewall:

• Check if the Internet Gate supports the application or service that you try to run through the firewall. Click here for a list of supported applications. Alternatively, simply browse to the security profile page and check if there is a checkbox that corresponds to the application.

• If not in the list of supported applications (nor suitable checkbox/fields found on the security profile page), and the application is started from the inside LAN, there may just be a question of one or more TCP/UDP port numbers that need to be opened up. If so, you could try the following steps:
  1. Switch to security profile Low that allows all outgoing traffic
  2. Does the application start to work? If not, it is not just a question of opening some ports from the inside. Consult the application documentation and web resources, or the product support.
  3. If it works in Low, you probably want to know why, so you can adjust the settings of the firewall profile:
  4. Switch back to the profile you really want to use (High or AltConf).
  5. Use the firewall log, set it in the mode Show rejected packets. This is done on the Log configuration page.
  6. Try the application again, and soon after, browse to the Firewall log page.
  7. Look for packets that are red-marked DENY and that seem to relate to your application's attempt. Read the port number in the Dest. column of the log, and also the protocol name in the Proto/Type column (TCP or UDP).
  8. Go to the security profile page for the profile you want to use (High or AltConf) and write the port number in the Other TCP ports (or Other UDP ports) field under Applications from inside.
  9. Try the application again. If it still does not work, have a new look again at the firewall log. Some applications may need several ports to be opened, so more ports may have to be added to the Other TCP(UDP) ports list (use comma to separate). In fact, some applications may need a whole range of ports. If so, the application's documentation should be consulted. (A port range is written like “XXX-YYY”.)

• Applications, e.g. servers, that run on the LAN and should be accessible from the outside need other settings. Since even the Low profile shut these ones out it will probably not work by switching to that profile.
  1. If not in the list of supported applications, consult the application's documentation, sometimes there is information about necessary measures to be taken when the server is behind a firewall.
  2. One could also try to use the Firewall log, in the Show rejected packets mode as described above. An attempt from any remote client to contact the server would probably show up as DENY entries in the log. Take notice of the protocol and (destination) port numbers in those entries, and try to verify that the entries really are resulting from requests to the desired application.
  3. If, by one way or another, the obstructed port numbers now are known, one can add a port redirection in the security profile settings to let those packets through the firewall. This is described here. There one must also enter the local IP address of the server that sits on the inside LAN.

It is potentially more “dangerous” to enter port redirections (from outside-to-inside) than just opening up ports/protocols from the inside.

For some applications that don't have a built-in support in the Internet Gate, none of the above measures might be sufficient. In these cases, an IP redirection or an Additional rule can be considered. This is generally for the more experienced user.

If you have used the firewall log for experimenting as described above, please remember to shut it off again on the log configuration page.