Firewall rule tutorial example 1:

Modifying a standard rule

:!: This description is addressed to advanced users only.
Incorrectly edited firewall rules can open security holes!

A good way to understand how the firewall rules work is to mark checkboxes on the Security Profile pages and then examine which new rules they add to the firewall rules.

Say you have a telnet server (192.168.0.10) that only one remote PC (11.50.17.69) on the Internet should be able to reach. Using the Security Profile page you can enable access to the Telnet server, but that allows every PC on the Internet to reach your server! The Security Profile page cannot control the firewall behaviour more precisely – but by editing the rules manually you can.

  1. On the Security Profile: High page, under “Allowed applications” mark the Telnet server checkbox, and enter 192.168.0.10 into the IP Address field. Click Apply.
  2. Now if you open the firewall rules page and look at the Incoming user rules of your WAN interface (the interface that is “used as: outside”), you will see that an extra rule (the last line below) has been added:

(dport == sip'5060') && (proto == udp) accept
proto == udp && dport == dhcpc'68' accept
(dport == telnet'23') && proto == tcp modify static daddr 192.168.0.10

That extra line means: “if the incoming packet is a TCP packet and tries to reach port 23, then forward it to PC 192.168.0.10”. TCP port 23 is the port used by Telnet.

Note that the rule has no source address condition: it forwards port 23 traffic from any host on the Internet.

Now it is fairly simple to modify that rule by adding one more restriction. We would like a rule like this:

(saddr == 11.50.17.69) && (dport == telnet'23') && proto == tcp modify static daddr 192.168.0.10

The modified rule means: “if the incoming packet comes from 11.50.17.69, is a TCP packet and tries to reach port 23, then forward it to PC 192.168.0.10”.

To insert the rule manually:

  1. on the firewall rules page mark the telnet rule row and copy it using Ctrl+C
  2. open the Security Profile: High page
  3. remove the Telnet checkbox from “Allowed Applications”
  4. paste (Ctrl+V) the copied row into the “Firewall rule” field of “Additional rules”
  5. edit the pasted rule by typing "(saddr == 11.50.17.69) &&" in front of it
  6. select “Insert at position”: your WAN interface, Incoming user, post
  7. click Apply

The entry now shown under “Additional rules”:

LINE Incoming user post (saddr == 11.50.17.69) && (dport == telnet'23') && proto == tcp modify static daddr 192.168.0.10

If you open the firewall rules page again you can see that your manually entered rule has been inserted into the active firewall rules, at the position the automatically generated rule previously occupied.

:!: You must remove the original autogenerated telnet rule (step 3). “Insert at position: post” places the manual rule after the autogenerated one, and the first matching rule stops further processing; the broader autogenerated rule would therefore match every port 23 packet first, the manual rule would never be reached, and the telnet server would still be open to the whole Internet.

The modified rule now forwards only telnet traffic coming from 11.50.17.69; port 23 packets from any other source address do not match it and are no longer forwarded to the server.
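The following Python script is an added example, not code from this page or from the router firmware. It models the first-match evaluation described above with a deliberately simplified parser for the rule syntax shown on this page (only `field == value` terms joined by `&&`, and the actions accept, drop and modify static daddr; service names such as telnet'23' are reduced to the port in quotes). The sample packets and the reserved addresses 203.0.113.5 and 198.51.100.7 are constructed for the demonstration. It shows why leaving the autogenerated rule in front of the restricted one defeats the restriction, and includes a small check that flags a later rule shadowed by an earlier, broader one.

```python
"""Toy first-match evaluator for the rule syntax used on this page.

Assumption (not from the page): a rule is a sequence of
'field == value' terms joined by '&&', optionally parenthesised,
followed by one of the actions 'accept', 'drop' or
'modify static daddr <ip>'. Real firmware has a richer language.
"""
import re
from dataclasses import dataclass

ACTION_RE = re.compile(r"^(.*?)\s+(accept|drop|modify static daddr \S+)$")


@dataclass(frozen=True)
class Packet:
    saddr: str
    daddr: str
    proto: str
    dport: int


@dataclass
class Rule:
    text: str
    match: dict   # field -> value; every entry must be equal for a hit
    action: str


def parse_rule(text: str) -> Rule:
    m = ACTION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")
    cond, action = m.group(1), m.group(2)
    match = {}
    for term in cond.split("&&"):
        field, value = (t.strip() for t in term.strip().strip("()").split("=="))
        if "'" in value:                 # telnet'23' -> 23, sip'5060' -> 5060
            value = value.split("'")[1]
        match[field] = int(value) if field.endswith("port") else value
    return Rule(text, match, action)


def matches(rule: Rule, pkt: Packet) -> bool:
    return all(getattr(pkt, f, None) == v for f, v in rule.match.items())


def evaluate(rules: list, pkt: Packet) -> str:
    """The first matching rule decides; later rules are never consulted."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "no match"


def shadowed(rules: list) -> list:
    """Pairs (i, j) where rule j can never fire: every condition of the
    earlier rule i is also a condition of rule j, so i always wins first."""
    return [(i, j)
            for i, a in enumerate(rules)
            for j in range(i + 1, len(rules))
            if a.match.items() <= rules[j].match.items()]


# The Incoming user rules of the WAN interface as listed on this page.
WAN_INCOMING_USER = [
    "(dport == sip'5060') && (proto == udp) accept",
    "proto == udp && dport == dhcpc'68' accept",
    "(dport == telnet'23') && proto == tcp modify static daddr 192.168.0.10",
]
MANUAL = ("(saddr == 11.50.17.69) && (dport == telnet'23') && proto == tcp "
          "modify static daddr 192.168.0.10")

# Constructed sample packets: the permitted host and a stranger, both
# aiming at the router's (assumed) public address 203.0.113.5.
ALLOWED = Packet("11.50.17.69", "203.0.113.5", "tcp", 23)
STRANGER = Packet("198.51.100.7", "203.0.113.5", "tcp", 23)


def autogenerated_left_in_place() -> tuple:
    """Telnet checkbox still ticked, manual rule inserted 'post'."""
    rules = [parse_rule(r) for r in WAN_INCOMING_USER + [MANUAL]]
    return evaluate(rules, ALLOWED), evaluate(rules, STRANGER)


def autogenerated_removed() -> tuple:
    """Telnet checkbox cleared, only the restricted rule remains."""
    rules = [parse_rule(r) for r in WAN_INCOMING_USER[:2] + [MANUAL]]
    return evaluate(rules, ALLOWED), evaluate(rules, STRANGER)


if __name__ == "__main__":
    print("autogenerated rule kept   :", autogenerated_left_in_place())
    print("autogenerated rule removed:", autogenerated_removed())
    print("shadowed rules (kept case):",
          shadowed([parse_rule(r) for r in WAN_INCOMING_USER + [MANUAL]]))
```

With the autogenerated rule kept, both the permitted host and the stranger are forwarded to 192.168.0.10, and `shadowed()` reports the manual rule (index 3) as unreachable behind rule 2. With it removed, only 11.50.17.69 is forwarded and the stranger's packet falls through. The shadow check is exact only for equality conditions like the ones on this page; it does not understand ranges or negations.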

firewall/example_1.txt · Last modified: 2010/11/04 12:46 by tibor
CC Attribution-Noncommercial-Share Alike 3.0 Unported