Firewall Rule Tutorial

Firewall Rule Tutorial

This description is addressed to advanced users only.
Incorrect editing of the firewall rules may cause security risks!

Editing the firewall rules manually allows greater control of what is allowed through the firewall, but is also much more complicated than using the Security Profile pages.

This tutorial will give you some examples of what can be achieved by editing the firewall rules manually.

Firewall Rules

Firewall rules are parsed line-by-line, top to bottom. If a matching rule is found, the rest of the rules are ignored. Meaning if a matching accept rule has been found, it does not matter if you have a deny rule further down – it is ignored:

dport >= 2000 && dport <= 2010 accept 
dport == 2003 deny

Port 2003 will also be accepted, as the first rule matches 2003, and accepts it. The deny rule is never reached! For the desired functionality, the rules should be entered in reverse order:

dport == 2003 deny 
dport >= 2000 && dport <= 2010 accept

If there is no rule that allows a packet through the firewall, it is stopped by the default “deny all” rule.

The settings on the security profile page is translated into firewall rules that you can see on the firewall rules page. Using “Additional rules” on the security profile page you can add your own hand-written rules to the automatically generated ones.

Block Diagram

It is very difficult to get a visual picture of what is going on inside the firewall. Such pictures easily become either too simplified or too complex. Here you see one attempt:

A packet on its way through the firewall will be checked against several rulesets. Usually the incoming super, and incoming user of the receiving interface, and the outgoing user and outgoing super of the transmitting interface. There can also be flows that bypass the user rules, but apply stateful inspection and modifications to the packets.

To get a packet through all the way, we need to make sure it is allowed to pass all the rulesets, and can be routed correctly by the router between the interfaces.

When entering rules manually, follow the way of the first packet through the rulesets to make sure you enter all the needed rules in their correct places.

Examples

Modifying a standard rule.

In example 1 you can see how the checkboxes on the Security Profile pages create firewall rules, and how you can modify them.

Opening an incoming port

In example 2 you can see how to open incoming ports manually, thus allowing data coming from the Internet to get through the firewall.

Opening an outgoing port

In example 3 you can see how to open outgoing ports manually, thus allowing your PCs to reach the Internet through the firewall.

“Hijacking" a site

In example 4 you can see how to redirect traffic between interfaces.

Firewall Rule Syntax

The firewall rule syntax lists all available rules, with some more examples, and a walk-through of the default “Hi” rules.

Choosing the correct Modify

The modify action has several arguments. Choosing the correct ones might seem difficult, but there is some simple rule-of-thumbs making the task simpler.

modify static

This action creates two flows that are stateful inspected and modified. The modification is static: always the same for all data streams. You enter manually what fields of the packet headers to modify. modify static is mostly used for port redirections – see example 2 for details.

modify dynamic

This action also creates two flows that are stateful inspected and modified. But the modification is dynamic: it is different for different data streams. The port number chosen is not hard coded but taken from a pool of available ports. Even though you specify a pool number, currently there is only one pool available: pool 0. Arguments source and destination are similar to sport and dport but they change the IP address too, to the global IP address. modify dynamic is mostly used for allowing applications from the inside to get out through the firewall – see example 3 for details.

Show pagesource Old revisions