Quick links:
Product Overview
Installation
Settings and Administration
ADSL
SIP Support
Telephone ports
Network
Firewall
Wireless
VPN
Misc
Licenses
Troubleshooting
Differences
This shows you the differences between two versions of the page.
|
firewall:tutorial [2010/11/04 11:39] tibor created |
firewall:tutorial [2010/11/04 11:47] (current) tibor |
||
|---|---|---|---|
| Line 33: | Line 33: | ||
| When entering rules manually, follow the way of the first packet through the rulesets to make sure you enter all the needed rules in their correct places. | When entering rules manually, follow the way of the first packet through the rulesets to make sure you enter all the needed rules in their correct places. | ||
| - | ==== Example 1: Modifying a standard rule. ==== | + | ===== Examples ===== |
| - | In example 1 you can see how the checkboxes on the Security Profile pages create firewall rules, and how you can modify them. | + | ==== Modifying a standard rule. ==== |
| + | In [[example 1]] you can see how the checkboxes on the Security Profile pages create firewall rules, and how you can modify them. | ||
| - | Example 2: opening an incoming port | + | ==== Opening an incoming port ==== |
| + | In [[example 2]] you can see how to open incoming ports manually, thus allowing data coming from the Internet to get through the firewall. | ||
| - | In this example you can see how to open incoming ports manually, thus allowing data coming from the Internet to get through the firewall. | + | ==== Opening an outgoing port ==== |
| + | In [[example 3]] you can see how to open outgoing ports manually, thus allowing your PCs to reach the Internet through the firewall. | ||
| - | Example 3: opening an outgoing port | + | ==== “Hijacking" a site ==== |
| + | In [[example 4]] you can see how to redirect traffic between interfaces. | ||
| - | In this example you can see how to open outgoing ports manually, thus allowing your PCs to reach the Internet through the firewall. | + | ===== Firewall Rule Syntax ===== |
| + | The firewall rule [[syntax]] lists all available rules, with some more examples, and a walk-through of the default “Hi" rules. | ||
| - | Example 4: “hijacking" a site | + | ===== Choosing the correct Modify ===== |
| + | The **modify** action has several arguments. Choosing the correct ones might seem difficult, but there is some simple rule-of-thumbs making the task simpler. | ||
| - | In this example you can see how to redirect traffic between interfaces. | + | ==== modify static ==== |
| + | This action creates two flows that are stateful inspected and modified. The modification is **static**: always the same for all data streams. You enter manually what fields of the packet headers to modify. **modify static** is mostly used for port redirections – see [[example 2]] for details. | ||
| - | Firewall Rule Syntax | + | ==== modify dynamic ==== |
| - | + | This action also creates two flows that are stateful inspected and modified. But the modification is **dynamic**: it is different for different data streams. The port number chosen is not hard coded but taken from a pool of available ports. Even though you specify a pool number, currently there is only one pool available: pool 0. Arguments **source** and **destination** are similar to **sport** and **dport** but they change the IP address too, to the global IP address. **modify dynamic** is mostly used for allowing applications from the inside to get out through the firewall – see [[example 3]] for details. | |
| - | The firewall rule syntax lists all available rules, with some more examples, and a walk-through of the default “Hi" rules. | + | |
| - | + | ||
| - | Choosing the correct Modify | + | |
| - | + | ||
| - | The modify action have several arguments. Choosing the correct ones might seem difficult, but there is some simple rule-of-thumbs making the task simpler. | + | |
| - | + | ||
| - | modify static | + | |
| - | + | ||
| - | This action creates two flows that are stateful inspected and modified. The modification is static : always the same for all data streams. You enter manually what fields of the packet headers to modify. modify static is mostly used for port redirections – see example 2 for details. | + | |
| - | + | ||
| - | modify dynamic | + | |
| - | + | ||
| - | This action also creates two flows that are stateful inspected and modified. But the modification is dynamic : it is different for different data streams. The port number chosen is not hard coded but taken from a pool of available ports. Even though you specify a pool number, currently there is only one pool available: pool 0. Arguments source and destination are similar to sport and dport but they change the IP address too, to the global IP address. modify dynamic is mostly used for allowing applications from the inside to get out through the firewall – see example 3 for details. | + | |
| - | + | ||
| - | modify stateless | + | |
| + | ==== modify stateless ==== | ||
| This is a special case of the modify action that creates no flows, no stateful inspection, merely modifies packet header fields. It is very seldom used, only in special cases. | This is a special case of the modify action that creates no flows, no stateful inspection, merely modifies packet header fields. It is very seldom used, only in special cases. | ||
| - | inspect | + | ==== inspect ==== |
| Another special case: Creates two flows that are stateful inspected, but performs no modifications on the packets. It is very seldom used, only in special cases. | Another special case: Creates two flows that are stateful inspected, but performs no modifications on the packets. It is very seldom used, only in special cases. | ||
| - | modify in outside user rules | + | ==== modify in outside user rules ==== |
| - | + | In the vast majority of cases you should enter your **modify** rule in one of the **user rules** of the **outside interface**. | |
| - | In the vast majority of cases you should enter your modify rule in one of the user rules of the outside interface . | + | |
