On the Network Protection > Firewall > Rules tab you can manage the firewall rule set. When you open the tab, only user-created firewall rules are displayed by default. Using the drop-down list above the list, you can choose to display automatic firewall rules instead, or both types of rules combined. Automatic firewall rules are displayed with a distinct background color. They are generated by Sophos UTM whenever you select an Automatic firewall rules checkbox in one of your configurations, e.g., when creating IPsec or SSL connections.
All newly defined firewall rules are disabled by default once added to the rules table. Automatic firewall rules and enabled user-created firewall rules are evaluated in the given order until the first rule matches. Automatic firewall rules are always at the top of the list. The processing order of the user-created firewall rules is determined by the position number, so changing a rule's position number changes the processing order as well.
Caution – Once a firewall rule has matched, all other rules are ignored. For that reason, the sequence of rules is very important. Never place a rule such as Any (Source) – Any (Service) – Any (Destination) – Allow (Action) at the top of the rule table, as this would allow every packet to traverse the gateway in both directions, ignoring all other rules that follow it.
To create a firewall rule, proceed as follows:
On the Rules tab, click New Rule.
The Add Rule dialog box opens.
Make the following settings:
Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes, it does not affect rule matching. To create a new group select the << New group >> entry and enter a descriptive name in the Name field.
Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.
Sources: Add or select source network definitions, describing from which host(s) or networks the packets are originating.
Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Services: Add or select service definitions, describing the protocol(s) and, in case of TCP or UDP, the source and destination port(s) of the packets.
Destinations: Add or select destination network definitions, describing the target host(s) or network(s) of the packets.
Note – When you select more than one source, service and/or destination, the rule applies to every possible source-service-destination combination. A rule with, e.g., two sources, two services and two destinations equates to eight single rules: one from each source to each destination for each of the two services.
Action: The action that describes what to do with traffic that matches the rule. The following actions can be selected:
Comment (optional): Add a description or other information.
Optionally, make the following advanced settings:
Time period: By default, no time period definition is selected, meaning that the rule is always valid. If you select a time period definition, the rule will only be valid at the time specified by the time period definition. For more information, see Time Period Definitions.
Log traffic: If you select this option, logging is enabled and packets matching the rule are logged in the firewall log.
Source MAC addresses: Select a MAC address list definition, describing from which MAC addresses the packets are originating. If selected, packets only match the rule if their source MAC address is listed in this definition. Note that you cannot use a MAC address list in combination with the source Any. MAC address list definitions are defined on the Definitions & Users > Network Definitions > MAC Address Definitions tab.
The new rule appears on the Rules list.
Enable the firewall rule. The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.
The rule is now enabled (toggle switch is green).
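The matching model described above (first match wins, automatic rules ahead of user rules, position order, disabled rules ignored, time period and MAC address restrictions, and one rule expanding into every source-service-destination combination) is small enough to model in a few dozen lines. The following is an added illustration, not code from the Sophos documentation and not how the UTM implements its rule table: network definitions are modelled as CIDR strings or the marker "any", services as (protocol, port) pairs, time periods as an hour range, and the implicit drop when no rule matches is an assumption. The constructed sample rule set also contains the IDENT reject rule from the hints at the end of this page, and `shadowed()` is the check a practitioner wants before enabling a rule: it reports rules that an earlier, unrestricted rule already covers completely, which is exactly what an Any/Any/Any/Allow rule at the top does to everything below it.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

ANY = "any"               # stands in for the UTM "Any" network definition
ANY_SERVICE = ("any", 0)  # stands in for the UTM "Any" service definition
DEFAULT_ACTION = "drop"   # assumed implicit action when no rule matches

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    dport: int = 0
    src_mac: str = ""
    hour: int = 12        # hour of day, for the time period check

@dataclass
class Rule:
    position: int
    sources: List[str]                  # CIDR strings or ANY
    services: List[Tuple[str, int]]     # (protocol, destination port) or ANY_SERVICE
    destinations: List[str]
    action: str                         # "allow", "drop" or "reject"
    enabled: bool = False               # new user rules start disabled
    automatic: bool = False             # generated rules are always active and sort first
    hours: Optional[Tuple[int, int]] = None     # (start, end) hour; None = always valid
    source_macs: Optional[frozenset] = None     # MAC address list; None = no restriction
    comment: str = ""

def net_matches(definition, addr):
    return definition == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(definition, strict=False)

def service_matches(service, pkt):
    if service == ANY_SERVICE:
        return True
    proto, port = service
    # only TCP/UDP services carry a port; other protocols match on protocol alone
    return proto == pkt.proto and (proto not in ("tcp", "udp") or port == pkt.dport)

def expansion_count(rule):
    """Number of single source-service-destination rules this rule stands for."""
    return len(rule.sources) * len(rule.services) * len(rule.destinations)

def rule_matches(rule, pkt):
    if not (rule.enabled or rule.automatic):
        return False
    if rule.hours is not None and not rule.hours[0] <= pkt.hour < rule.hours[1]:
        return False
    if rule.source_macs is not None and pkt.src_mac.lower() not in rule.source_macs:
        return False
    return any(net_matches(s, pkt.src) and service_matches(v, pkt) and net_matches(d, pkt.dst)
               for s, v, d in product(rule.sources, rule.services, rule.destinations))

def ordered(rules):
    """Automatic rules first, then user rules by ascending position number."""
    return sorted(rules, key=lambda r: (not r.automatic, r.position))

def evaluate(rules, pkt):
    """First match wins; returns (action, matching rule or None)."""
    for rule in ordered(rules):
        if rule_matches(rule, pkt):
            return rule.action, rule
    return DEFAULT_ACTION, None

def _covers(outer, inner):
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))

def shadowed(rules):
    """Active rules that can never match: an earlier, unrestricted active rule covers
    every one of their source-service-destination combinations."""
    active = [r for r in ordered(rules) if r.enabled or r.automatic]
    found = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if earlier.hours is None and earlier.source_macs is None and all(
                any(_covers(es, s) for es in earlier.sources)
                and any(ev in (ANY_SERVICE, v) for ev in earlier.services)
                and any(_covers(ed, d) for ed in earlier.destinations)
                for s, v, d in product(later.sources, later.services, later.destinations)
            ):
                found.append((later, earlier))
                break
    return found

# Constructed sample rule set, not a real configuration.
INTERNAL, DMZ_WEB = "10.0.0.0/8", "192.0.2.10/32"
HTTP, HTTPS, SSH, IDENT, IKE = ("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 113), ("udp", 500)
SAMPLE_RULES = [
    Rule(99, [ANY], [IKE], [ANY], "allow", automatic=True, comment="generated by an IPsec connection"),
    Rule(10, [INTERNAL], [HTTP, HTTPS], [ANY], "allow", enabled=True, comment="web access"),
    Rule(20, [ANY], [IDENT], [INTERNAL], "reject", enabled=True, comment="reject IDENT"),
    Rule(30, ["10.1.0.0/16"], [SSH], [DMZ_WEB], "allow", comment="new rule, still disabled"),
    Rule(40, ["10.1.0.0/16"], [SSH], [DMZ_WEB], "allow", enabled=True, hours=(8, 18)),
    Rule(50, [INTERNAL], [HTTPS], [DMZ_WEB], "allow", enabled=True, comment="never reached"),
]
```

With this rule set, `evaluate(SAMPLE_RULES, Packet("10.1.2.3", "192.0.2.10", "tcp", 22))` is allowed by rule 40 during business hours and falls through to the default drop at hour 20, because rule 30 is still disabled and rule 50 only covers HTTPS. `shadowed(SAMPLE_RULES)` reports rule 50 as shadowed by rule 10, and prepending `Rule(1, [ANY], [ANY_SERVICE], [ANY], "allow", enabled=True)` makes it report every other user rule, which is the situation the caution above warns against. Note that the automatic IKE rule sorts ahead of position 1 regardless of its own position number.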
To either edit or delete a rule, click the corresponding buttons.
Open Live Log: This will open a pop-up window containing a real-time log of filtered packets, whose regularly updating display shows recent network activity. The background color indicates which action has been applied:
The live log also shows which firewall rule caused a packet to be rejected. Such information is essential for rule debugging. Using the search function, you can filter the firewall log for specific entries. The search function also lets you negate an expression by typing a dash in front of it, e.g. -WebAdmin, which hides all lines containing that expression.
Selecting the Autoscroll checkbox will automatically scroll down the window's scrollbar to always show the most recent results.
Below are some basic hints for configuring the firewall:
Rejecting IDENT Traffic: If you do not want to use the IDENT reverse proxy, you can actively reject traffic to port 113 (IDENT) of your internal networks. This prevents long timeouts on services that use IDENT, such as FTP, IRC, and SMTP: a reject answers the remote IDENT client immediately, whereas silently dropping the request leaves that service waiting until its IDENT lookup times out.
Note – If you use masquerading, IDENT requests for masqueraded networks will arrive on the masquerading interface.
The control panels in the table header can be used to filter the firewall rules by specific criteria and to rearrange them for better readability. If you have defined groups, you can select a group from the drop-down menu and thus see all rules that belong to this group. Using the search field you can look for a keyword or just a string to see the rules related to it. The search covers a rule's source, destination, service, group name, and comment.
© 2019 Sophos Limited
Sophos UTM 9.600