Rules

On the Network Protection > Firewall > Rules tab you can manage the firewall rule set. Opening the tab, by default, user-created firewall rules are displayed only. Using the drop-down list on top of the list, you can choose to display automatic firewall rules instead, or both types of rules combined. Automatic firewall rules are displayed with a distinct background color. Automatic firewall rules are generated by Sophos UTM based on a selected Automatic firewall rules checkbox in one of your configurations, e.g., when creating IPsec or SSL connections.

All newly defined firewall rules are disabled by default once added to the rules table. Automatic firewall rules and enabled user-created firewall rules are applied in the given order until the first rule matches. Automatic firewall rules are always on top of the list. The processing order of the user-created firewall rules is determined by the position number, so if you change the order of the rules by their position numbers, the processing order changes as well.

Caution – Once a firewall rule matched, all other rules are ignored. For that reason, the sequence of rules is very important. Never place a rule such as Any (Source)Any (Service)Any (Destination)Allow (Action) at the top of the rule table, as this will allow each packet to traverse the gateway in both directions, ignoring all other rules that may follow.

To create a firewall rule, proceed as follows:

  1. On the Rules tab, click New Rule.

    The Add Rule dialog box opens.

  2. Make the following settings:

    Group: The Group option is useful to group rules logically. With the drop-down list on top of the list you can filter the rules by their group. Grouping is only used for display purposes, it does not affect rule matching. To create a new group select the << New group >> entry and enter a descriptive name in the Name field.

    Position: The position that defines the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

    Sources: Add or select source network definitions, describing from which host(s) or networks the packets are originating.

    Tip – How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

    Services: Add or select service definitions, describing the protocol(s) and, in case of TCPClosed Transmission Control Protocol or UDPClosed User Datagram Protocol, the source and destination port(s) of the packets.

    Destinations: Add or select destination network definitions, describing the target host(s) or network(s) of the packets.

    Note – When you select more than one source, service and/or destination, the rule applies to every possible source-service-destination combination. A rule with e.g. two sources, two services and two destinations equates to eight single rules, from each source to each destination using both services.

    Action: The action that describes what to do with traffic that matches the rule. The following actions can be selected:

    • Allow: The connection is allowed and traffic is forwarded.
    • Drop: Packets matching a rule with this action will be silently dropped.
    • Reject: Connection requests matching rules with this action will be actively rejected. The sender will be informed via an ICMPClosed Internet Control Message Protocol message.

    Comment (optional): Add a description or other information.

  3. Optionally, make the following advanced settings:

    Time period: By default, no time period definition is selected, meaning that the rule is always valid. If you select a time period definition, the rule will only be valid at the time specified by the time period definition. For more information, see Time Period Definitions.

    Log traffic: If you select this option, logging is enabled and packets matching the rule are logged in the firewall log.

    Source MAC addresses: Select a MAC address list definition, describing from which MAC addresses the packets are originating. If selected, packets only match the rule if their source MAC address is listed in this definition. Note that you cannot use a MAC address list in combination with the source Any. MAC address list definitions are defined on the Definitions & Users > Network Definitions > MAC Address Definitions tab.

  4. Click Save.

    The new rule appears on the Rules list.

  5. Enable the firewall rule.

    The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.

    The rule is now enabled (toggle switch is green).

To either edit or delete a rule, click the corresponding buttons.

Open Live Log: This will open a pop-up window containing a real-time log of filtered packets, whose regularly updating display shows recent network activity. The background color indicates which action has been applied:

  • Red: The packet was dropped.
  • Yellow: The packet was rejected.
  • Green: The packet was allowed.
  • Gray: The action could not be determined.

The live log also contains information about which firewall rule caused a packet to be rejected. Such information is essential for rule debugging. Using the search function, you can filter the firewall log for specific entries. The search function even allows to negate expressions by typing a dash in front of the expression, e.g. -WebAdmin which will successively hide all lines containing this expression.

Selecting the Autoscroll checkbox will automatically scroll down the window's scrollbar to always show the most recent results.

Below are some basic hints for configuring the firewall:

  • Dropped Broadcasts: By default, all broadcasts are dropped, which in addition will not be logged (for more information, see chapter Advanced). This is useful for networks with many computers utilizing NetBIOS (for example, Microsoft Windows operating systems), because broadcasts will rapidly clutter up your firewall log file. To define a broadcast drop rule manually, group the definitions of the broadcast addresses of all attached networks, add another "global_broadcast" definition of 255.255.255.255/255.255.255.255, then add a rule to drop all traffic to these addresses on top of your firewall configuration. On broadcast-heavy networks, this also has the benefit of increasing the system performance.
  • Rejecting IDENT Traffic: If you do not want to use the IDENTClosed Standard protocol that helps identify the user of a particular TCP connection. reverse proxy, you can actively reject traffic to port 113 (IDENT) of your internal networks. This may prevent longer timeouts on services that use IDENT, such as FTP, IRC, and SMTP.

    Note – If you use masquerading, IDENT requests for masqueraded networks will arrive on the masquerading interface.

  • Since NAT will change the addresses of network packets, it has implications on the firewall functionality.

    • DNAT is applied before the firewall. This means that the firewall will "see" the already translated packets. You must take this into account when adding rules for DNAT related services.
    • SNAT and Masquerading is applied after the firewall. This means that the firewall still "sees" the untranslated packets with the original source addresses.

The control panels in the table header can be used to filter firewall rules for specific criteria to rearrange rules for better readability. If you have defined groups you can select a group from the drop-down menu and thus see all rules that belong to this group. Using the search field you can look for a keyword or just a string to see the rules related to it. The search comprises a rule's source, destination, service, group name, and comment.