Firewall
From Wiki@Commgate
1 to 1 NAT
Overview
| 1-to-1 NAT Firewall | Information |
|---|---|
| Description | Configuration tool for 1-to-1 NAT. |
| Package Name | cc-firewall-dmz |
| Configuration Page | Network > Firewall > 1-to-1 NAT |
1-to-1 NAT maps a real Internet IP to an IP on your local area network (LAN).
If you did not select this module to be included during the installation process, you must first install the module.
Configuration
You can map 1-to-1 NAT IPs in one of two ways:
- With no firewall at all
- With selective ports open
1-to-1 NAT - No Firewall
Some protocols can be finicky behind firewalls. In this case you want to configure 1-to-1 NAT with no firewall (make sure you firewall/secure the target LAN system some other way!). In the screenshot below:
- 216.138.245.23 is mapped to a LAN machine at 192.168.2.2
- no firewall is enabled.
1-to-1 NAT - Selective Ports Open
In the screenshot below:
- 216.138.245.23 is mapped to a LAN machine at 192.168.2.2
- only port 22 (SSH) and port 80 (web) are accessible
1-to-1 NAT - With MultiWAN
You can also utilize 1-to-1 NAT with a MultiWAN configuration. The configuration remains mostly the same with the addition of an Interface drop-down box containing a list of configured MultiWAN network interfaces.
Each 1-to-1 NAT rule must be assigned to an external MultiWAN interface, as shown in the example below:
Advanced
Overview
| Advanced Firewall | Information |
|---|---|
| Description | Configuration tool for advanced firewall rules. |
| Package Name | cc-firewall-advanced |
| Configuration Page | Network > Firewall > Advanced |
Configuration
The advanced firewall tool can be used to create special firewall rules. For instance, you can use this tool to allow connections to the web-based administration from the Internet -- but only from a particular IP address. You can find some examples in the advanced firewall tips and tricks documentation.
An invalid advanced rule will cause the firewall to go into a lock-down mode -- all other firewall rules will not be active in this mode.
DMZ
Overview
| DMZ Firewall | Information |
|---|---|
| Description | Configuration tool for DMZ-based firewalls. |
| Package Name | cc-firewall-dmz |
| Configuration Page | Network > Firewall > DMZ |
The DMZ solution is used to protect a separate network of public IP addresses. Typically, a third network card is used exclusively for the DMZ network.
- If you are configuring a few extra public IPs (not a whole network), then go to the 1 to 1 NAT section of the User Guide.
- If you are configuring a separate private network (192.168.x.x or 10.x.x.x), then investigate Hot LANs in the IP Settings section of the User Guide.
Configuration
Network Configuration
Before you can use the DMZ firewall configuration, you need to configure one of your network cards with the DMZ role. In our example, we used the network settings tool to configure a third network card (eth2) with the following:
- Role: DMZ
- IP Address: 216.138.245.17
- Netmask: 255.255.255.240
- Network: 216.138.245.16/28
All the systems connected to this third network card can then be configured with an IP address in the 216.138.245.18 to 216.138.245.30 range.
Incoming Connections
By default, all inbound connections from the Internet to systems on the DMZ are blocked (with the exception of the ping protocol). You can permit connections to systems on the DMZ by allowing:
- all ports and protocols to a single public IP
- all ports and protocols to the whole network of public IPs
- a specific port and protocol to a single public IP
In the screenshot below, both 216.138.245.27 and 216.138.245.28 are not firewalled at all, while 216.138.245.26 can only be accessed via TCP port 2000.
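As an added example (not part of the CommGate documentation or its firewall code), the following Python models the DMZ incoming policy just described, so a rule set can be checked for what it exposes before it is applied. The DMZ network and addresses are the page's; the `DmzRule` class and the function names are my own.

```python
# Added example, not CommGate's own code: a model of the DMZ incoming policy.
# Default is deny, ping is the one built-in exception, and allow rules come in
# the three shapes the page lists (all to a host, all to a network, one port to a host).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DMZ_NET = ipaddress.ip_network("216.138.245.16/28")            # page's DMZ network
GATEWAY_IP = ipaddress.ip_address("216.138.245.17")            # page's eth2 address

@dataclass(frozen=True)
class DmzRule:
    """One allow rule. target is a host or network; proto/port None means all."""
    target: str
    proto: Optional[str] = None
    port: Optional[int] = None

def allowed(rules: List[DmzRule], dst: str, proto: str, port: Optional[int] = None) -> bool:
    """Return True if Internet -> DMZ traffic to dst/proto/port is permitted."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in DMZ_NET:
        return False                     # not a DMZ address; this policy does not apply
    if proto == "icmp-echo":
        return True                      # page: ping is allowed by default
    for r in rules:
        if dst_ip not in ipaddress.ip_network(r.target, strict=False):
            continue
        if r.proto is None:              # all ports and protocols to this host/network
            return True
        if r.proto == proto and r.port == port:
            return True                  # a specific port and protocol to this host
    return False

def exposed_hosts(rules: List[DmzRule]) -> List[str]:
    """DMZ addresses reachable on every port and protocol ('not firewalled at all')."""
    return [str(h) for h in DMZ_NET.hosts()
            if h != GATEWAY_IP
            and any(r.proto is None and h in ipaddress.ip_network(r.target, strict=False)
                    for r in rules)]

# The screenshot's rule set: .27 and .28 fully open, .26 only on TCP 2000.
SCREENSHOT_RULES = [DmzRule("216.138.245.27"), DmzRule("216.138.245.28"),
                    DmzRule("216.138.245.26", "tcp", 2000)]
```

`exposed_hosts(SCREENSHOT_RULES)` lists exactly the two unfirewalled addresses, which is the check worth running before a "whole network" rule is saved.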
Pinhole Connections (DMZ-to-LAN)
In some situations, you may want to allow particular network traffic from your DMZ to your LAN -- a pinhole rule. In our example, we have a document management system running on port 2401 on the LAN (at IP address 192.168.2.2). We want to allow a web server in our DMZ to access this document management system and we create a pinhole rule to do it (see screenshot).
Group Manager
Overview
| Firewall Groups | Information |
|---|---|
| Description | A tool to group together firewall rules. |
| Package Name | cc-firewall |
| Configuration Page | Network > Firewall > Group Manager |
The Group Manager makes it easy to categorize and manage related Firewall rules. All rules not assigned to a group will be listed at the top of the page. You can change a rule's Nickname or assign it to a new or existing group by clicking on Edit.
Configuration
There are three sections to the Group Manager page.
- Individual rule listing (rules that are not assigned to a group)
- Group listing
- Group manager, useful for enabling/disabling or deleting an entire group
Assigning Rules to Groups
To assign a rule to a group, click on the rule's Edit button. This will bring up the rule editor dialog, which looks like the following screenshot:
Firewall Group Manager
The top of the edit dialog shows the fields of the firewall rule: the protocol, address, port, and parameter (optional, contains extended information). This is displayed to help you identify the rule. Below this information, you can enter a new Nickname or edit the existing one to help identify the rule's purpose. To the right you may assign this rule to an existing group using the drop-down, or add it to a new group by entering the desired name in the input box below. Click on Confirm to save your changes.
Removing a Rule From a Group
To remove a rule from a group, click on the rule's Edit button. You will see the group name in the drop-down box. Change this to "Remove from group" and then click on Confirm. If there are no more rules in any given group, the group will no longer show up in the group drop-down list.
Group Management
At the very bottom of the Group Manager page you can enable/disable or delete a group. Simply click on the appropriate button.
Deleting a group will delete all member firewall rules as well. If you want to remove just the group, remove each rule from the group manually.
Incoming
Overview
| Firewall Incoming | Information |
|---|---|
| Description | Tool for configuring incoming connections on the firewall. |
| Package Name | cc-firewall |
| Configuration Page | Network > Firewall > Incoming |
Configuration
Allow Incoming Connections
If you want to run a server on your CommGate Server, you must open the appropriate port on the firewall to allow access to users on the Internet. For instance, if you are running the web server and secure web server, make sure ports 80 and 443 are open.
Unlike some other firewalls, you do not need to open a port on the Incoming page if you're forwarding the port to an internal server on your LAN or on your DMZ.
You can also open up ports to allow for remote management of your CommGate Server. For example, you can open up port 22 to allow for SSH access and port 81 to give access to WebAdmin.
Select Firewall Incoming in the web-based administration tool. There are three ways to add an incoming firewall rule:
- select a standard service in the Standard Services drop down
- input a single port number in the Port Number box.
- input multiple consecutive ports in a port range in the Port Range box.
Block Internet Hosts
If you want to block a remote site from accessing your CommGate Server, add the IP address or network to the block list. This is typically used to block unwanted connections from . If you want to block web sites from your users, the Content Filter is a more effective solution.
Outgoing
Overview
| Firewall Outgoing | Information |
|---|---|
| Description | Tool for blocking or allowing (depending on mode) outgoing connections on your network. |
| Package Name | cc-firewall |
| Configuration Page | Network > Firewall > Outgoing |
Configuration
From the Firewall Outgoing page, you can block or allow certain kinds of traffic from leaving your network depending on the mode/policy.
It is now possible to reverse the meaning of rules created from the Firewall Outgoing page. The language used in the following documentation has been altered to reflect this change. Users of older CommGate versions can only allow all outgoing traffic by default and then selectively block certain hosts and services. See Choose an Outgoing Mode below for more details.
This page is useful for blocking/allowing instant messaging, chat, peer-to-peer music downloads, and more.
You have two ways to block/allow traffic:
- by destination port/service
- by destination IP address/domain
Note: If you want to block peer-to-peer file sharing programs like Kazaa and Limewire, you will also want to check the Firewall - Peer-to-Peer section of the user guide.
Choose an Outgoing Mode
You can toggle the outgoing traffic mode or policy. All previous versions of CommGate allowed all outgoing traffic by default, only providing the administrator with the ability to specifically block certain hosts or services. With versions above CommGate Professional Server, it is possible to block all outgoing traffic by default and only open or allow certain destination domains, ports/services to be contacted.
Note: These are the two Outgoing Traffic policies available as of CommGate CES 2009.
Outgoing Traffic - By Port/Service
Destination Ports prevents/allows a connection on a particular port/service. For instance, adding port 80 (web) disables/enables web-surfing for your entire local network.
Outgoing Traffic - By Host/Destination
Destination Domains allows you to block/allow certain networks and sites. For instance, if your Outgoing Mode is set to allow all outgoing traffic, blocking windowsupdate.microsoft.com blocks Windows from connecting to the windows update site. Keep in mind, some sites use multiple servers to handle network traffic and are not easily blocked.
If you block destinations with the firewall, bear in mind that users of the proxy may not be blocked. If you require proxy users to be blocked, your best option is to block the destinations using the DansGuardian Content Filter Module.
As of CommGate CES 2009, the Block/Allow by Destination form has changed slightly. The standard services drop-down box has been removed and merged into the Destination Ports form illustrated above.
Peer-to-Peer
Overview
| Peer-to-Peer | Information |
|---|---|
| Description | A tool to block peer-to-peer. |
| Package Name | cc-firewall-p2p |
| Configuration Page | Network > Firewall > Peer-to-Peer |
Configuration
A tool to block peer-to-peer traffic. The web-based interface tool is only included in the Office and Professional Editions.
The following applications can be blocked and/or throttled:
- eDonkey, eMule, Kademlia
- KaZaA, FastTrack
- Gnutella
- Direct Connect
- BitTorrent, extended BT
- AppleJuice
- WinMX
- SoulSeek
- Ares, AresLite
For some protocols, the peer-to-peer blocker will only halt the initial connection to other systems. In other words, a system that is already connected to a peer-to-peer network will not get blocked. If you are sanity checking this tool, please disconnect the peer-to-peer client.
Port Forwarding
Overview
| Port Forwarding | Information |
|---|---|
| Description | |
| Package Name | cc-firewall |
| Configuration Page | Network > Firewall > Port Forwarding |
Configuration
If you run servers behind your CommGate Server, you can use the Port Forwarding page to forward ports to a system on your local area network. In the example below, two port forwarding rules are configured:
- A web server (port 80) is running on the LAN at 192.168.4.10
- SSH (port 22) is also running on 192.168.4.10. Since port 22 is already used on the gateway, we specify an alternate port (2222). We then configure our SSH client to use port 2222 to connect directly to 192.168.4.10 from the Internet.
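The page describes the two 1-to-1 NAT modes and this port-forwarding example in terms of the web UI. As an added example (not CommGate's own rule script), the following Python emits the iptables rules those settings imply. It assumes an iptables-based packet filter whose FORWARD chain defaults to DROP and an external interface named eth0; the function names are mine.

```python
# Added example, not CommGate's own code: iptables rules implied by the page's
# 1-to-1 NAT and port-forwarding settings. Assumptions: iptables, FORWARD
# policy DROP, WAN interface eth0.
from typing import List, Optional, Tuple

WAN_IF = "eth0"  # assumption: name of the external interface

def one_to_one_nat(public_ip: str, lan_ip: str,
                   open_ports: Optional[List[Tuple[str, int]]] = None) -> List[str]:
    """Rules mapping public_ip to lan_ip in both directions.

    open_ports=None is the "no firewall" mode: every port and protocol is
    forwarded to the LAN host, so that host must be secured by other means.
    A list of (proto, port) is the "selective ports open" mode: only those
    ports are forwarded; everything else falls through to the DROP default.
    """
    rules = [
        # inbound: packets addressed to the public IP are rewritten to the LAN host
        f"iptables -t nat -A PREROUTING -i {WAN_IF} -d {public_ip} "
        f"-j DNAT --to-destination {lan_ip}",
        # outbound: the LAN host's own traffic leaves with the public IP as source
        f"iptables -t nat -A POSTROUTING -o {WAN_IF} -s {lan_ip} "
        f"-j SNAT --to-source {public_ip}",
        # replies to connections the LAN host opened are always let back in
        f"iptables -A FORWARD -d {lan_ip} -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if open_ports is None:
        rules.append(f"iptables -A FORWARD -i {WAN_IF} -d {lan_ip} -j ACCEPT")
    else:
        for proto, port in open_ports:
            rules.append(f"iptables -A FORWARD -i {WAN_IF} -d {lan_ip} -p {proto} "
                         f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules

def port_forward(proto: str, ext_port: int, lan_ip: str,
                 lan_port: Optional[int] = None) -> List[str]:
    """Forward ext_port on the gateway to lan_ip:lan_port (default: same port).

    Only a DNAT and a FORWARD accept are needed; as the Incoming page notes,
    no Incoming (INPUT) rule is opened, because the traffic never terminates
    on the gateway itself.
    """
    lan_port = ext_port if lan_port is None else lan_port
    return [
        f"iptables -t nat -A PREROUTING -i {WAN_IF} -p {proto} --dport {ext_port} "
        f"-j DNAT --to-destination {lan_ip}:{lan_port}",
        f"iptables -A FORWARD -i {WAN_IF} -d {lan_ip} -p {proto} --dport {lan_port} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
    ]
```

`port_forward("tcp", 2222, "192.168.4.10", 22)` is the page's second rule: external port 2222 because 22 is already taken on the gateway.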
Troubleshooting
In order for port forwarding to work properly, the target system on your local network must have its default gateway set to the CommGate Server. In the adjacent screenshot, the configuration for a Windows system is shown. The default gateway in this case is 192.168.1.1 (the IP address of the CommGate Server).