Endian Firewall
Author: l | 2025-04-24
Endian Firewall is one of the best open-source, Linux-based firewall security solutions and is available as the Endian Firewall Community (EFW) edition. There is a guide on how to install Endian Firewall (Endian Firewall installation guide); Endian Firewall is a software firewall that the vendor has designed in both a Pro and a Free version.
Endian Firewall 2.5.2 - LQ ISO
In this page you find:
- Common configuration items
- Port forwarding / NAT
  - Port forwarding / Destination NAT
  - Source NAT
  - Incoming routed traffic
- Outgoing traffic
  - Current rules
  - Outgoing Firewall Settings
- Inter-Zone traffic
  - Current rules
  - Inter-Zone Firewall Settings
- VPN traffic
  - Current rules
  - VPN Firewall settings
- System access
- Firewall Diagrams

This section allows to set up rules that specify if and how the network traffic flows through the Endian Hotspot Appliance. The firewall on the Endian Hotspot Appliance is divided in different modules, each monitoring and allowing or blocking one specific type of traffic. The modules available are the following:
- Port forwarding / NAT - port forwarding and NAT (Network Address Translation).
- Outgoing traffic - outgoing traffic, i.e., towards the RED interface.
- Inter-Zone traffic - traffic between zones.
- VPN traffic - traffic generated by VPN users.
- System access - grant access to the Endian Hotspot Appliance host itself.
- Firewall diagrams - pictures that show which traffic is intercepted by each type of firewall.

Within each of the sub-menus, in which all the corresponding existing rules are listed, any customised rules can be added, for any type of service or every port/protocol. The various parts of which the firewall is composed refer to different types of traffic (e.g., OpenVPN governs the traffic from/to the VPN users, inter-zone traffic the one flowing from zone to zone) and are designed to avoid any overlapping or even contrasting rules. In other words, there is no way to write two rules in two different firewall modules whose combined effect causes an unwanted block or access of packets. The choice to separate the networks controlled by the Endian Hotspot Appliance also allows for an easier management of the firewall, whose configuration may become very complex. Indeed, each of the modules can be considered as an independent firewall, and their combined effect covers all possible packet flows through the Endian Hotspot Appliance.

Additionally, for any of the modules listed above, one or more rules may exist that can neither be disabled nor removed. These are the so-called Rules of system services (or System rules), whose purpose is to allow the correct interoperability of the services running on the Endian Hotspot Appliance with the Endian Network infrastructure.

The rules that are defined here will be transformed into iptables commands, the standard Linux firewall tool since the 2.4 kernel, and therefore organised into tables, chains, and rules. For a more in-depth description of the various elements that compose a firewall rule, or even to learn how to fine-tune and to manage a complex firewall, it is suggested to read either the iptables(8) manual page on any Linux box, or some of the countless online resources or tutorials available on the Internet.

Common configuration items

When adding a rule, most of the configuration options in the firewall's parts are of the same type (e.g., the source or destination interfaces), since they are built with the same software, iptables. Therefore, in order to keep this section short and readable, all the common configuration items are grouped and explained here. The next sections will contain only a description of the options that are peculiar to that part of the firewall.

Hint: Multiple values can be supplied for any option. If there is a list of values to choose from, hold the CTRL key (German STRG) and click on each value; otherwise, write one value per line if there is a textbox.

Source or Incoming IP
Usually in

In the top box.
- GREEN: HTTP, HTTPS, FTP, SMTP, POP, IMAP, POP3s, IMAPs, DNS, ICMP
- ORANGE: DNS, ICMP
- BLUE: HTTP, HTTPS, DNS, ICMP

Everything else is forbidden by default except for the System rules, which allow access to the services in the Endian Network. The system rules are defined even if the corresponding zones are not enabled.

Note: Access to Endian Network is not permitted to Community Edition appliances.

Possible actions on each rule are to enable or disable it, to edit it or to delete it. Additional rules can be added by clicking on the Add a new firewall rule link at the top of the page. Please remember that the order of rules is important: the first matching rule decides whether a packet is allowed or denied, regardless of how many matching rules follow. The order of the rules can be changed by using the up and down arrow icons next to each rule.

The following settings differ from the default common options.

Source
It can be one or more Zone/Interfaces, Network/IP, or MAC addresses.

Destination
It can be the RED zone, one or more uplinks, or one or more network/host addresses accessible outside the RED interface.

Application
This search widget allows to select the applications that should be part of the rule. Applications are divided into categories (e.g., Database, filesharing, and so on).

Hint: Enter at least one letter to show all applications whose name starts with that letter.

Outgoing Firewall Settings

It is possible to disable or enable the whole outgoing firewall by clicking on the Enable Outgoing firewall switch. When disabled, all outgoing traffic is allowed and no packet is filtered. This setting is however strongly discouraged, and the recommendation is to keep the outgoing firewall enabled.

Log accepted outgoing connections
Ticking this checkbox causes all the accepted connections to the RED interface to be logged.

Proxy and outgoing firewall
Whenever the proxy is activated for a given service (e.g., HTTP, POP, SMTP, DNS), the firewall rules in the outgoing firewall will take no effect, because of the nature of the proxy. With the proxy activated, whenever a connection starts from a client to the Internet, it will either be intercepted by the proxy on the Endian Hotspot Appliance (in transparent mode) or go directly to the proxy, but never go through the firewall. The proxy then starts a new connection to the real destination, gets the data and sends it to the client. Those connections to the Internet always start from the Endian Hotspot Appliance, which hides the clients' internal IP addresses. Therefore, such connections never go through the outgoing firewall, since in fact they are local connections.

Inter-Zone traffic

This module permits to set up rules that determine how traffic can flow between the local network zones, therefore excluding the RED zone (traffic through the RED zone can be filtered in Outgoing traffic and Port forwarding / NAT). To activate the inter-zone firewall, click on the grey switch. Two boxes are present on this page, one that shows the current rules and allows to add new ones, and one that allows to set the inter-zone firewall options.

Note: When the Endian Hotspot Appliance is configured in no uplink mode, all the network traffic shall be filtered using the interzone firewall. Also when in Stealth uplink mode with more than one zone defined, all the traffic not routed
through the gateway is filtered with the interzone firewall. See the stealth uplink description for more information.

Current rules

The Endian Hotspot Appliance comes with a simple set of pre-configured rules: traffic is allowed from the GREEN zone to any other zone (ORANGE and BLUE) and within each zone, with everything else forbidden by default. Analogously to the outgoing traffic firewall, rules can be disabled/enabled, edited or deleted by clicking on the appropriate icon on the right side of the table. New rules can be added by clicking on the Add a new inter-zone firewall rule link at the top of the page. Only the common options can be configured.

Inter-Zone Firewall Settings

The inter-zone firewall can be disabled or enabled by using the Enable Inter-Zone firewall switch. When disabled, all traffic is allowed among all the BLUE, GREEN, and ORANGE zones. Disabling the inter-zone firewall is strongly discouraged.

Log accepted Inter-Zone connections
Ticking this checkbox causes all the accepted connections among the zones to be logged.

VPN traffic

The VPN traffic firewall allows to add firewall rules applied to the users and hosts that are connected via OpenVPN. The VPN traffic firewall is normally not active, which means that, on the one side, the traffic can freely flow between the VPN clients and the hosts in the GREEN zone, and on the other side, VPN hosts can access all the zones behind the Endian Hotspot Appliance.

Note: VPN clients are not subject to the outgoing traffic firewall or the Inter-Zone traffic firewall.

Two boxes are present on this page, one that shows the current rules and allows to add new ones, and one that allows to set the VPN firewall options.

Current rules

By default there is no rule defined; therefore, to add rules, click on the Add a new VPN firewall rule link at the top of the page. Only the common options are available to define the rules.

VPN Firewall settings

The VPN firewall can be disabled or enabled using the Enable VPN firewall switch.

Log accepted VPN connections
Ticking this checkbox causes all the accepted connections from the VPN users to be logged.

System access

This section governs the rules that grant or deny access to the Endian Hotspot Appliance itself and to the services that run on it. There is a list of pre-configured rules that cannot be changed, whose purpose is to guarantee the proper working of the services running on the Endian Hotspot Appliance that require to be accessed from clients located either in the local or remote zones. The list of the pre-defined rules is shown when clicking on the Show rules of system services button at the bottom of the page.

Examples of the system access rules include services that are always active, for example the DNS service to resolve hostnames (which requires that port 53 be open), or the access to the administration web interface (which uses port 10443). Moreover, whenever a service (e.g., OpenVPN, the Hotspot, SNMP server among others) is activated, one or more rules are automatically created to allow the proper operation of the service itself.

More system access rules can be added by clicking on the Add a new system access rule link. The settings specific to this module of the firewall are:

Log packets
All packets that access or try to access the Endian Hotspot Appliance are logged when this
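The page states two things about rule evaluation that are easy to get wrong when writing rules: the first matching rule decides the verdict regardless of later rules, and anything no rule matches is forbidden. The following added example (not Endian's code, and not its iptables translation) models both the default outgoing rule set per zone and the default inter-zone rule set as ordered first-match rule lists; the zone names come from the page, while the service-to-port mapping and the test packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Service -> (protocol, port); constructed mapping, ICMP matched on protocol only.
SERVICES = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "FTP": ("tcp", 21),
    "SMTP": ("tcp", 25), "POP": ("tcp", 110), "IMAP": ("tcp", 143),
    "POP3s": ("tcp", 995), "IMAPs": ("tcp", 993), "DNS": ("udp", 53),
    "ICMP": ("icmp", None),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str           # zone the packet comes from, or "ANY"
    dst_zone: str           # zone it is headed to, or "ANY"
    service: Optional[str]  # key of SERVICES, or None for any service
    action: str             # "ALLOW" or "DENY"

    def matches(self, src, dst, proto, port):
        if self.src_zone not in ("ANY", src) or self.dst_zone not in ("ANY", dst):
            return False
        if self.service is None:
            return True
        sproto, sport = SERVICES[self.service]
        return sproto == proto and (sport is None or sport == port)

def evaluate(rules, src, dst, proto, port=None):
    """First matching rule decides; later matches are never consulted."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "DENY"  # nothing matched: the page's default, everything else forbidden

# Default outgoing rules from the page: per-zone services towards RED.
_DEFAULT_OUTGOING = {
    "GREEN": ["HTTP", "HTTPS", "FTP", "SMTP", "POP", "IMAP",
              "POP3s", "IMAPs", "DNS", "ICMP"],
    "ORANGE": ["DNS", "ICMP"],
    "BLUE": ["HTTP", "HTTPS", "DNS", "ICMP"],
}
OUTGOING = [Rule(zone, "RED", svc, "ALLOW")
            for zone, svcs in _DEFAULT_OUTGOING.items() for svc in svcs]

# Default inter-zone rules: GREEN to any zone, plus traffic within each zone.
INTERZONE = [Rule("GREEN", "ANY", None, "ALLOW")] + [
    Rule(zone, zone, None, "ALLOW") for zone in ("GREEN", "ORANGE", "BLUE")]

def order_matters():
    """The same two rules in both orders: the first match wins each time."""
    deny_first = [Rule("BLUE", "RED", "HTTP", "DENY"),
                  Rule("BLUE", "RED", "HTTP", "ALLOW")]
    allow_first = list(reversed(deny_first))
    packet = ("BLUE", "RED", "tcp", 80)
    return evaluate(deny_first, *packet), evaluate(allow_first, *packet)
```

Replaying a proposed rule set through evaluate() before loading it on the appliance is a cheap way to catch a rule that is shadowed by an earlier match or a flow that silently falls through to the default deny.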