Firewall configuration

The firewall is now enabled in order to control the traffic between the individual zones (LAN, DMZ and Internet).

When this is done, connections from the LAN to anywhere and connections from the DMZ to the Internet are permitted. All other traffic is blocked by default.

A filter rule is created for each of the services on the servers in the DMZ which are to be accessible from the Internet. In our example, these are a web server and an E-mail server; the E-mail server receives incoming mail and also allows mailboxes to be retrieved from outside via POP3 or IMAP over an encrypted connection.

The firewall's basic setting is to block traffic to all the interfaces. So everything that is not explicitly permitted is prohibited.

In the default setting, the firewall becomes active as soon as the first rule is configured. So it is important that the first rule also permits access to the router itself, so that it can still be configured afterwards.

Configure the alias names for the servers' IP addresses

To be able to identify the servers when configuring the filter rules, alias names are created for the web and E-mail servers' IP addresses.

Go to the following menu to create aliases:

  1. Go to Firewall -> Addresses -> Address List-> New.


Proceed as follows:

  1. Enter the name of the alias under Description, e.g. WebServer.

  2. Under Address Type select Address / Subnet.

  3. Under Address / Subnet enter the IP address and corresponding subnet mask, in this case e.g. 213.7.46.2 and 255.255.255.255.

  4. Confirm with OK.

Proceed in the same way to configure the alias name for the E-mail server.

  1. Go to Firewall -> Addresses -> Address List-> New.

  2. Enter the name of the alias under Description, e.g. EMailServer.

  3. Under Address Type select Address / Subnet.

  4. Under Address / Subnet enter the IP address and corresponding subnet mask, in this case e.g. 213.7.46.3 and 255.255.255.255.

  5. Confirm with OK.

Configuring service sets

Each of the servers is to provide various services. You can group together several services into groups to make it easier to configure the filter rules.

Go to the following menu to create a group:

  1. Go to Firewall -> Services -> Groups-> New.


Proceed as follows to create a group:

  1. Enter a name for the group under Description, e.g. WebServices.

  2. Select the services to be included in the group, in this example http and http (SSL).

  3. Confirm with OK.

Proceed in the same way to configure the service group for the E-mail server.

  1. Go to Firewall -> Services -> Groups-> New.

  2. Enter the name of the group under Description, e.g. EmailServices.

  3. Select the services to be included in the group, in this example smtp, pop3 (SSL) and imap (SSL).

  4. Confirm with OK.

Configure policies

Note

The correct configuration of the filter rules and the right arrangement in the filter rule chain are decisive factors for the operation of the firewall. An incorrect configuration may possibly prevent further communication with the router!

Once you have completed the configuration of the alias names for IP addresses and services, you can define the filter rules.

Proceed as follows to configure the first rule:

  1. Go to Firewall -> Policies -> IPv4 Filter Rules ->New.


Proceed as follows:

  1. Select the packet's Source, in this case LAN_EN1-0.

  2. Set the Destination to ANY. Neither the destination interface nor the destination address will be checked.

  3. For Service, select any.

  4. Select the Action that is to be applied, in this case Access. The packets are forwarded on the basis of the entries.

  5. Confirm with OK.

    With these settings, outgoing connections are allowed from the LAN to the DMZ and to the Internet, including the LAN-side access to the router.

Configure the second filter rule in the same way as you configured the first rule.

  1. Go to Firewall -> Policies -> Filter Rules ->New.

  2. Select the packet's Source, in this case LAN_EN1-1.

  3. As the Destination, select LAN_EN1-4. Source and destination interface will be checked.

  4. For Service, select any.

  5. Select the Action that is to be applied, in this case Access. The packets are forwarded on the basis of the entries.

  6. Confirm with OK.

    With these settings, outgoing connections are allowed from the DMZ to the Internet.

Now rules can be created for accessing the web server from the Internet.

  1. Go to Firewall -> Policies -> Filter Rules ->New.

  2. Select the packet's Source, in this case LAN_EN1-4.

  3. Set the Destination to WebServer.

  4. For Service, select WebServices.

  5. Select the Action that is to be applied, in this case Access. The packets are forwarded on the basis of the entries.

  6. Confirm with OK.

Finally, the rules are created for accessing the E-mail server from the Internet.

  1. Go to Firewall -> Policies -> Filter Rules ->New.

  2. Select the packet's Source, in this case LAN_EN1-4.

  3. Set the Destination to EMailServer.

  4. For Service, select EmailServices.

  5. Select the Action that is to be applied, in this case Access. The packets are forwarded on the basis of the entries.

  6. Confirm with OK.

The list of the filter rules that have been configured should now look like this:

Go to Firewall -> Policies -> Filter Rules.


This completes the configuration. Save the configuration with Save configuration and confirm the selection with OK.
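To check the resulting policy before it is applied, the following added example (not part of this manual or the router's software) models the four rules above as a first-match chain with the default deny. Interface names, aliases and service groups are the ones from the text; the port numbers behind the service groups, the router's own address and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

# Aliases created under Firewall -> Addresses (host masks 255.255.255.255)
ALIASES = {"WebServer": "213.7.46.2", "EMailServer": "213.7.46.3"}
# Service groups created under Firewall -> Services -> Groups (ports assumed)
SERVICES = {
    "any": None,                      # matches every port
    "WebServices": {80, 443},         # http, http (SSL)
    "EmailServices": {25, 995, 993},  # smtp, pop3 (SSL), imap (SSL)
}

@dataclass(frozen=True)
class Packet:
    src_if: str   # interface the packet arrives on
    dst_if: str   # interface it would leave on; "router" = the device itself
    dst_ip: str
    dport: int

@dataclass(frozen=True)
class Rule:
    source: str       # source interface
    destination: str  # "ANY", an interface name or an address alias
    service: str      # key of SERVICES
    action: str       # "Access" or "Deny"

# The chain exactly in the order the page creates it
POLICY = [
    Rule("LAN_EN1-0", "ANY", "any", "Access"),         # LAN -> anywhere
    Rule("LAN_EN1-1", "LAN_EN1-4", "any", "Access"),   # DMZ -> Internet
    Rule("LAN_EN1-4", "WebServer", "WebServices", "Access"),
    Rule("LAN_EN1-4", "EMailServer", "EmailServices", "Access"),
]

def _dest_matches(rule, pkt):
    if rule.destination == "ANY":
        return True                                     # nothing is checked
    if rule.destination in ALIASES:
        return pkt.dst_ip == ALIASES[rule.destination]  # alias: check the IP
    return pkt.dst_if == rule.destination               # otherwise an interface

def decide(pkt, policy=POLICY):
    """First matching rule wins; anything not explicitly permitted is blocked."""
    for pos, rule in enumerate(policy, 1):
        ports = SERVICES[rule.service]
        if (pkt.src_if == rule.source and _dest_matches(rule, pkt)
                and (ports is None or pkt.dport in ports)):
            return rule.action, pos
    return "Deny", None
```

Evaluating the chain without its first rule (`decide(pkt, POLICY[1:])`) reproduces the lock-out the note above warns about: a LAN packet addressed to the router itself then falls through to the default deny.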