The firewall in ICS CUBE is a kernel-level software system that controls and filters traffic according to a set of rules. Its main goal is to protect the network and internal corporate resources from unauthorized access. In ICS CUBE the firewall is also responsible for network address translation (NAT) and port forwarding (PF).
On the module's initial page you can find its status, the “Disable” button (or “Enable”, if the module is disabled) and the latest log messages.
Attention! If you turn the firewall off, only NAT rules will remain in effect. All rules that block undesired access will be disabled as well, which may lead to a security breach. It is highly recommended to turn the firewall off only when it is truly necessary.
Also keep in mind that if ICS CUBE reboots with the firewall turned off, the pf rules, including NAT rules, will be cleared completely; in that case users will not be able to access the Internet via any protocol except HTTP.
The “Settings” tab allows you to set basic access to ICS CUBE without creating additional firewall rules. You can specify IP addresses or subnets that are allowed to access the ICS CUBE web interface and the recovery console via SSH. If you want to allow access to the ICS CUBE console from anywhere, you can set the 0.0.0.0/0 subnet.
Attention! Such a setting is considered insecure, since anyone can then try to access the system.
Before allowing access, it is highly recommended to change the password to a strong one (at least 8 characters, including digits and upper- and lower-case letters).
The “Maximum number of active connections” field sets the limit on the total number of connections to the system.
The “Firewall mode” parameter defines which module, pf or ipfw, starts first. In some cases VPN connections through ICS CUBE can be disrupted by the NAT of the pf module. In such a case you can change the start-up sequence to pf→ipfw.
The “Rules” tab is the system administrator's main instrument for setting up and maintaining the firewall. It is divided into two parts: the interface list (a tree) and the list of rules itself. When you click on an interface, you see the rules related to it.
Firewall rules are grouped as follows:
By default, any connection from outside is blocked by the firewall. During installation several standard rules are added that are crucial for core services: mail server (ports 25, 110, 143), FTP server (ports 21 and 10000-10030), web server (port 80), DNS server (port 53 UDP) and VPN server (port 1723 and the GRE protocol). There are also two additional default allow rules: access to Samba resources (ports 139, 445) and DNS zone transfer (port 53 TCP), as well as the rule allowing ICMP requests. These rules are not mandatory; you can disable, edit or delete them if necessary.
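As an added illustration, not ICS CUBE's own configuration, here is a pf ruleset that expresses the default-deny policy and the standard allow rules listed above, with NAT kept separate from the filtering rules; the interface name em0, the LAN and admin subnets, and the admin ports 22 and 443 are assumptions:

```pf
# Added example, not the ICS CUBE ruleset. Interface and subnets are assumed.
ext_if    = "em0"
lan_net   = "192.168.1.0/24"
admin_net = "192.168.1.0/24"   # subnets allowed to reach the web interface / SSH console

set skip on lo0

# NAT for the LAN. This is the part that keeps working when filtering is disabled,
# so it must never be relied on as an access control.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny: every inbound connection not explicitly allowed is dropped and logged.
block in log all
pass out quick keep state

# Standard rules added at installation for core services.
pass in on $ext_if proto tcp to ($ext_if) port { 25, 110, 143 }     # mail server
pass in on $ext_if proto tcp to ($ext_if) port { 21, 10000:10030 }  # FTP + passive range
pass in on $ext_if proto tcp to ($ext_if) port 80                   # web server
pass in on $ext_if proto udp to ($ext_if) port 53                   # DNS queries
pass in on $ext_if proto tcp to ($ext_if) port 1723                 # PPTP VPN
pass in on $ext_if proto gre                                        # GRE carried by PPTP

# Optional default allow rules; disable if the service is not used.
pass in on $ext_if proto tcp to ($ext_if) port { 139, 445 }         # Samba resources
pass in on $ext_if proto tcp to ($ext_if) port 53                   # DNS zone transfer
pass in on $ext_if inet proto icmp icmp-type echoreq                # ICMP echo requests

# Administrative access only from admin_net (ports assumed); never from 0.0.0.0/0.
pass in proto tcp from $admin_net to self port { 22, 443 }
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the active filter rules and `pfctl -sn` the NAT rules, which is a quick way to confirm that nothing beyond the intended services is reachable from outside.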
The “Events” tab shows everything that happens with the firewall. It is divided into pages; you can navigate between them with the “Next” and “Previous” buttons, or enter a page number into the appropriate field to go directly to it. In the top right corner there is a search field that you can use to look for specific records.
The tab always shows events for the current date. To check another day's events, choose the date in the calendar in the top left corner of the module.
On the right side of the top panel there is a drop-down menu, “All messages”, which filters the event list by criteria: system messages, service messages, errors, other messages.