firewall50

Differences

This shows you the differences between two versions of the page.

firewall50 [2019/06/06 11:32]
root
firewall50 [2020/04/07 16:52] (current)
zog [Events]
Line 1: Line 1:
-=====Firewall=====+=====Firewall.=====
  
-====Main page of the module====+====Main page of the module.====
  
-{{firewall1.png}}+{{:firewall1.png?650|}}
  
-Firewall is software ​stack which controls and filters traffic ​using its ruleset. Main goal of the firewall is protection networks and theirs nodes from unauthorized access. Also, in ICS CUBE, firewall is responsible for NAT and port forwarding.+Firewall ​in ICS CUBE is kernel-level ​software ​system ​which controls and filters traffic ​according to a set of rules. Main goal of the firewall is protection ​of networks and internal corporate resources ​from unauthorized access. Also, in ICS CUBE, firewall is responsible for network address translation (NATand port forwarding ​(PF).
  
-On the start page of the module you can find it’s status, the “Disable” button (or “Enable”,​ if the module is disabled) and last log messages.+On the initial ​page of the module you can find it’s status, the “Disable” button (or “Enable”,​ if the module is disabled) and last log messages.
  
-**Attention!** If you turn off firewall, only NAT rules will be in action. All rules that block undesirable access will be turned off as well, which may lead to security breach. It’s highly recommended to turn off firewall only when it’s truly necessary.+**Attention!** If you turn firewall ​off, only NAT rules will be in action. All rules that block undesirable access will be turned off as well, which may lead to security breach. It’s highly recommended to turn off firewall only when it’s truly necessary.
  
-Also it should be remembered ​that after server ​reboot with the firewall turned off, the pf rules, including NAT rules, will be cleared completely, and in this case users will not be able to access Internet via all protocols except HTTP.+**Also keep in mind that after ICS CUBE reboot with the firewall turned off, the pf rules, including NAT rules, will be cleared completely, and in this case users will not be able to access Internet via all protocols except HTTP.**
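Review bot: the rewritten intro line loses the closing parenthesis after NAT ("network address translation (NATand port forwarding (PF)" should read "network address translation (NAT) and port forwarding (PF)"), and the new abbreviation PF for port forwarding is easy to confuse with the pf packet filter named a few lines later ("the pf rules, including NAT rules") and again under Settings ("pf or ipfw"); suggest spelling out "port forwarding" and reserving "pf" for the filter. "is kernel-level software system" needs an article ("is a kernel-level software system"). The new headings "=====Firewall.=====" and "====Main page of the module.====" gain trailing periods that the other headings ("====Settings====", "====Rules====", "====Events====") do not have; drop them for consistency. Bolding the reboot warning is a good change; consider also stating what the administrator has to do to get the NAT rules back after such a reboot, since the paragraph leaves the reader with "users will not be able to access Internet" and no remedy.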
  
-====Setting====+====Settings====
  
-{{firewall2.png}}+{{:firewall2.png?|}}
  
-The “Settings” tab allows to set the basic access to ICS CUBE without creating additional firewall rules. You can set IP-addresses or subtents ​that will be allowed to access ICS CUBE web-interface and to recovery console via ssh. +The “Settings” tab allows to set the basic access to ICS CUBE without creating additional firewall rules. You can specify ​IP-addresses or subnets ​that will be allowed to access ICS CUBE web-interface and recovery console via ssh. 
-If you want to allow access to ICS CUBE from everywhere, you can set the 0.0.0.0/0 subnet. Attention! Such settings are considered insecure since this way everyone can try to access the system. Before allowing access, it’s highly recommend to change password for a strong one (not less then 8 symbols including numbers and higher and lower-case letters).+If you want to allow access to ICS CUBE console ​from anywhere, you can set the 0.0.0.0/0 subnet. ​
  
-The “Maximum active connections allowed” helps to set the limit of all connections ​to the system.+**Attention! Such settings are considered insecure since this way everyone can try to access ​the system.** 
  
-The “Firewall mode” parameter is for defining which module - pf or ipfw - will come first. In some cases the VPN-connections through ICS CUBE can be troubled ​by NAT of the pf module. In such case you can change the start-up sequence to pf→ipfw.+Before allowing access, it’s highly recommend to change password for a strong one (not less then 8 symbols including numbers and upper and lower-case letters). 
 + 
 +The “Maximum number of active connections” helps to set the limit of all connections to the system. 
 + 
 +The “Firewall mode” parameter is for defining which module - pf or ipfw - will start first. In some cases the VPN-connections through ICS CUBE can be disturbed ​by NAT of the pf module. In such case you can change the start-up sequence to pf→ipfw.
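Review bot: the "Firewall mode" paragraph tells the reader to change the start-up sequence to pf→ipfw when VPN connections are disturbed by the pf module's NAT, but never states the default order, so it is unclear what the reader is switching away from; state the default explicitly next to the recommended alternative. The 0.0.0.0/0 sentence now says "access to ICS CUBE console from anywhere" while the sentence before it lists both the web-interface and the recovery console via ssh; say which of the two the subnet setting governs (or that it governs both) so the scope of the bolded warning is clear. In the password sentence, "it's highly recommend to change password for a strong one (not less then 8 symbols" should read "it's highly recommended to change the password to a strong one (not less than 8 characters". "allows to set the basic access" reads better as "lets you set the basic access", and "subtents" → "subnets" in the old text is correctly fixed.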
  
 ====Rules==== ====Rules====
  
-{{firewall3.png}}+The “Rules” tab is the main instrument of system administrator in setting and maintaining the firewall. It is divided in two parts: the interface list (tree-like) and the list of the rules itself. When you click on an interface, you’ll see the rules related to it.
  
-The “Rule” tab is the main instrument of the system administrator to set up the firewall. It is divided in two partsthe interfaces list (tree-like) and the list of the rules itself. When you click on an interface, you’ll see the rules connected to it. If necessary, the interfaces list can be disabled, using the arrow button in the center of the separation line.+{{:firewall3.png?|}}
  
 Firewall rules are grouped as following: Firewall rules are grouped as following:
  
-  * Allow rules +  * Permitting rule 
-  * Deny rules +  * Blocking rule 
-  * Priorities +  * Priority 
-  * Routes+  * Route
   * Speed limits   * Speed limits
  
-By default ​all connections ​from outside is blocked by firewall. During the installation several standard rules are created, which are crucial for main services: mail server (25, 110, 143 ports), FTP-server (21 and 10000-10030 ports), web-server (80 port), DNS server (53 UDP port) and VPN-server (port 1723 and GRE protocol). Also there are two additional default allow rules: access to samba-resources (ports 139, 445) and to DNS zones transfer (port 53 TCP), and also the rule responsible for allowing ICMP-requests. ​Those rules are not mandatory, you can turn them off, edit or delete, if necessary.+By default ​any connection ​from outside is blocked by the firewall. During the installation several standard rules are added, which are crucial for core services: mail server (25, 110, 143 ports), FTP-server (21 and 10000-10030 ports), web-server (80 port), DNS server (53 UDP port) and VPN-server (port 1723 and GRE protocol). Also there are two additional default allow rules: access to samba-resources (ports 139, 445) and to DNS zones transfer (port 53 TCP), and also the rule responsible for allowing ICMP-requests. ​These rules are not mandatory, you can turn them off, edit or delete, if necessary.
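Review bot: the rewritten Rules intro drops the old sentence about collapsing the interface list ("If necessary, the interfaces list can be disabled, using the arrow button in the center of the separation line"); if that control still exists, keep the sentence, since nothing else in the tab tells the reader how to hide the tree. The group names are now singular ("Permitting rule", "Blocking rule", "Priority", "Route") while "Speed limits" stays plural; pick one form. "main instrument of system administrator" needs "the", "divided in two parts" should be "divided into two parts", and "grouped as following" should be "grouped as follows". In the default-rules paragraph, the samba (ports 139, 445), DNS zone transfer (port 53 TCP) and ICMP allow rules are already described as optional; consider adding an explicit recommendation to disable the ones that are not in use, since each is a default-allow exception to the "any connection from outside is blocked by the firewall" policy stated at the top of the same paragraph.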
  
 ====Events==== ====Events====
  
-{{firewall4.png}}+{{:firewall4.png?|}} 
 + 
 +The “Events” tab shows all what happens with the firewall. It’s divided into pages, you can navigate between them with the “Next” and “Previous” buttons, or enter the page number into the appropriate field to proceed directly to it. In the top right corner there is a search line. You can use it to look for specific records.
  
-The “Events” tab shows all that happens with the firewall. It’s divided into pages, you can navigate between them with the “Next” and “Previous” buttons, or enter the page number into the appropriate field to proceed directly to it. In the top right corner there is a search line. You can use it to look for specific records. 
 The tab always shows events for the current date. To check other day’s events, choose the dates in the calendar in the top left corner of the module. The tab always shows events for the current date. To check other day’s events, choose the dates in the calendar in the top left corner of the module.
  
-On the right side of the top panel there is a drop-down menu “Messages”, which allows to filter the event list using some criteria: system messages, service messages, errors, other messages.+On the right side of the top panel there is a drop-down menu “All messages”, which allows to filter the event list using some criteria: system messages, service messages, errors, other messages.
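Review bot: "shows all what happens with the firewall" should read "shows everything that happens in the firewall", and "allows to filter the event list" should be "lets you filter the event list". Moving the tab description directly under the screenshot is fine (the removed paragraph at the end of the section is the same text), but the sentence "The tab always shows events for the current date..." now stands on its own between the two; attach it to the paragraph above so the description of paging, search and the date picker reads as one unit. The drop-down label change from "Messages" to "All messages" should match the actual UI string; worth a quick check against the screenshot.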
  
firewall50.1559809979.txt.gz · Last modified: 2019/06/06 11:32 by root