Firewall
6.1. Firewall in eBox
One of the most important features in eBox is its firewall module. You can access it through . There you can configure packet filtering (Section 6.3) or port redirection (Section 6.2).
The firewall has different behaviour with external or internal network interfaces.
The internal interfaces are connected to local networks and are not subject to the restrictions applied to external interfaces.
The external interfaces are connected to external networks, and eBox only allows port redirections from them.
Port redirects allow external traffic to reach a host behind an eBox system with the firewall module installed. You can configure these options at → .
If you need to add a new redirect, first select the Interface on which to listen for incoming connections. This should be one of the interfaces previously marked as external. You must also set the External port on which you expect the incoming traffic, and the protocol that will be used.
Then enter the destination system's IP address and the Port to which the packets will be forwarded.
Once you have entered this data, select Add from the available Actions and click on it.
To remove a rule, select remove from the available Actions and click on it.
A redirect can be modified by changing its parameters and clicking on its modify Action.
From → you can configure packet filter rules. You may use the abstractions introduced above, such as network services and network objects. Using these concepts makes the rules more flexible and clearer, and reduces the number of rules needed.
There are five different traffic flows for which you can set firewall rules:
- From internal networks to eBox
These rules control access from internal network interfaces to services running on your eBox machine. Several eBox modules add filtering rules for you so that access to eBox services can be managed easily.
- For internal networks
These rules allow you to control access from your internal networks to the Internet, and traffic between your internal networks.
- Coming out from eBox
These rules allow you to control access from eBox to external services.
- From external networks to eBox
These rules allow you to control access from external networks to services running on your eBox machine.
- From external networks to internal networks
These rules allow you to control access from external networks to internal networks.
Note that the last two rule sets grant untrusted networks access to your managed networks, which may compromise your network security. Following the eBox secure-by-default policy, do not modify these rules unless you know what you are doing. Figure 6.1 illustrates the concept:
The eBox firewall's deny policy is a silent one: every denied packet is filtered and discarded without any notification to the sender.
Each rule set defines a fixed behaviour for the traffic flow it applies to. Rules are matched from top to bottom, so their order is important. Each rule consists of the following fields, some of which are only available in certain rule sets by construction:
- Decision
Accept or deny. This explicitly accepts or denies a traffic flow.
- Source
The traffic flow origin. It may be a network object or a single IP address. This field is available for every rule set except "Filtering rules for traffic coming out from eBox".
- Destination
The traffic flow target. It may be a network object or a single IP address. This field is available for "For internal networks", "Coming out from eBox" and "From external networks to internal networks" filtering rules.
- Service
The traffic flow's service as described in Chapter 5. The match can be inverted, i.e. the inverse of the "any" service is the "none" service. This is a compulsory field, so to create a new rule a network service must already exist; if it does not, you must create it first.
- Description
An optional description to ease the firewall rule set management.
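The matching semantics described above (top-to-bottom evaluation, first match wins, inverted service match, and a silent default deny) can be modelled in a few lines. The following is an added illustration, not eBox's own code; the network objects, services and rules in it are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample network objects (the Chapter 5 abstraction), not eBox's own data.
NETWORK_OBJECTS = {"lan": ["192.168.1.0/24"], "dmz": ["10.0.0.0/24"]}
# Constructed sample services as sets of (protocol, port); "any" and "none" are built in.
SERVICES = {"http": {("tcp", 80)}, "ssh": {("tcp", 22)}}

@dataclass
class Rule:
    decision: str            # "accept" or "deny"
    service: str             # service name, "any" or "none"
    source: str = "any"      # network object name or a single IP address
    destination: str = "any"
    inverse: bool = False    # invert the service match: inverse of "any" is "none"
    description: str = ""

def _addr_matches(selector, ip):
    """A selector is a network object name, a single IP address, or 'any'."""
    if selector == "any":
        return True
    nets = NETWORK_OBJECTS.get(selector, [selector])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def _service_matches(rule, proto, port):
    if rule.service == "any":
        hit = True
    elif rule.service == "none":
        hit = False
    else:
        hit = (proto, port) in SERVICES[rule.service]
    return hit != rule.inverse

def evaluate(rules, src, dst, proto, port):
    """First matching rule, top to bottom, decides; no match is a silent deny."""
    for r in rules:
        if (_addr_matches(r.source, src) and _addr_matches(r.destination, dst)
                and _service_matches(r, proto, port)):
            return r.decision, r.description
    return "deny", "default policy: packet dropped without notification"

# Constructed "From internal networks to eBox" rule set; order matters.
RULES = [
    Rule("deny", "ssh", source="dmz", description="no SSH from the DMZ"),
    Rule("accept", "any", source="lan", description="LAN may reach all eBox services"),
    Rule("accept", "http", source="dmz", inverse=True, description="DMZ: anything but HTTP"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.0.0.7", "192.168.1.1", "tcp", 22))    # deny, first rule
    print(evaluate(RULES, "10.0.0.7", "192.168.1.1", "tcp", 80))    # deny, default policy
    print(evaluate(RULES, "192.168.1.5", "192.168.1.1", "tcp", 22)) # accept, LAN rule
```

Swapping the DMZ deny rule below an "accept any from dmz" rule would let SSH through, which is the ordering point the text makes.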