Help

Defining a Complex Firewall Rule

You are about to define a new rule that manages a specific kind of connection between two different zones. If a connection request matches all the criteria defined here, the "Result" action is taken.

Here is a description of the fields available in the form; fill them in according to the criteria a request must match for this rule to apply. Some options are also available to manage the matching connections:

Rule ID: The unique ID number identifying this policy rule.
Result: The action taken for a connection request matching this rule. See the table below.
Logging: Set to "info" if you want each of these connections logged by syslog when accepted.
Pre-defined Services: Choose a common service from the pull-down list, or enter a service name or port number in the field.
Protocol: The protocol type associated with that service.
Client: The zone from which the connection request originates. The match can be narrowed by specifying a precise IP or subnet, or even a port number. Leave "-" in the field to match any IP or port.
Server: The zone to which the connection request is directed. The match can be narrowed by specifying a precise IP or subnet, or even a port number. Leave "-" in the field to match any IP or port.
Forwarding Address: If the request is targeted at the IP specified here (or if it is set to "all"), it is forwarded to the "Server" IP and port. In this case the "Server" field must specify a single IP address.
SNAT: If specified, and if forwarding is activated above, the source address of the request is set to this "SNAT" value before being forwarded to the server.

Here is a short description of the four possible actions:

ACCEPT: The connection is allowed.
DROP: The connection request is ignored.
REJECT: The connection request is blocked and a "destination-unreachable" message is sent back to the client.
CONTINUE: The connection is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may be used when one or both of the zones named in the entry are sub-zones of, or intersect with, another zone.

Example: you want the FTP server at 192.168.2.2 in your masqueraded DMZ to be reachable from the local 192.168.1.0/24 subnetwork. LAN clients address the forwarding address 155.186.235.151, and the firewall forwards the request to 192.168.2.2. Note that since the server is in the 192.168.2.0/24 subnetwork, access to the server from that subnet does not involve the firewall.

Result: ACCEPT
Logging: (left empty)
Pre-defined Services: ftp
Protocol: tcp
Client: lan | 192.168.1.0/24
Server: dmz | 192.168.2.2
Forwarding Address: 155.186.235.151
SNAT: (left empty)
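The following Python model is an added example, not part of this help page or of the firewall product itself. It encodes the two constraints stated above (a Forwarding Address requires a single Server IP, and SNAT only applies when forwarding is active) as form checks, and renders each rule as the equivalent iptables commands so the effect of the fields can be seen. The service list, the zone-to-interface mapping, the rule_id value and the iptables translation itself (including mapping CONTINUE to RETURN) are assumptions made for the example; the port narrowing fields of Client and Server are left out for brevity.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Constructed lookup tables standing in for the product's own service list and
# zone definitions (assumptions, not taken from the help page).
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443}
ZONE_INTERFACES = {"net": "eth0", "lan": "eth1", "dmz": "eth2"}
# CONTINUE has no direct iptables target; RETURN is used here as an approximation.
TARGETS = {"ACCEPT": "ACCEPT", "DROP": "DROP", "REJECT": "REJECT", "CONTINUE": "RETURN"}


def _hosts(text: str) -> int:
    """Addresses covered by an IP or subnet string, or 0 if it is neither."""
    try:
        return ip_network(text, strict=False).num_addresses
    except ValueError:
        return 0


@dataclass
class Rule:
    rule_id: int
    result: str
    service: str                # name from SERVICES, or a port number as text
    protocol: str               # "tcp" or "udp"
    client_zone: str
    server_zone: str
    client_addr: str = "-"      # IP, subnet, or "-" for any
    server_addr: str = "-"
    forward_addr: Optional[str] = None   # IP the request is targeted at, or "all"
    snat: Optional[str] = None
    logging: Optional[str] = None        # "info" to have accepted connections logged

    def port(self) -> int:
        return SERVICES.get(self.service) or int(self.service)

    def validate(self) -> List[str]:
        """Return the form errors; an empty list means the rule is acceptable."""
        errors = []
        if self.result not in TARGETS:
            errors.append(f"Result must be one of {', '.join(TARGETS)}")
        if self.protocol not in ("tcp", "udp"):
            errors.append("Protocol must be tcp or udp")
        if self.service not in SERVICES and not (self.service.isdigit() and 0 < int(self.service) < 65536):
            errors.append(f"unknown service {self.service!r}")
        for zone in (self.client_zone, self.server_zone):
            if zone not in ZONE_INTERFACES:
                errors.append(f"unknown zone {zone!r}")
        for label, value in (("Client", self.client_addr), ("Server", self.server_addr)):
            if value != "-" and _hosts(value) == 0:
                errors.append(f"{label} {value!r} is not an IP or subnet")
        if self.forward_addr is not None:
            # Forwarding rewrites the destination, so Server must name exactly one host.
            if _hosts(self.server_addr) != 1:
                errors.append("Forwarding Address requires a specific Server IP")
            if self.forward_addr != "all" and _hosts(self.forward_addr) != 1:
                errors.append("Forwarding Address must be an IP or 'all'")
        elif self.snat is not None:
            errors.append("SNAT only applies when a Forwarding Address is set")
        return errors

    def to_iptables(self) -> List[str]:
        """Illustrative iptables equivalent of this rule (assumes a Linux netfilter backend)."""
        errors = self.validate()
        if errors:
            raise ValueError("; ".join(errors))
        in_if, out_if = ZONE_INTERFACES[self.client_zone], ZONE_INTERFACES[self.server_zone]
        match = f"-i {in_if} -p {self.protocol}"
        if self.client_addr != "-":
            match += f" -s {self.client_addr}"
        dport = self.port()
        cmds = []
        if self.forward_addr is not None:
            # Requests for forward_addr:service are rewritten to the Server IP before filtering.
            dnat = f"iptables -t nat -A PREROUTING {match}"
            if self.forward_addr != "all":
                dnat += f" -d {self.forward_addr}"
            cmds.append(f"{dnat} --dport {dport} -j DNAT --to-destination {self.server_addr}")
        fwd = f"iptables -A FORWARD {match} -o {out_if}"
        if self.server_addr != "-":
            fwd += f" -d {self.server_addr}"
        fwd += f" --dport {dport}"
        if self.logging == "info":
            cmds.append(f"{fwd} -j LOG --log-level info")
        cmds.append(f"{fwd} -j {TARGETS[self.result]}")
        if self.snat is not None:
            cmds.append(f"iptables -t nat -A POSTROUTING -o {out_if} -p {self.protocol} "
                        f"-d {self.server_addr} --dport {dport} -j SNAT --to-source {self.snat}")
        return cmds


# The FTP example from the help text above (rule_id is an assumed value).
EXAMPLE = Rule(rule_id=1, result="ACCEPT", service="ftp", protocol="tcp",
               client_zone="lan", server_zone="dmz",
               client_addr="192.168.1.0/24", server_addr="192.168.2.2",
               forward_addr="155.186.235.151")

if __name__ == "__main__":
    for cmd in EXAMPLE.to_iptables():
        print(cmd)
```

Running the script prints two commands for the FTP example: a PREROUTING DNAT rule that rewrites requests for 155.186.235.151 port 21 to 192.168.2.2, and a FORWARD rule that accepts the rewritten traffic from 192.168.1.0/24. Leaving SNAT empty, as the example does, means the DMZ server still sees the real LAN client address in its logs; filling it in adds a POSTROUTING SNAT rule.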