Rules are central to a firewall. By default no traffic is allowed to and from the firewall, so the administrator has to define what is allowed. Here we will describe the way rules are created in Vuurmuur.
A rule always has the following format:
<action> service <servicename> from <zone object> to <zone object> options <options>
The options part is optional.
The source and destination must be considered in light of the direction in which the connection is initiated. The source is always the one initiating the connection or communication to the destination. If you, for example, browse the web, you initiate the connection to the web server. So you are the source and the web server is the destination.
Vuurmuur supports the following actions:
|ACCEPT||allow the traffic.|
|DROP||block and ignore the traffic.|
|REJECT||block and send a tcp-reset or an icmp-error-message.|
|QUEUE||send traffic to userspace. See also SnortInline.|
|NFQUEUE||Same as QUEUE, only uses the newer NFQUEUE interface to the kernel. Also supports more than one queue.|
|LOG||log the traffic.|
|PORTFW||port forward a local port to a remote box. See also: RulesNAT.|
|DNAT||same as PORTFW, but limited to NAT rules only. See also RulesNAT.|
|REDIRECT||redirect traffic for a local port to another local port. See also RulesNAT.|
|SNAT||NAT outgoing traffic to the interface of the firewall. See also RulesNAT.|
|MASQ||same as SNAT, only MASQ determines the outgoing IP itself.|
|CHAIN||send traffic to a custom chain whose name needs to be supplied.|
|BOUNCE||solve the problem of not being able to reach a local server by its public IP.|
The default policy is DROP, which means that any traffic to which no rule applies is dropped.
The service determines which traffic the rule matches on. There is one pre-defined service: 'any'. It matches any type of traffic.
Source and Destination
Both the source of the rule and the destination need to be selected from the predefined zone objects. There are three objects predefined by Vuurmuur: firewall, firewall(any) and any.
If the source is firewall, an outgoing rule is created. If the destination is firewall, an incoming rule is created. The difference with firewall(any) is that the latter matches on any interface of the firewall. See IPtablesRules for an example of this difference.
Besides the built-in objects, the objects defined by the administrator can be selected.
Vuurmuur supports the following options:
|log||logs the rule (cannot be used when action is LOG).|
|logprefix||this text will be added to the traffic log for this rule.|
|loglimit||a limitation per second of the number of log messages for this rule.|
|limit||a limitation per time unit of the number of new connections on this rule. This is to prevent DoS attacks. Time unit can be sec, min, hour or day.|
|burst||a burst value for the 'Rule Limit'.|
|nfmark||a mark is set on the packets that match this rule. The mark never leaves the firewall, but can be used for traffic shaping or routing. Because of the way Vuurmuur handles ESTABLISHED packets for ACCEPT and for QUEUE, all rules with action ACCEPT need to have a mark between 0 and 9.999.999. QUEUE rules need to have a mark between 20.000.000 and 29.999.999. If no mark is set, ACCEPT rules will have no mark (which equals mark 0) and QUEUE rules will have 20.000.000.|
|rejecttype||when the action is REJECT the user can select a type of reject: tcp-reset (resets a tcp-connection), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-port-unreachable, icmp-net-prohibited, icmp-host-prohibited.|
|listenport||when using PORTFW/DNAT the firewall can be told to listen on another port than issued by the service. For example, you can let the firewall listen on port 1022 and port forward this to a remote machine on port 22.|
|remoteport||when using PORTFW/DNAT the firewall can be told to forward the connection to another port than issued by the service. For example, if the firewall listens on port 22 the connection can be forwarded to a remote machine on port 1022.|
|markiptstate||this option is for use with QUEUE and is especially designed for use with Snort_inline 2.2.0. It is a way to help the tcp-state-engine of Snort (Note: this option has been removed in 0.5.73 alpha 3).|
|queue||by default PORTFW and REDIRECT create ACCEPT rules in addition to the DNAT/REDIRECT rules. This option forces Vuurmuur to use 'QUEUE' instead of ACCEPT.|
|in_int||if your firewall has more than one interface in the same network, you might want to use only one of them.|
|out_int||if your firewall has more than one interface in the same network, you might want to use only one of them.|
|via_int||Mandatory option for use with the BOUNCE action. Select the interface containing the public IP address on which you try to reach the server in your local network.|
|chain||Name of the chain for use with the CHAIN action.|
|redirectport||Port to redirect to using the REDIRECT action.|
|comment||Comment for use in the GUI.|
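The constraints stated in the action and option tables above can be checked mechanically before a ruleset is applied. The following is an added example, not Vuurmuur's own code: the function names, the sample zone names and the comma-separated `key=value` option syntax are assumptions, and the nfmark limits written with dots on this page are read as plain integers.

```python
import re

# Constraints below come from the action and option tables on this page.
ACTIONS = {"ACCEPT", "DROP", "REJECT", "QUEUE", "NFQUEUE", "LOG", "PORTFW",
           "DNAT", "REDIRECT", "SNAT", "MASQ", "CHAIN", "BOUNCE"}
REJECT_TYPES = {"tcp-reset", "icmp-net-unreachable", "icmp-host-unreachable",
                "icmp-proto-unreachable", "icmp-port-unreachable",
                "icmp-net-prohibited", "icmp-host-prohibited"}
NFMARK_RANGE = {"ACCEPT": (0, 9_999_999), "QUEUE": (20_000_000, 29_999_999)}
REQUIRED = {"BOUNCE": "via_int", "CHAIN": "chain"}
RULE_RE = re.compile(r"^(\S+) service (\S+) from (\S+) to (\S+)(?: options (.+))?$")

def parse_rule(line):
    """Split a rule line into (action, service, source, destination, options)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("expected: action service X from Y to Z [options ...]")
    action, service, src, dst, raw = m.groups()
    opts = {}
    # Assumption: options are comma-separated, each a bare flag or key=value.
    for item in filter(None, (raw or "").split(",")):
        key, _, value = item.strip().partition("=")
        opts[key] = value.strip('"')
    return action.upper(), service, src, dst, opts

def lint_rule(line):
    """Return a list of problems; an empty list means nothing was flagged."""
    action, _service, _src, _dst, opts = parse_rule(line)
    problems = [] if action in ACTIONS else [f"unknown action {action}"]
    if action == "LOG" and "log" in opts:
        problems.append("option 'log' cannot be used when action is LOG")
    need = REQUIRED.get(action)
    if need and not opts.get(need):
        problems.append(f"{action} requires option '{need}'")
    rtype = opts.get("rejecttype")
    if rtype is not None and (action != "REJECT" or rtype not in REJECT_TYPES):
        problems.append(f"rejecttype {rtype!r} is not valid for action {action}")
    if "nfmark" in opts and action in NFMARK_RANGE:
        lo, hi = NFMARK_RANGE[action]
        if not (opts["nfmark"].isdigit() and lo <= int(opts["nfmark"]) <= hi):
            problems.append(f"nfmark for {action} must be between {lo} and {hi}")
    return problems

# Constructed sample rules; zone names such as lan.local are made up.
SAMPLES = ["LOG service any from any to firewall options log",
           "ACCEPT service http from lan.local to any options nfmark=20000000",
           "BOUNCE service http from lan.local to dmz.local"]
for sample in SAMPLES:
    print(sample, "->", lint_rule(sample) or "ok")
```

Option values that themselves contain a comma (for example inside a quoted logprefix) are outside what this sketch handles.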