Rules

Rules are central to a firewall. By default no traffic is allowed to and from the firewall, so the administrator has to define what is allowed. Here we will describe the way rules are created in Vuurmuur.

A rule always has the following format:

action service servicename from zone object to zone object options options

The options part is optional.

The source and destination must be considered in the light of the direction that the connection is initiated. The source is always the one initiating the connection or communication to the destination. If you, for example, browse the web, you will initiate the connection to the webserver. So you are the source, the webserver is the destination.

Actions

Vuurmuur supports the following actions:

ACCEPT: allow the traffic.
DROP: block and ignore the traffic.
REJECT: block and send a tcp-reset or an icmp error message.
QUEUE: send traffic to userspace. See also SnortInline.
NFQUEUE: same as QUEUE, only uses the newer NFQUEUE interface to the kernel. Also supports more than one queue.
LOG: log the traffic.
PORTFW: portforward a local port to a remote box. See also: RulesNAT.
DNAT: same as PORTFW, only limited to nat rules only. See also RulesNAT.
REDIRECT: redirect traffic to a local port to another local port. See also RulesNAT.
SNAT: NAT outgoing traffic to the interface of the firewall. See also RulesNAT.
MASQ: same as SNAT, only MASQ determines the outgoing ip itself.
CHAIN: send traffic to a custom chain whose name needs to be supplied.
BOUNCE: solve the problem of not being able to reach a local server by its public ip.

The default policy is DROP, which means that for any traffic to which no rule applies, the action is DROP.

Service

The service the rule should match on. There is one pre-defined service: 'any'. It will match on any type of traffic.

Source and Destination

Both the source of the rule and the destination need to be selected from the predefined zone objects. There are three objects predefined by Vuurmuur: firewall, firewall(any) and any.

If the source is firewall, an outgoing rule will be created. If the destination is firewall an incoming rule is created. The difference with firewall(any) is that the latter will match on any interface of the firewall. See IPtablesRules for an example of this difference.

Other than the built-in objects, the objects defined by the administrator can be selected.

Options

log: logs the rule (cannot be used when action is LOG).
logprefix: this text will be added to the trafficlog for this rule.
loglimit: a limitation per second of the number of log messages for this rule.
limit: a limitation per time unit of the number of new connections on this rule. This is to prevent DoS attacks. Time unit can be sec, min, hour or day.
burst: a burst value for the 'Rule Limit'.
nfmark: a mark is set on the packets that match this rule. The mark never leaves the firewall, but can be used for traffic shaping or routing. Because of the way Vuurmuur handles ESTABLISHED packets for ACCEPT and for QUEUE, all rules with action ACCEPT need to have a mark between 0 and 9.999.999. QUEUE rules need to have a mark between 20.000.000 and 29.999.999. If no mark is set, ACCEPT rules will have no mark (which equals mark 0) and QUEUE rules will have 20.000.000.
rejecttype: when the action is REJECT the user can select a type of reject: tcp-reset (resets a tcp connection), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-port-unreachable, icmp-net-prohibited, icmp-host-prohibited.
listenport: when using PORTFW/DNAT the firewall can be told to listen on another port than issued by the service. For example, you can let the firewall listen on port 1022 and portfw this to a remote machine on port 22.
remoteport: when using PORTFW/DNAT the firewall can be told to forward the connection to another port than issued by the service. For example, if the firewall listens on port 22 the connection can be forwarded to a remote machine on port 1022.
markiptstate: this option is for use with QUEUE and is especially designed for use with Snort_inline 2.2.0. It is a way to help the tcp state engine of Snort (Note: this option has been removed in 0.5.73 alpha 3).
queue: by default PORTFW and REDIRECT create ACCEPT rules in addition to the DNAT/REDIRECT rules. This option forces Vuurmuur to use 'QUEUE' instead of ACCEPT.
in_int: if your firewall has more than one interface in the same network, you might want to use only one of them.
out_int: if your firewall has more than one interface in the same network, you might want to use only one of them.
via_int: mandatory option for use with the BOUNCE action. Select the interface containing the public ip address on which you try to reach the server in your local network.
chain: name of the chain for use with the CHAIN action.
redirectport: port to redirect to using the REDIRECT action.
comment: comment for use in the GUI.
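The rule format and the constraints listed under Actions and Options can be checked before a rule is loaded. The following validator is an added example, not part of Vuurmuur or this wiki page: it parses the "action service NAME from ZONE to ZONE options OPTS" line described above and flags the combinations the option list rules out (log with action LOG, BOUNCE without via_int, CHAIN without a chain name, a limit with an unknown time unit, an nfmark outside the ACCEPT or QUEUE range, an unknown rejecttype, listenport/remoteport on a non-NAT action). Two things are assumptions rather than documented syntax: options are written as a comma-separated list of `name` or `name:value` tokens, and a limit value is written as `COUNT/UNIT` (for example `10/sec`).

```python
"""Validator for rule lines in the Vuurmuur format described on this page.

Added example, not Vuurmuur's own code.  Assumed (not documented here):
options are a comma-separated list of 'name' or 'name:value' tokens, and
limit values are written COUNT/UNIT, e.g. '10/sec'.
"""
import re

ACTIONS = {"ACCEPT", "DROP", "REJECT", "QUEUE", "NFQUEUE", "LOG", "PORTFW",
           "DNAT", "REDIRECT", "SNAT", "MASQ", "CHAIN", "BOUNCE"}
REJECT_TYPES = {"tcp-reset", "icmp-net-unreachable", "icmp-host-unreachable",
                "icmp-proto-unreachable", "icmp-port-unreachable",
                "icmp-net-prohibited", "icmp-host-prohibited"}
LIMIT_UNITS = {"sec", "min", "hour", "day"}
# nfmark ranges from the option list: ACCEPT 0..9.999.999, QUEUE 20.000.000..29.999.999.
# Other actions get no range on the page; the fallback is iptables' full 32-bit mark.
MARK_RANGES = {"ACCEPT": (0, 9_999_999), "QUEUE": (20_000_000, 29_999_999)}
FULL_MARK_RANGE = (0, 2**32 - 1)

RULE_RE = re.compile(
    r"^(?P<action>\S+)\s+service\s+(?P<service>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+options\s+(?P<opts>\S+))?\s*$"
)


def parse_options(text):
    """'log,limit:10/sec,burst:5' -> {'log': None, 'limit': '10/sec', 'burst': '5'}"""
    opts = {}
    if not text:
        return opts
    for tok in text.split(","):
        name, _, value = tok.partition(":")
        opts[name.strip()] = value.strip() if value else None
    return opts


def parse_rule(line):
    """Split a rule line into action, service, source, destination and options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("rule does not match 'action service X from Y to Z [options O]'")
    rule = m.groupdict()
    rule["action"] = rule["action"].upper()     # accept both 'accept' and 'ACCEPT'
    rule["options"] = parse_options(rule.pop("opts"))
    return rule


def validate(rule):
    """Return a list of problems; an empty list means the rule passes every check."""
    problems = []
    action, opts = rule["action"], rule["options"]
    if action not in ACTIONS:
        problems.append(f"unknown action {action}")
    if action == "LOG" and "log" in opts:
        problems.append("option 'log' cannot be used when the action is LOG")
    if action == "BOUNCE" and "via_int" not in opts:
        problems.append("BOUNCE requires the via_int option")
    if action == "CHAIN" and not opts.get("chain"):
        problems.append("CHAIN requires the chain option")
    if "rejecttype" in opts:
        if action != "REJECT":
            problems.append("rejecttype only applies to REJECT")
        elif opts["rejecttype"] not in REJECT_TYPES:
            problems.append(f"unknown rejecttype {opts['rejecttype']}")
    if "limit" in opts:
        m = re.fullmatch(r"(\d+)/(\w+)", opts["limit"] or "")
        if not m or m.group(2) not in LIMIT_UNITS:
            problems.append("limit must be COUNT/UNIT with unit sec, min, hour or day")
    if "burst" in opts and "limit" not in opts:
        # burst is described as a value for the rule limit, so it needs one
        problems.append("burst requires the limit option")
    if "nfmark" in opts:
        try:
            mark = int(opts["nfmark"] or "")
        except ValueError:
            problems.append("nfmark must be an integer")
        else:
            lo, hi = MARK_RANGES.get(action, FULL_MARK_RANGE)
            if not lo <= mark <= hi:
                problems.append(f"nfmark {mark} outside {lo}..{hi} allowed for {action}")
    for port_opt in ("listenport", "remoteport"):
        if port_opt in opts and action not in ("PORTFW", "DNAT"):
            problems.append(f"{port_opt} only applies to PORTFW/DNAT")
    return problems


def check(line):
    """Parse and validate one rule line; returns the list of problems found."""
    return validate(parse_rule(line))


if __name__ == "__main__":
    # constructed sample rules; zone and service names are placeholders
    for sample in ("accept service http from lan to world options log,limit:10/sec,burst:5",
                   "log service any from any to firewall options log",
                   "queue service ssh from lan to firewall options nfmark:5",
                   "bounce service http from lan to firewall"):
        print(sample, "->", check(sample) or "ok")
```

The checks stay inside the validator rather than in the parser so that a rule which is syntactically fine but semantically wrong (for example an ACCEPT rule carrying a QUEUE-range mark, which would break the ESTABLISHED handling described above) is reported with a reason instead of being rejected as unparseable.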
Last modified on 04/16/09 16:42:51