====== Firewall ======

^ {{user_guide:clarkconnect-190x70.png}} ^ Firewall: Protection from Internet bad guys ^
^ Version | [[Articles:ClarkConnect Version 4.2|4.2]] |
^ Type | [[Articles:Community Version|Community]] |
^ Parent Doc | [[.|ClarkConnect 4.2 Administration Manual]] |
^ Next Article | [[Security]] |
^ Previous Article | [[Network Settings]] |

===== 1 to 1 NAT =====

==== Overview ====

^ **1-to-1 NAT Firewall** ^ **Information** ^
| Description | Configuration tool for 1-to-1 NAT. |
| Package Name | cc-firewall-dmz |
| Configuration Page | Network >> Firewall >> 1-to-1 NAT |

1-to-1 NAT maps a real Internet IP to an IP on your local area network (LAN).

==== Installation ====

If you did not select this module to be included during the installation process, you must first [[.:Software Modules#Installing a Module|install the module]].

==== Configuration ====

You can map 1-to-1 NAT IPs in one of two ways:

  * With no firewall at all
  * With selective ports open

== 1-to-1 NAT - No Firewall ==

Some protocols can be finicky behind firewalls. In this case you want to configure 1-to-1 NAT with no firewall (make sure you firewall/secure the target LAN system some other way!). In the screenshot below:

  * 216.138.245.23 is mapped to a LAN machine at 192.168.2.2
  * no firewall is enabled

{{user_guide:4.2:dsr993z_49dw7tkbdd_b.png}}

== 1-to-1 NAT - Selective Ports Open ==

In the screenshot below:

  * 216.138.245.23 is mapped to a LAN machine at 192.168.2.2
  * only port 22 (SSH) and port 80 (web) are accessible

{{user_guide:4.2:dsr993z_50hc7zx6gn_b.png}}

== 1-to-1 NAT - With MultiWAN ==

As of ClarkConnect 4.0 it is possible to use 1-to-1 NAT with a MultiWAN configuration. The configuration remains mostly the same, with the addition of an Interface drop-down box containing a list of configured MultiWAN network interfaces. 1-to-1 NAT with MultiWAN support is only available in the 4.x Edition.
Each 1-to-1 NAT rule must be assigned to an external MultiWAN interface, as shown in the example below:

{{user_guide:4.2:dsr993z_51fcf3ktcz_b.png}}

===== Advanced =====

==== Overview ====

^ **Advanced Firewall** ^ **Information** ^
| Description | Configuration tool for advanced firewall rules. |
| Package Name | cc-firewall-advanced |
| Configuration Page | Network >> Firewall >> Advanced |

==== Installation ====

If you did not select this module to be included during the installation process, you must first [[.:Software Modules#Installing a Module|install the module]].

==== Configuration ====

The advanced firewall tool can be used to create special firewall rules. For instance, you can use this tool to allow connections to the [[user guide/4.2/web-based administration|web-based administration]] from the Internet -- but only from a particular IP address. You can find some examples in the [[user guide/4.2/account manager#tips and tricks|advanced firewall tips and tricks documentation]].

An invalid advanced rule will cause the firewall to go into a lock-down mode -- all other firewall rules will not be active in this mode.

==== Links ====

  * [[http://www.netfilter.org/|Netfilter/Iptables Home Page]]

===== DMZ =====

==== Overview ====

^ **DMZ Firewall** ^ **Information** ^
| Description | Configuration tool for DMZ-based firewalls. |
| Package Name | cc-firewall-dmz |
| Configuration Page | Network >> Firewall >> DMZ |

The DMZ solution is used to protect a separate network of public IP addresses. Typically, a third network card is used exclusively for the DMZ network.

  * If you are configuring a few extra public IPs (not a //**whole network**//), then go to the [[user guide/4.2/firewall#to 1 nat|1-to-1 NAT]] section of the User Guide.
  * If you are configuring a separate private network (192.168.x.x or 10.x.x.x), then investigate //**Hot LANs**// in the [[user guide/4.2/network settings#ip settings|IP Settings]] section of the User Guide.
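The two 1-to-1 NAT modes described in the 1-to-1 NAT section above (no firewall, and selective ports open) come down to a small set of netfilter rules on the gateway. The generator below is an added example, not ClarkConnect's own firewall scripts: the chain layout, the use of ''conntrack'' state matching, and the interface names ''eth0''/''eth1'' are assumptions, and the addresses are the ones from the manual's screenshots. It also shows why "no firewall" mode forwards every port and protocol to the LAN host, so that host must be secured by other means.

```python
import ipaddress

# Illustrative generator for the iptables rules behind ClarkConnect-style
# 1-to-1 NAT.  Added example: chain layout and interface names are
# assumptions, not ClarkConnect's own firewall scripts.


def mapping_problems(public_ip, lan_ip):
    """Return a list of configuration problems for a mapping (empty = ok)."""
    pub = ipaddress.ip_address(public_ip)
    lan = ipaddress.ip_address(lan_ip)
    problems = []
    if pub.is_private:
        problems.append(f"{pub} is a private address, not a real Internet IP")
    if not lan.is_private:
        problems.append(f"{lan} is not a private LAN address")
    return problems


def one_to_one_nat(public_ip, lan_ip, ext_if="eth0", open_ports=None):
    """Return iptables commands that map public_ip to lan_ip on ext_if.

    open_ports=None      -> "no firewall": every port and protocol is forwarded
                            to the LAN host, so it must be secured by other means.
    open_ports=[22, 80]  -> "selective ports open": only those TCP ports may
                            start new connections to the LAN host.
    ext_if is the external (MultiWAN) interface the mapping is assigned to.
    """
    problems = mapping_problems(public_ip, lan_ip)
    if problems:
        raise ValueError("; ".join(problems))
    rules = [
        # Inbound: packets arriving for the public IP are rewritten to the LAN host.
        f"iptables -t nat -A PREROUTING -i {ext_if} -d {public_ip} "
        f"-j DNAT --to-destination {lan_ip}",
        # Outbound: the LAN host's own traffic leaves with the public IP as source.
        f"iptables -t nat -A POSTROUTING -o {ext_if} -s {lan_ip} "
        f"-j SNAT --to-source {public_ip}",
    ]
    fwd = f"iptables -A FORWARD -i {ext_if} -d {lan_ip}"
    if open_ports is None:
        # No firewall: the gateway forwards everything to the LAN host.
        rules.append(f"{fwd} -j ACCEPT")
        return rules
    # Selective mode: replies to connections the host itself opened, then the
    # listed ports for new connections, then drop every other new connection.
    rules.append(f"{fwd} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    for port in open_ports:
        if not 0 < int(port) < 65536:
            raise ValueError(f"invalid port {port}")
        rules.append(f"{fwd} -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    rules.append(f"{fwd} -m conntrack --ctstate NEW -j DROP")
    return rules


if __name__ == "__main__":
    # The manual's two screenshots: 216.138.245.23 mapped to 192.168.2.2.
    for rule in one_to_one_nat("216.138.245.23", "192.168.2.2"):
        print(rule)
    print()
    for rule in one_to_one_nat("216.138.245.23", "192.168.2.2",
                               ext_if="eth1", open_ports=[22, 80]):
        print(rule)
```

The ''ext_if'' parameter plays the role of the Interface drop-down in the MultiWAN case: both the DNAT and the SNAT rule are tied to that one external interface, so a mapping assigned to the wrong WAN link simply never matches.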
==== Installation ====

If you did not select this module to be included during the installation process, you must first [[.:Software Modules#Installing a Module|install the module]].

==== Configuration ====

=== Network Configuration ===

Before you can use the DMZ firewall configuration, you need to configure one of your network cards with the DMZ role. In our example, we used the [[user guide/4.2/network settings#ip settings|IP Settings]] tool to configure a third network card (eth2) with the following:

  * Role: DMZ
  * IP Address: 216.138.245.17
  * Netmask: 255.255.255.240
  * Network: 216.138.245.16/28

All the systems connected to this third network card can then be configured with an IP address in the 216.138.245.18 to 216.138.245.30 range.

=== Incoming Connections ===

By default, all inbound connections from the Internet to systems on the DMZ are blocked (with the exception of the ping protocol). You can permit connections to systems on the DMZ by allowing:

  * all ports and protocols to a single public IP
  * all ports and protocols to the whole network of public IPs
  * a specific port and protocol to a single public IP

In the screenshot below, neither 216.138.245.27 nor 216.138.245.28 is firewalled at all, while 216.138.245.26 can only be accessed via TCP port 2000.

{{user_guide:4.2:dsr993z_52c8x6wkhj_b.png}}

=== Pinhole Connections (DMZ-to-LAN) ===

In some situations, you may want to allow particular network traffic from your DMZ to your LAN -- a pinhole rule. In our example, we have a document management system running on port 2401 on the LAN (at IP address 192.168.2.2). We want to allow a web server in our DMZ to access this document management system, and we create a pinhole rule to do it (see screenshot).
{{user_guide:4.2:dsr993z_53hr5n97fn_b.png}}

==== Links ====

  * [[http://searchsoa.techtarget.com/sDefinition/0,,sid26_gci213891,00.htm|Definition]]

===== Group Manager =====

==== Overview ====

^ **Firewall Groups** ^ **Information** ^
| Description | A tool to group together firewall rules. |
| Package Name | cc-firewall |
| Configuration Page | Network >> Firewall >> Group Manager |

The Group Manager makes it easy to categorize and manage related firewall rules. All rules not assigned to a group are listed at the top of the page. You can change a rule's Nickname or assign it to a new or existing group by clicking on Edit.

==== Installation ====

This module is part of the base Firewall package, which is always installed.

==== Configuration ====

There are three sections to the Group Manager page:

  * Individual rule listing (rules that are not assigned to a group)
  * Group listing
  * Group manager, useful for enabling/disabling or deleting an entire group

=== Assigning Rules to Groups ===

To assign a rule to a group, click on the rule's Edit button. This will bring up the rule editor dialog, which looks like the following screenshot:

{{user_guide:4.2:dsr993z_54hp9wgdgr_b.png}}

The top of the edit dialog shows the fields of the firewall rule: the protocol, address, port, and parameter (optional, contains extended information). This is displayed to help you identify the rule. Below this information, you can enter a new Nickname or edit the existing one to help identify the rule's purpose. To the right, you may assign this rule to an existing group using the drop-down, or add it to a new group by entering the desired name in the input box below. Click on Confirm to save your changes.

=== Removing a Rule From a Group ===

To remove a rule from a group, click on the rule's Edit button. You will see the group name in the drop-down box. Change this to "Remove from group" and then click on Confirm.
If there are no more rules in a given group, the group will no longer show up in the group drop-down list.

=== Group Management ===

At the very bottom of the Group Manager page you can enable/disable or delete a group. Simply click on the appropriate button.

||**Deleting a group will delete all member firewall rules. If you want to remove just the group, remove each rule from the group manually.**||

===== Incoming =====

==== Overview ====

^ **Firewall Incoming** ^ **Information** ^
| Description | Tool for configuring incoming connections on the firewall. |
| Package Name | cc-firewall |
| Configuration Page | Network >> Firewall >> Incoming |

==== Configuration ====

==== Allow Incoming Connections ====

If you want to run a server on your ClarkConnect system, you must open the appropriate port on the firewall to allow access to users on the Internet. For instance, if you are running the web server and secure web server, make sure ports 80 and 443 are open.

||**Unlike other firewalls, you //**do not**// need to open a port on the incoming page if you're forwarding the port to an internal server on your LAN or on your DMZ.**||

You can also open up ports to allow for remote management of your ClarkConnect system. For example, you can open up port 22 to allow for SSH access and port 81 to give access to Webconfig.

Select //**Firewall Incoming**// in the [[.:web-based administration]]. There are three ways to add an incoming firewall rule:

  * select a standard service in the //**Standard Services**// drop-down
  * input a single port number in the //**Port Number**// box
  * input multiple consecutive ports as a port range in the //**Port Range**// box

{{user_guide:4.2:dsr993z_55grd4vsdr_b.png}}

==== Block Internet Hosts ====

If you want to block a remote site from accessing your ClarkConnect system, add the IP address or network to the block list. This is typically used to unwanted connections from .
If you want to block web sites from your users, the [[user guide/4.2/modules/web proxy#content_filter|Content Filter]] is a more effective solution.

===== Outgoing =====

==== Overview ====

^ **Firewall Outgoing** ^ **Information** ^
| Description | Tool for blocking or allowing (depending on mode) outgoing connections on your network. |
| Package Name | cc-firewall |
| Configuration Page | Network >> Firewall >> Outgoing |

==== Configuration ====

From the //**Firewall Outgoing**// page, you can block or allow certain kinds of traffic from leaving your network, depending on the //**mode/policy**//.

As of ClarkConnect 4.0, it is possible to reverse the meaning of rules created from the //**Firewall Outgoing**// page. The language used in the following documentation has been altered to reflect this change. Users of older ClarkConnect versions can only allow all outgoing traffic by default and then selectively block certain hosts and services. See //**Choose an Outgoing Mode**// below for more details.

||**This module is useful for blocking/allowing instant messaging, chat, peer-to-peer music downloads, and more.**||

You have two ways to block/allow traffic:

  * by destination port/service
  * by destination IP address/domain

Note: If you want to block peer-to-peer file sharing programs like Kazaa and Limewire, you will also want to check the [[.:firewall#peer-to-peer|Peer-to-Peer]] section of the user guide.

==== Choose an Outgoing Mode ====

As of ClarkConnect 4.0, you can toggle the outgoing traffic mode or policy. All previous versions of ClarkConnect allowed all outgoing traffic by default, only providing the administrator with the ability to specifically block certain hosts or services. With ClarkConnect 4.0 and above, it is possible to block all outgoing traffic by default and only open or allow certain destination domains, ports/services to be contacted.
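The policy toggle just described changes what the same Destination Ports and Destination Domains entries mean. The generator below, an added example and not ClarkConnect's own firewall code, builds the FORWARD rules for both policies from one list of entries and includes a small model that predicts whether a new LAN connection would get through. The interface names ''eth0''/''eth1'' and the chain layout are assumptions; hostnames stand in for Destination Domains entries.

```python
# Egress rules for the two outgoing policies of ClarkConnect 4.0.  Added
# example, not ClarkConnect's own firewall code: interface names and chain
# layout are assumptions.  iptables resolves a hostname given with -d to its
# addresses only when the rule is loaded, which is why sites served by many
# servers are not reliably matched.

LAN_IF = "eth1"  # assumed LAN-facing interface
EXT_IF = "eth0"  # assumed Internet-facing interface


def outgoing_rules(policy, ports=(), hosts=()):
    """Return iptables FORWARD rules for LAN -> Internet traffic.

    policy="allow": allow everything out, block the listed ports/hosts.
    policy="block": block everything out, allow only the listed ports/hosts.
    The same port/host list therefore flips meaning with the policy.
    """
    if policy not in ("allow", "block"):
        raise ValueError("policy must be 'allow' or 'block'")
    listed_target = "DROP" if policy == "allow" else "ACCEPT"
    default_target = "ACCEPT" if policy == "allow" else "DROP"
    base = f"iptables -A FORWARD -i {LAN_IF} -o {EXT_IF}"
    rules = [
        # Replies for connections already permitted are always allowed through.
        f"{base} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in ports:
        rules.append(f"{base} -p tcp --dport {port} -m conntrack --ctstate NEW -j {listed_target}")
    for host in hosts:
        rules.append(f"{base} -d {host} -j {listed_target}")
    # The default policy is the last rule, catching everything not listed.
    rules.append(f"{base} -j {default_target}")
    return rules


def is_permitted(policy, ports, hosts, dst_host, dst_port):
    """Model whether a new LAN connection to dst_host:dst_port gets through."""
    listed = dst_port in set(ports) or dst_host in set(hosts)
    # A listed destination receives the opposite of the default policy.
    return listed != (policy == "allow")


if __name__ == "__main__":
    # Pre-4.0 style policy: allow all, block web surfing and the Windows Update host.
    for rule in outgoing_rules("allow", ports=[80], hosts=["windowsupdate.microsoft.com"]):
        print(rule)
    print()
    # 4.0 default-deny policy: only web and mail ports may be contacted.
    for rule in outgoing_rules("block", ports=[80, 443, 25]):
        print(rule)
```

These rules only see traffic that the gateway forwards for LAN hosts. Connections made by the web proxy originate on the gateway itself and pass through the OUTPUT chain instead, which is the reason the manual says proxy users may not be blocked and points to the Content Filter for that case.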
{{user_guide:4.2:dsr993z_56fqqx8nhq_b.png}}

//**Note:**// These are the two Outgoing Traffic policies available as of ClarkConnect 4.0.

== Outgoing Traffic - By Port/Service ==

//**Destination Ports**// prevents/allows a connection on a particular port/service. For instance, adding port 80 (web) disables/enables web surfing for your entire local network.

{{user_guide:4.2:dsr993z_576tm8x4ht_b.png}}

== Outgoing Traffic - By Host/Destination ==

//**Destination Domains**// allows you to block/allow certain networks and sites. For instance, if your Outgoing Mode is set to allow all outgoing traffic, blocking windowsupdate.microsoft.com blocks Windows from connecting to the Windows Update site. Keep in mind that some sites use multiple servers to handle network traffic and are not easily blocked.

If you block destinations with the firewall, bear in mind that users of the proxy may not be blocked. If you require proxy users to be blocked, your best option is to block the destinations using the DansGuardian [[.:modules:web_proxy#content filter|Content Filter Module]].

{{user_guide:4.2:dsr993z_58cdjvrhcr_b.png}}

As of ClarkConnect 4.0, the Block/Allow by Destination form has changed slightly. The standard services drop-down box has been removed and merged into the Destination Ports form illustrated above.

{{user_guide:4.2:dsr993z_59hr5zs4hd_b.png}}

==== Troubleshooting ====

==== Links ====

===== Peer-to-Peer =====

==== Overview ====

^ **Peer-to-Peer** ^ **Information** ^
| Description | A tool to block peer-to-peer traffic. |
| Package Name | cc-firewall-p2p |
| Configuration Page | Network >> Firewall >> Peer-to-Peer |

==== Installation ====

If you did not select this module to be included during the installation process, you must first [[.:Software Modules#Installing a Module|install the module]].
==== Configuration ====

The following applications can be blocked and/or throttled:

  * eDonkey, eMule, Kademlia
  * KaZaA, FastTrack
  * Gnutella
  * Direct Connect
  * BitTorrent, extended BT
  * AppleJuice
  * WinMX
  * SoulSeek
  * Ares, AresLite

For some protocols, the peer-to-peer blocker will only halt the initial connection to other systems. In other words, a system that is already connected to a peer-to-peer network will not get blocked. If you are sanity checking this tool, disconnect the peer-to-peer client first.

==== Troubleshooting ====

The world of peer-to-peer networks is fast paced and constantly changing. If you find that your peer-to-peer software is not getting blocked, then feel free to post your feedback on the online forums:

  * [[http://forums.clarkconnect.com/postlist.php?Cat=0&Board=UBB4|Online Forums - Bandwidth]]

==== Links ====

  * [[http://www.ipp2p.org/|IPP2P Web Site]]

===== Port Forwarding =====

==== Overview ====

^ **Port Forwarding** ^ **Information** ^
| Description | Tool for forwarding ports to systems on your local network. |
| Package Name | cc-firewall |
| Configuration Page | Network >> Firewall >> Port Forwarding |

==== Configuration ====

If you run servers //**behind**// your ClarkConnect gateway, you can use the //**Port Forwarding**// page to forward ports to a system on your local area network. In the example below, two port forwarding rules are configured:

  * A web server (port 80) is running on the LAN at 192.168.4.10.
  * SSH (port 22) is also running on 192.168.4.10. Since port 22 is already used on the gateway, we specify an alternate port (2222). We then configure our SSH client to use port 2222 to connect directly to 192.168.4.10 from the Internet.

{{user_guide:4.2:dsr993z_60fxskc2fj_b.png}}

==== Troubleshooting ====

{{user_guide:4.2:dsr993z_61ggb5fng5_b.png}}

In order for port forwarding to work properly, the target system on your local network //**must**// have its default gateway set to the ClarkConnect system.
In the adjacent screenshot, the configuration for a Windows system is shown. The default gateway in this case is 192.168.1.1 (the IP address of the ClarkConnect system).

===== Navigation =====

**Previous:** [[Network Settings]] | **Next:** [[Security]] || **Return:** [[.|Index]]
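The Port Forwarding section above has two practical rules in it: an external port already used by the gateway itself (such as 22 for its own SSH) cannot also be forwarded, so an alternate external port is chosen, and a forwarded port does not need an Incoming rule because forwarded traffic is filtered in FORWARD rather than INPUT. The planner below is an added example, not ClarkConnect's own code: it checks a list of wanted forwards against the ports opened on the Incoming page, reports conflicts, and emits the DNAT and FORWARD rules. The interface name ''eth0'', the ''conntrack'' state match, and the LAN network ''192.168.4.0/24'' are assumptions; the addresses and ports are the manual's.

```python
import ipaddress

# Port-forwarding planner for a ClarkConnect-style gateway.  Added example,
# not ClarkConnect's own code: interface name and chain layout are
# assumptions.  It checks each forward against the ports the gateway itself
# listens on (the Incoming page) and emits the DNAT rule, including the
# alternate-external-port case from the manual (2222 on the gateway -> 22 on
# 192.168.4.10).

EXT_IF = "eth0"  # assumed Internet-facing interface


def plan_forwards(gateway_ports, forwards, lan_network):
    """forwards: iterable of (external_port, lan_ip, lan_port) tuples.

    Returns (rules, problems).  A forward with a problem produces no rules.
    """
    lan = ipaddress.ip_network(lan_network)
    taken = set(gateway_ports)  # ports the gateway answers on itself
    rules, problems = [], []
    for ext_port, lan_ip, lan_port in forwards:
        target = ipaddress.ip_address(lan_ip)
        if target not in lan:
            problems.append(
                f"{target} is not on the LAN {lan}; the target must sit behind the gateway")
            continue
        if ext_port in taken:
            problems.append(
                f"external port {ext_port} is already used on the gateway or by "
                f"another forward; choose an alternate external port")
            continue
        taken.add(ext_port)
        # Translate the external port to the service's real port on the LAN host.
        rules.append(
            f"iptables -t nat -A PREROUTING -i {EXT_IF} -p tcp --dport {ext_port} "
            f"-j DNAT --to-destination {target}:{lan_port}")
        # Forwarded traffic is filtered in FORWARD, not INPUT, which is why the
        # Incoming page does not need a matching rule for a forwarded port.
        rules.append(
            f"iptables -A FORWARD -i {EXT_IF} -d {target} -p tcp --dport {lan_port} "
            f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules, problems


if __name__ == "__main__":
    gateway_listens_on = {22, 81}  # SSH and Webconfig opened on the Incoming page
    wanted = [
        (80, "192.168.4.10", 80),    # web server on the LAN
        (2222, "192.168.4.10", 22),  # SSH, reachable on alternate port 2222
        (22, "192.168.4.10", 22),    # conflicts with the gateway's own SSH
    ]
    rules, problems = plan_forwards(gateway_listens_on, wanted, "192.168.4.0/24")
    print("\n".join(rules))
    print("\n".join(problems))
```

The planner cannot see the LAN host's own network settings, so the troubleshooting point above (the target's default gateway must be the ClarkConnect system, or replies leave by another route and the forward appears dead) remains a check to make on the target host.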