Firewall Overview

InterWorx Control Panel integrates with the APF iptables firewall system. Uses have fine grained control over the firewall configuation on the server, including individual port control, and global IP access and deny lists.

Table of Contents

  1. Manage FireWall Options
    1. Firewall Options Reference
  2. Trusted IP's
    1. Procedure - Add an IP Address
    2. Procedure - Remove an IP Address
  3. Firewall IP Address Reference
    1. Simple Syntax
    2. Advanced Syntax
  4. Manage Firewall Rules
    1. Procedure - Add a Port
    2. Procedure - Open a Port
    3. Procedure - Close a Port
    4. Procedure - Delete a Port

Manage FireWall Options

The following procedures explain how to configure firewall options using InterWorx Control Panel. The most common configuration options are exposed in the InterWorx Control Panel interface. As with many of the system services, a system administrator still retains the ability to configure the service by editing the configuration file directly.

Firewall Options Reference

Firewall Debug Mode
When Debug Mode is On, the firewall rules will automatically flush every 5 minutes. This allows you to test your firewall rules and prevent you from locking yourself out of your system. Once you have the firewall set up, turn debug off.

Default Type of Service
Setting this option affects network response. The following options are:

  • Minimum delay - Set this option when low latency (the time it takes for a data to travel from the source host to destination host) is most important.
  • Maximum throughput - Set this option when the volume of data transmitted in any period of time is important, and latency is less important.
  • Maximum reliability - Set this option when it is important that you have some certainty that the data will arrive at the destination without retransmission being required.

Linux Network Adminstrators Guide

TCP Drop Policy
Setting this option determines how TCP packets are filtered. The following options are:

  • Reset - Sends a tcp-reset. This is the TCP/IP default.
  • Drop - Drops the packet.
  • Reject - Rejects the packet.

UDP Drop Policy
Setting this option determines how UDP packets are filtered. The following options are:

  • Reset - Sends a tcp-reset response. This is the TCP/IP default.
  • Drop - Drops the packet.
  • Reject - Rejects the packet.
  • Prohibit - Sends an icmp-host-prohibited response.

Block Multicasting
Set this option if you intend to participate in the MBONE, a high bandwidth network on top of the Internet which carries audio and video broadcasts.

More about MBONE

Block Private Networks
Set this option to block all private IPv4 addresses. Leave this option off if this host resides behind a firewall with NAT or routing scheme that otherwise uses private addressing.

Maximum Sessions
This is the maximum number of "sessions" (connection tracking entries) that can be handled simultaneously by the firewall in kernel memory. Increasing this value too high will simply waste memory; setting it too low may result in some or all connections being refused, in paticular during denial of service attacks.

Sysctl TCP
These are sysctl hook changes to further harden the kernel from network attack trends by lowering standard time-out values and other time based packet responses.

Procedure
  1. Click the Icon Server menu item if it is not already open.
  2. Click the Icon Firewall menu item.
  3. Locate the Firewall Information section.
  4. Change the option(s) you wish to update to the desired value(s).
  5. Click the button.

Trusted IP's

The following procedures explain how to add Trusted IPs and Blocked IPs to the firewall configuration. Trusted IPs will be allowed through the firewall across all ports, while Blocked IPs will be denied access across all ports. IPs not listed in either Trusted IPs or Blocked IPs will be subject to the per-port rules in the Port Access section.

Procedure - Add an IP Address

  1. Click the Icon Server menu item if it is not already open.
  2. Click the Icon Firewall menu item.
  3. Locate the Global IP Access Control section.
  4. Add the IPs, one per line, you wish to trust to the Trusted IPs box.
  5. Add the IPs, one per line, you wish to block to the Block IPs box.
  6. Click the button.
  7. You will see the following message at the top of the screen: List of trusted and/or blocked IPs was updated
You will trigger an error if you try to add the same IP address to both the Trusted IPs and Blocked IPs list

Procedure - Remove an IP Address

  1. Click the Icon Server menu item if it is not already open.
  2. Click the Icon Firewall menu item.
  3. Locate the Global IP Access Control section.
  4. Remove the IPs, one per line, you no longer wish to trust from the Trusted IPs box.
  5. Remove the IPs, one per line, you no longer wish to block from the Block IPs box.
  6. Click the button.
  7. You will see the following message at the top of the screen: List of trusted and/or blocked IPs was updated

Firewall IP Address Reference

Simple Syntax

  1. The simplest syntax is just a single valid IP address. For example, 192.168.1.10 and 169.254.43.11 are valid entries.
  2. You can also enter masked IP addresses which allows you to cover an entire range of IPs. For example, 10.0.1.0/24 and 192.0.0.0/8 are valid entries.

Advanced Syntax

The advanced IP syntax not only gives you control over the IP address, but also the protocol (udp or tcp), flow direction (inbound or outbound), and port. The advanced syntax is:

protocol:flow:port:ip
  1. protocol: Either udp or tcp. protocol is optional, and if not given, tcp is assumed.
  2. flow: in or out. If protocol is given, then flow is required, otherwise flow is optional. If flow is not given, in is assumed.
  3. s/d=port: A single port number. You must also specify if the port is the source port (s=), where the packet originates from, or the destination port (d=), where the packet will end up.
  4. s/d=ip: A valid IP address. You may use an IP address or an IP address and mask. You must also specify if the IP address is the source IP (s=), where the packet originates from, or the destination IP (d=), where the packet will end up.
Example 1

Inbound TCP to destination port 3306 from 172.60.32.0/24 

d=3306:s=172.60.32.0/24
Example 2

Inbound TCP from port 3000 from 24.202.16.11 

s=3000:s=24.202.16.11
Example 3

Outbound TCP to destination port 22 to destination host 65.114.132.9 

out:d=22:d=65.114.132.9
Example 4

Inbound UDP to destination port 1024 from destination host 43.213.13.20 

udp:in:d=20:s=43.213.13.20

Manage Firewall Rules

The following procedures explain how to manage custom port access rules. You can add new open ports, and edit, close, or delete existing ports.

Procedure - Add a Port

  1. Click the Icon Server menu item if it is not already open.
  2. Click the Icon Firewall menu item.
  3. Locate the Port Access section.
  4. Type in the port number you wish to open in the textbox beneath the Port column.
  5. Open or Close the following four options: TCP In, TCP Out, UDP In, and UDP Out.
  6. Click the button.
  7. You will see the following message at the top of the screen: The following port was added:

Procedure - Open a Port

  1. Click the Icon Server menu item if it is not already open.
  2. Click the Icon Firewall menu item.
  3. Locate the Port Access section.
  4. You will see a list of all the ports that are currently open in some state or another, with four drop-down lists corresponding to TCP In, TCP Out, UDP In, and UDP Out.
  5. Choose Open for the protocols you wish to open. For example, if you wish to open incoming and outgoing TCP choose Open for both drop-down lists.
  6. Select Commit Changes from the drop-down list at the bottom of the table.
  7. You will see the following message at the top of the screen: Ports configuration updated:

Procedure - Close a Port

  1. Click the Icon Server menu item if it is not already open.
  2. Click the Icon Firewall menu item.
  3. Locate the Port Access section.
  4. You will see a list of all the ports that are currently open in some state or another, with four drop-down lists corresponding to TCP In, TCP Out, UDP In, and UDP Out.
  5. Choose Closed for the protocols you wish to close. For example, if you wish to close incoming and outgoing UDP choose Closed for both drop-down lists.
  6. Select Commit Changes from the drop-down list at the bottom of the table.
  7. You will see the following message at the top of the screen: Ports configuration updated:
Setting all four options to Closed essentially deletes the port.

Procedure - Delete a Port

  1. Click the Icon Server menu item if it is not already open.
  2. Click the Icon Firewall menu item.
  3. Locate the Port Access section.
  4. You will see a list of all the ports that are currently open in some state or another, with a checkbox next to each.
  5. Mark the checkboxes for the ports you would like to delete. You may also click [ Check All ] to select all the ports with a single click.
  6. Select Delete from the drop-down list at the bottom of the table.
  7. You will see the following message at the top of the screen: Ports deleted from configuration:
The NodeWorx interface will always display a default list of commonly used ports. Deleting a commonly used port will not remove it from the table, but instead show the port as closed across all four options.