Setting up Firewall Rules

From the SeGuard portal you can set up custom firewall rules. These rules take effect only during an attack.

You can set up the firewall from the SeGuard Portal under the Firewall Rules section in the right-hand menu.

The Active Firewall Rules tab displays all firewall rules generated automatically by Filters or added manually by Console users.

Customers can add or delete firewall rules manually. To add a new firewall rule, click the <Create Firewall Rule> button. The rule must be applied using a software firewall (the first option; the Chelsio Firewall cannot be customized at the moment).

The <Remove All> button deletes all firewall rules from the UI only; it does not update the actual firewall.


The Create Software Firewall Rule window provides the following options:


  • Rule Description – A short name that will help you identify the firewall rule. This is the only mandatory field.

  • Direction – Select Inbound to match packets entering your network (through interfaces defined as
    Inbound in the Filter Configuration window). Outbound does not work, because only incoming traffic is diverted.

  • Filter(s) – Select the Filters that must apply the firewall rule, according to their configuration (Interfaces, Netfilter Chain, Netfilter Table).

  • IP Protocol(s) – Select one or more IP protocols, or Any to match all packets.

  • Src/Dst IP/mask – Enter to match packets by their source or destination IP blocks. The mask is optional
    (defaults to /32 for IPv4 and /128 for IPv6).

  • Src/Dst Port(s) – This field is available only for the following IP protocols: TCP, UDP, UDPLITE, DCCP and
    SCTP. It matches a set of source or destination ports. Up to 15 ports can be specified (e.g. 53,
    1024:65535 would match ports 53 and all from 1024 through 65535).

  • IP Packet Length – It is used to match the length of the layer-3 payload (e.g. the layer-4 packet) of packets against a specific value or a range of values separated by “:”.

  • IP TimeToLive – It is used to match the time to live (TTL) field in the IP header. If the value is preceded
    by “>” then the traffic will be matched if TTL is greater than the given TTL value. If the value is preceded
    by “<” then the traffic will be matched if TTL is less than the given TTL value.

  • TCP Flags Set/Unset – Select the TCP flags that must be explicitly set and/or unset. TCP flags not
    enabled in either field are ignored by the packet matching mechanism.

  • Payload Content – Enter to match a string anywhere in the packet. Use this match with caution as it
    consumes a lot of CPU resources and can cause packet loss.

  • Country(ies) – Select to match packets by their country.

  • Firewall Policy – Select the Software Firewall policy applied for the matched packets:
    ◦ Drop – blocks packets and makes the connection appear to be to an unoccupied IP address
    ◦ Reject – blocks packets and sends an ICMP packet indicating the port is unavailable
    ◦ Accept – allows packets through the firewall
    ◦ Rate Limit – allows a limited number of packets through the firewall

  • Rate Limit – You can use this parameter to limit the rate of packets per time unit to a predefined value. If the
    value ends with the character “b” then the rate-limiting is applied to bytes rather than packets.

  • Rate Limit Hashing – You can apply the rate-limiting globally, to a single object (Src. IP, Src. Port, Dst. IP
    or Dst. Port) or to any combination of objects. If the rate-limiting should be connection-oriented, select
    all objects. To rate-limit the packet or byte rate of each source IP, select the Src. IP object.

  • Rule Active Until – Select Manually deleted to apply the firewall rule indefinitely. Select the other
    options to delete the firewall rule after a predefined condition.
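The option list above describes how each field is interpreted (default masks, the 15-port limit, the "&gt;"/"&lt;" TTL prefixes, the "b" rate-limit suffix, the hashing objects). The following added example, which is not SeGuard's own code, shows those semantics in working form by validating a rule and translating it into the iptables argv that a software firewall would apply. It assumes the software firewall is Netfilter/iptables (the page mentions Netfilter chains and tables), that the rate-limit time unit is one second, and that the dictionary keys used for the fields are hypothetical. Country matching is left out because it needs a match module outside stock iptables. Nothing here executes iptables; the functions only build and return the command lines.

```python
"""Translate a SeGuard-style software firewall rule into iptables argv lists.

Added illustration, not SeGuard's own code. Assumptions: Netfilter/iptables
(IPv4 matches), one rule per IP protocol, rate limits per second, and the
hypothetical field names used as dict keys. The argv is returned, never run.
"""
import ipaddress
import re

MULTIPORT_MAX = 15                                   # iptables multiport takes at most 15 entries
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "dccp", "sctp"}   # the only protocols with ports
HASH_OBJECTS = {"src_ip": "srcip", "src_port": "srcport",    # portal object -> hashlimit mode
                "dst_ip": "dstip", "dst_port": "dstport"}
POLICIES = {"drop", "reject", "accept", "rate_limit"}


def normalize_cidr(value):
    """Apply the portal default mask: /32 for IPv4, /128 for IPv6."""
    return str(ipaddress.ip_network(value.strip(), strict=False))


def parse_ports(spec):
    """Validate 'p' and 'a:b' entries; '53, 1024:65535' means 53 plus 1024 through 65535."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if not 0 < len(entries) <= MULTIPORT_MAX:
        raise ValueError(f"1..{MULTIPORT_MAX} port entries allowed, got {len(entries)}")
    for e in entries:
        lo, _, hi = e.partition(":")
        bounds = [lo, hi] if hi else [lo]
        if not all(b.isdigit() and int(b) <= 65535 for b in bounds):
            raise ValueError(f"bad port entry {e!r}")
        if hi and int(lo) > int(hi):
            raise ValueError(f"inverted range {e!r}")
    return ",".join(entries)


def ttl_args(spec):
    """'>64' matches TTL greater than 64, '<5' less than 5, '64' exactly 64."""
    m = re.fullmatch(r"\s*([<>]?)\s*(\d{1,3})\s*", spec)
    if not m or int(m.group(2)) > 255:
        raise ValueError(f"bad TTL spec {spec!r}")
    op = {">": "--ttl-gt", "<": "--ttl-lt", "": "--ttl-eq"}[m.group(1)]
    return ["-m", "ttl", op, m.group(2)]


def rate_args(limit, hashing, name):
    """Trailing 'b' switches from packets to bytes; hashing objects pick the bucket key."""
    m = re.fullmatch(r"\s*(\d+)\s*(b?)\s*", limit)
    if not m:
        raise ValueError(f"bad rate limit {limit!r}")
    unknown = set(hashing) - set(HASH_OBJECTS)
    if unknown:
        raise ValueError(f"unknown hashing objects {sorted(unknown)}")
    args = ["-m", "hashlimit", "--hashlimit-above", f"{m.group(1)}{m.group(2)}/second",
            "--hashlimit-name", re.sub(r"[^A-Za-z0-9_]", "_", name)[:15]]  # hashlimit names are short
    if hashing:                                      # no objects selected = one global bucket
        args += ["--hashlimit-mode", ",".join(HASH_OBJECTS[h] for h in hashing)]
    return args


def build_rules(rule):
    """Return one iptables argv per selected IP protocol ('any' gives one rule without -p)."""
    if rule.get("direction", "inbound") != "inbound":
        raise ValueError("only Inbound rules are supported: only incoming traffic is diverted")
    policy = rule.get("policy", "drop")
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    protocols = rule.get("protocols") or ["any"]
    base = ["iptables", "-t", rule.get("table", "filter"), "-A", rule.get("chain", "INPUT"),
            "-i", rule["interface"], "-m", "comment", "--comment", rule["description"]]
    rules = []
    for proto in protocols:
        argv = list(base)
        if proto != "any":
            argv += ["-p", proto]
        for key, flag in (("src", "-s"), ("dst", "-d")):
            if rule.get(key):
                argv += [flag, normalize_cidr(rule[key])]
        for key, flag in (("src_ports", "--sports"), ("dst_ports", "--dports")):
            if rule.get(key):
                if proto not in PORT_PROTOCOLS:
                    raise ValueError(f"ports are not available for protocol {proto!r}")
                argv += ["-m", "multiport", flag, parse_ports(rule[key])]
        if rule.get("length"):                       # layer-3 payload length, 'n' or 'n:m'
            argv += ["-m", "length", "--length", rule["length"]]
        if rule.get("ttl"):
            argv += ttl_args(rule["ttl"])
        if proto == "tcp" and (rule.get("flags_set") or rule.get("flags_unset")):
            mask = rule.get("flags_set", []) + rule.get("flags_unset", [])   # flags examined
            comp = rule.get("flags_set") or ["NONE"]                          # flags that must be 1
            argv += ["-m", "tcp", "--tcp-flags", ",".join(mask), ",".join(comp)]
        if rule.get("payload"):                      # costly string search, as the page warns
            argv += ["-m", "string", "--algo", "bm", "--string", rule["payload"]]
        if policy == "rate_limit":                   # drop whatever exceeds the limit
            argv += rate_args(rule["rate_limit"], rule.get("rate_hashing", []), rule["description"])
            argv += ["-j", "DROP"]
        elif policy == "reject":
            argv += ["-j", "REJECT", "--reject-with", "icmp-port-unreachable"]
        else:
            argv += ["-j", policy.upper()]           # drop -> DROP, accept -> ACCEPT
        rules.append(argv)
    return rules
```

The Rate Limit policy is expressed as a single hashlimit rule that drops the excess, which is equivalent to "allows a limited number of packets through"; selecting all four hashing objects yields a per-connection bucket, and selecting only Src. IP yields one bucket per source address, as the option list describes.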
