Creating a firewall rule

Use the steps below to create a firewall rule:

  1. In the Rules tab of the Connection editing window, select at least one service to which the firewall rule should apply. A list of the services to which the firewall rule can be applied is displayed in the bar on the right-hand side of the browser window. The bar is divided into categories of services grouped by function. The categories can be expanded and collapsed by clicking the corresponding icon. Please refer to Icons and buttons for further information. With the Filter input field at the top of the bar with the service selection list, you can quickly find a specific service or group of services. As you type your search term into the field, your LANCOM R&S®Unified Firewall displays only the services and service groups that contain the characters you entered. Click the icon in the input field to delete the search input and return to the unfiltered list view.
    1. There are two ways to add services to a firewall rule:
      • To add an individual service, click the button in front of the respective service in the bar with the service selection list.
      • To add all of the services in a category at the same time, click the button (add filtered services) directly under the title of the relevant category.
      The selected services are shown in the table on the Rules tab. In addition, the rules configured between parent objects are also displayed. These inherited rules cannot be edited directly; however, clicking the name of a rule lets you view its settings. In the Edit / Inherited from column, the names of the connections from which these rules are inherited are displayed instead of the edit buttons. Clicking one of these names opens the corresponding connection directly. You can use the filter function to limit the rules displayed so that you can determine more quickly whether a particular rule already exists. The filter criteria are:
      • Text for names, rule names, connection names and protocols
      • Numbers for port and port ranges
      • Booleans e.g. for DMZ, proxy or NAT
    2. To edit the settings for a firewall rule, click the button (click to edit this rule).
    An editing window for the service opens.
  2. In the editing window you can view the following information and configure the following elements of the firewall rule:
    1. Under Description you enter additional information about the firewall rule for internal use.
    2. On the Ports / Protocols tab you can see which ports and protocols have been set for the service to use. Please refer to Services for further information.
    3. On the Schedule tab you can specify the times when the firewall rule is active. The tab has the following options:
      • Use the sliders to set specific times and days of the week.
      • Clicking Always On enables the rule permanently.
      • Clicking Always Off disables the rule permanently.
    4. The tab for the settings under Advanced has the following input boxes:
      Proxy: For predefined firewall rules with predefined services, only if the predefined service allows a proxy (HTTP, HTTPS, FTP, SMTP, SMTPS, IMAP, IMAPS, POP3 or POP3S): set a checkmark in this box to enable the proxy for this rule. For firewall rules with customized services only: select a proxy for this rule from the drop-down list. To remove the proxy, click the icon on the right-hand side of the selected proxy.
      NAT: Choose from the following options:
      • Use Connection Settings – This setting uses the NAT settings made on the NAT tab.
      • Use Service Specific Settings – This setting lets you determine the NAT settings for each service. The settings described below are displayed for this purpose.
      NAT / Masquerading: Specify the desired direction for NAT/masquerading (bi-directional, left-to-right, or right-to-left), or disable the function for this rule (Off) by selecting the appropriate radio button. The default setting depends on the source and destination objects selected for the connection.
      NAT Source IP: Optional. If you have multiple outgoing IP addresses, specify the IP address to use for the source NAT. If no IP address is specified, the system automatically selects the main IP address of the outgoing interface.
      Enable DMZ / Port Forwarding for this service: If a single host object is the destination of the firewall rule, you can set a checkmark in this box to enable DMZ and port forwarding for this rule.
      External IP address: Optional. Enter the destination IP address of the traffic being processed. The DMZ rule is applied to this traffic only. This IP address has to be one of the IP addresses of the firewall.
      External Port: Displays the original destination port of the traffic being processed, depending on the port specified on the Ports / Protocols tab.
      Destination IP address: Displays the new destination IP address of the traffic (after processing).
      Destination Port: Optional. Specify the destination port of the traffic (after processing).
    5. The tab for the settings under Traffic Shaping has the following input boxes:
      Traffic Shaping: Choose from the following options:
      • Use Connection Settings – This setting applies the traffic shaping settings made at connection level. See Desktop connection settings.
      • Use Service Specific Settings – This setting lets you adjust the traffic shaping settings for each service. The settings described below are displayed for this purpose.
      Traffic Group: Optionally select the name of a traffic group. This applies the rules defined for that group to traffic on this connection. See also Traffic shaping.
      Note: For a route-based IPsec tunnel, traffic inside the tunnel can be prioritized using a custom shaping configuration.
      Outgoing DSCP: From the list, select an optional DSCP value for outbound data traffic. The list contains the designations from the relevant RFCs (e.g. "CS0") and the group (e.g. "Default"). The value is also represented numerically in several bases (binary, hexadecimal, and decimal). The list can be searched by any of these representations, so that you can quickly find the desired value regardless of your preferred representation.
    6. Use the buttons in the lower right-hand corner of the editing window to save your changes to an existing rule (OK), cancel the editing of an existing rule (Cancel), and discard your changes (Reset).
    The configured rules are shown in the table on the Rules tab. To delete a rule from the table, click the button (Click to delete this rule) in the final column.
  3. For further information about the URL / Content Filter, Application Filter and NAT tabs, see Desktop Connections.
  4. Use the buttons in the lower right-hand corner of the editing window to close the edit dialog (Close) if you have made no changes, or to save your changes (Save) or discard them (Reset).
  5. Click Activate in the toolbar at the top of the desktop to apply your configuration changes.
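The rule filter described in step 1 accepts three kinds of criteria: text (rule, connection and protocol names), numbers (a port or a port range) and booleans (DMZ, proxy, NAT). The following Python script is an added illustration of how such a filter can be evaluated over a rule table; it is not code from the LANCOM firewall, and the rule table, the `flag:true` syntax for booleans and the overlap semantics for port ranges are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    connection: str
    protocol: str
    ports: tuple          # (low, high), inclusive port range from the Ports / Protocols tab
    dmz: bool = False     # DMZ / port forwarding enabled for this rule
    proxy: bool = False   # proxy enabled for this rule
    nat: bool = False     # NAT / masquerading active for this rule


# Constructed sample rule table (hypothetical names, not taken from a real device)
RULES = [
    Rule("HTTP", "LAN to Internet", "tcp", (80, 80), proxy=True, nat=True),
    Rule("HTTPS", "LAN to Internet", "tcp", (443, 443), proxy=True, nat=True),
    Rule("RDP", "Internet to DMZ host", "tcp", (3389, 3389), dmz=True),
    Rule("Passive FTP data", "LAN to Internet", "tcp", (49152, 65534), nat=True),
]


def parse_term(term):
    """Classify one filter term as ('bool', (flag, value)), ('port', (lo, hi)) or ('text', s)."""
    t = term.strip().lower()
    flag, sep, val = t.partition(":")              # boolean criteria: dmz:true, proxy:false, nat:true
    if sep and flag in ("dmz", "proxy", "nat") and val in ("true", "false"):
        return "bool", (flag, val == "true")
    lo, sep, hi = t.partition("-")                 # numeric criteria: 443 or 1024-2048
    if lo.isdigit() and (hi.isdigit() or not sep):
        return "port", (int(lo), int(hi) if sep else int(lo))
    return "text", t                               # anything else is a substring search


def rule_matches(rule, term):
    kind, value = parse_term(term)
    if kind == "bool":
        flag, wanted = value
        return getattr(rule, flag) == wanted
    if kind == "port":
        lo, hi = value
        # a port or range matches when it overlaps the rule's own port range
        return lo <= rule.ports[1] and hi >= rule.ports[0]
    return any(value in field.lower() for field in (rule.name, rule.connection, rule.protocol))


def filter_rules(rules, query):
    """All whitespace-separated terms must match (AND); returns the matching rule names."""
    terms = query.split()
    return [r.name for r in rules if all(rule_matches(r, t) for t in terms)]
```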

Please refer to Icons and buttons for further information.

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de
