- 1 About Firewall
- 2 Settings
- 3 Reports
- 4 Related Topics
- 5 Firewall FAQs
- 5.1 Why doesn't the Untangle Server's Firewall have any rules enabled by default?
- 5.2 The default is pass all?! Why? That's so insecure!
- 5.3 Where do I add Port Forwards?
- 5.4 I want to lock-down my network but for a few exceptions. What is the best way to do this?
- 5.5 Why are my Firewall rules not being triggered?
- 5.6 Should I use pre-NAT or post-NAT addresses/ports in firewall rules?
- 5.7 I'm trying to use Firewall to filter Untangle administration access or SSH or local services. Its not working, why?
- 5.8 Does Firewall use iptables?
Firewall provides traditional firewall functionality, blocking and/or flagging traffic based on rules.
The term "Firewall" has grown to encompass many functionalities and has a wide case of uses. The "firewall" is often use interchangably with "router" "gateway" and "UTM" or "Unified Threat Management" Even the Untangle NGFW is a "next-gen" "firewall." There are also host-based "firewalls" that run on the local host computer.
The "Firewall" app itself is a traditional firewall used to block and/or flag TCP and UDP sessions passing through Untangle using rules. The Firewall app provides the same functionality as the traditional "firewall" - the ability to use rules to control which computers and communicate on a network.
This section reviews the different settings and configuration options available for Firewall.
This displays the current status and some statistics.
The Rules tab allows you to specify rules to Block, Pass or Flag traffic that crosses the Untangle.
The Rules documentation describes how rules work and how they are configured. Firewall uses rules to determine to block/pass the specific session, and if the sessions is flagged. Flagging a session marks it in the logs for reviewing in the event logs or reports, but has no direct effect on the network traffic.
Typically Untangle is installed as a NAT/gateway device, or behind another NAT/gateway device in bridge mode. In this scenario all inbound sessions are blocked by NAT except those explicitly allowed with port forwards. Because of this, the Firewall does not block anything by default. It is up to you to decide to best fit for your network, whether you only want to block specific ports or you want to block everything and allow only a few services.
- Pass: Allows the traffic which matched the rule to flow.
- Block: Blocks the traffic which matched the rule.
Additionally a session can be flagged. If Flag is checked the event is flagged for easier viewing in the event log. Flag is always enabled if the action is Block.
The Reports tab provides a view of all reports and events for all traffic handled by Firewall.
This applications reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.
Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.
Pre-defined report queries:
|Firewall Summary||A summary of firewall actions.|
|Scanned Sessions||The amount of scanned, flagged, and blocked sessions over time.|
|Top Scanned Hostnames||The number of scanned session grouped by hostname.|
|Top Flagged Hostnames||The number of flagged session grouped by hostname.|
|Top Blocked Hostnames||The number of blocked sessions grouped by hostname.|
|Top Scanned Clients||The number of scanned session grouped by client.|
|Top Flagged Clients||The number of flagged session grouped by client.|
|Top Blocked Clients||The number of flagged session grouped by client.|
|Top Scanned Usernames||The number of scanned session grouped by username.|
|Top Flagged Usernames||The number of flagged session grouped by username.|
|Top Blocked Usernames||The number of flagged session grouped by username.|
|Top Scanned Server Ports||The number of scanned session grouped by server (destination) port.|
|Top Flagged Server Ports||The number of flagged session grouped by server (destination) port.|
|Top Blocked Server Ports||The number of flagged session grouped by server (destination) port.|
|All Events||All events scanned by Firewall App.|
|Flagged Events||Events flagged by Firewall App.|
|Blocked Events||Events blocked by Firewall App.|
The tables queried to render these reports:
Why doesn't the Untangle Server's Firewall have any rules enabled by default?
When Untangle is in router mode, it is performing NAT, which blocks all inbound sessions. When Untangle is in bridge mode, the Untangle Server is already behind a firewall, which is doing NAT.
The default is pass all?! Why? That's so insecure!
As explained above, most Untangle boxes are install in router mode meaning that NAT is being performed on traffic. This means all inbound traffic is blocked regardless of the settings in the Firewall, only explicitly port forwarded traffic goes inside your network. Alternatively, most bridge mode deployments are installed behind a NAT device so the Firewall app (and Untangle) will only see traffic that has already explicitly been passed with a port forward on the NAT device. What this means is that the "pass all" default in most scenarios means "block everything inbound but nothing outbound", which is common policy for a lot of organizations. In our opinion most of the Firewall's utility is for controlling outbound traffic, however you are free to add rules controlling inbound, outbound or any other type of traffic you wish.
Where do I add Port Forwards?
I want to lock-down my network but for a few exceptions. What is the best way to do this?
Simply add a rule with no qualifiers, set it to Block, and put it at the bottom of the list. This will match all traffic, so anything not explicitly passed in a rule above it will be blocked.
Why are my Firewall rules not being triggered?
Firewall rules work from top to bottom; the first rule that the traffic matches will fire. If you have a broad rule near the top of your list that is matching, no other rules will be evaluated.
Should I use pre-NAT or post-NAT addresses/ports in firewall rules?
Firewall rules always match on the address which has more information. In other words if the entire internal network is being NATd from 192.168.*.* to 22.214.171.124, Firewall will match on the 192.168.*.* for traffic to and from this network. At the session layer this works out to be pre-NAT on source address, post-NAT on destination address, pre-NAT on source port, and post-NAT on destination port. An easy way to remember this is that it always matches where it gets the most information.
I'm trying to use Firewall to filter Untangle administration access or SSH or local services. Its not working, why?
Firewall processing only TCP and UDP sessions going *through* Untangle. In order to filter/control sessions going to Untangle itself you will need to use Access Rules in Config > Network > Advanced > Access Rules.
Does Firewall use iptables?
No. Firewall has nothing to do with iptables. Firewall rules are not iptables rules.