Firewall FAQs

From UntangleWiki


Why doesn't the Untangle Server's Firewall have rules enabled by default?

  • When the Untangle Server is your router, it is performing NAT. NAT protects you from most threats.
  • When the Untangle Server is a bridge, the Untangle Server is already behind a firewall. A firewall protects you from most threats.

Can I have a firewall and still use NetMeeting?

Yes. However, on the Untangle Server, you need to pass specific protocols and open specific ports as outlined in Firewall. A Microsoft article, How to Establish NetMeeting Connections Through a Firewall, explains which protocols to pass and which ports to open.

How do I identify unsecure ports?

There are free programs on the Internet that identify insecure ports. To learn about one, go to Protecting Your Network by Securing Ports.

We currently have a firewall, which lets us do port mapping. I don't see that feature in your Firewall. Will you be adding it, or is there an alternative?

Port mapping (redirection) is a feature of the Router.

I want to lock down my network except for a few exceptions. What is the best way to do this?

You can set the default behavior to block, as discussed in Firewall. Then, create a few rules to pass.

How can I block outbound SMTP?

Often administrators would like to block all outbound port 25 traffic except from the mail server. To do so, first remove the outbound port 25 policy rule so that outbound port 25 traffic goes through the rack in question. Then create a rule that blocks all port 25 traffic with Destination Interface External, and create a rule just above it that passes outbound port 25 traffic where the client is your email server. Beware: this means that mail coming from your mail server now goes through the rack and may be scanned by Spam Blocker, Phish Blocker, etc. Alternatively, you can add a firewall rule blocking all port 25 traffic and then add a Policy Manager rule sending all outbound port 25 traffic from the email server to ">No Rack."
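The rule ordering described above matters because the first matching rule decides. The following is an added example, not Untangle's own code: a small first-match model of the two outbound SMTP rules, with a constructed mail server address, showing that the pass rule only works when it sits above the block rule (it assumes Untangle evaluates firewall rules top to bottom, first match wins).

```python
# Added example (not Untangle code): first-match model of the outbound SMTP rules.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    dst_port: Optional[int] = None    # None means "any"
    dst_interface: Optional[str] = None
    src_ip: Optional[str] = None      # pre-NAT client address (see pre/post-NAT FAQ)

    def matches(self, session: dict) -> bool:
        """A rule matches when every non-None condition equals the session field."""
        conditions = (
            (self.dst_port, session["dst_port"]),
            (self.dst_interface, session["dst_interface"]),
            (self.src_ip, session["src_ip"]),
        )
        return all(cond is None or cond == value for cond, value in conditions)


def first_match(rules: list, session: dict, default: str = "pass") -> str:
    """Evaluate rules top to bottom; the first matching rule decides the session."""
    for rule in rules:
        if rule.matches(session):
            return rule.action
    return default  # Untangle's default behavior (pass unless changed)


MAIL_SERVER = "192.168.1.25"   # constructed address for the example

# Order from the FAQ: the pass rule for the mail server sits just above the block rule.
RULES_OK = [
    Rule("pass", dst_port=25, dst_interface="External", src_ip=MAIL_SERVER),
    Rule("block", dst_port=25, dst_interface="External"),
]
# Same two rules in the wrong order: the block rule now shadows the pass rule.
RULES_WRONG = list(reversed(RULES_OK))


def smtp_session(src_ip: str) -> dict:
    """Constructed outbound SMTP session from the given internal client."""
    return {"src_ip": src_ip, "dst_port": 25, "dst_interface": "External"}


def decide(rules: list, src_ip: str) -> str:
    return first_match(rules, smtp_session(src_ip))
```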

Should I use pre-NAT or post-NAT addresses in firewall rules?

Firewall rules always match on the address that carries more information. In other words, if the entire internal network is NATed from 192.168.*.* to 1.2.3.4, the Firewall matches on the 192.168.*.* addresses for traffic to and from this network. At the session layer this works out to be the pre-NAT address for the source and the post-NAT address for the destination.
