
Firewall FAQs

From UntangleWiki


Why doesn't the Untangle Server's Firewall have rules enabled by default?

  • When the Untangle Server is your router, it is performing NAT. NAT protects you from most threats.
  • When the Untangle Server is a bridge, the Untangle Server is already behind a firewall. A firewall protects you from most threats.


The default is pass all?! Why? That's so insecure!

As explained above, most Untangles are installed in router mode, meaning that NAT is being performed on traffic. This means all inbound traffic is blocked regardless of the settings in the Firewall app. Only explicitly port forwarded traffic goes inside your network. Likewise, most bridge mode deployments are installed behind NAT devices, so the Firewall app (and Untangle) will only see inbound traffic that has already been explicitly allowed by a port forward in the external NAT device.

Given this, the "pass all" default really amounts in most scenarios to "block everything inbound, nothing outbound", which is the most common policy for most organizations. Since most organizations run NAT, most of the firewall's utility is in controlling outbound traffic (egress), and rules can easily be added to do that.


Can I have a firewall and still use NetMeeting?

Yes. However, on the Untangle Server, you need to pass specific protocols and open specific ports as outlined in Firewall. A Microsoft article, How to Establish NetMeeting Connections Through a Firewall, explains which protocols to pass and which ports to open.


How do I identify insecure ports?

There are free programs on the Internet that identify insecure ports. More information can be found here.


We currently have a firewall, which lets us do port mapping. I don't see that feature in your Firewall. Will you be adding it, or is there an alternative?

Port mapping (redirection or port forwarding) is a feature available in Networking configuration. Read more about port forwarding.


I want to lock down my network except for a few exceptions. What is the best way to do this?

You can set the default behavior to block, as discussed in Anatomy of a Firewall Rule. Then, create a few rules to pass.


Should I use pre-NAT or post-NAT addresses/ports in firewall rules?

Firewall rules always match on the address which carries more information. In other words, if the entire internal network is being NATed from 192.168.*.* to 1.2.3.4, Firewall will match on the 192.168.*.* address for traffic to and from this network. At the session layer this works out to be pre-NAT on source address, post-NAT on destination address, pre-NAT on source port, and post-NAT on destination port. An easy way to remember this is that it always matches on the side where it gets the most information.


How do I create a rule to log all traffic, inbound and outbound?

You will need to create a rule that matches "any" traffic with the Log checkbox checked. (Screenshot: Passallandlogfirewallrule.JPG)


How come my firewall rules are not being triggered?

Firewall rules are evaluated from top to bottom. The very first rule that the traffic matches is the one that is used. So if you have an incorrect rule, or a generic rule that the traffic matches first, your other rules might never be triggered.
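As an added illustration that is not code from the Untangle project, the following Python models the two answers above: the tuple Firewall matches on (pre-NAT source address and port, post-NAT destination address and port) and top-to-bottom first-match rule evaluation, including how a generic rule placed first shadows a specific one below it. The names Session, Rule and evaluate and all addresses are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# A session as seen before and after NAT (constructed sample data below).
Session = namedtuple("Session", "pre_src pre_sport pre_dst pre_dport "
                                "post_src post_sport post_dst post_dport")
def match_tuple(s):
    # Per the FAQ: pre-NAT source address/port, post-NAT destination address/port.
    return (s.pre_src, s.pre_sport, s.post_dst, s.post_dport)
@dataclass
class Rule:
    name: str
    action: str               # "pass" or "block"
    src: str = "0.0.0.0/0"    # "any" source
    dst: str = "0.0.0.0/0"    # "any" destination
    dport: int = 0            # 0 means any destination port
    log: bool = False

    def matches(self, tup):
        src, _sport, dst, dport = tup
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (0, dport))
def evaluate(rules, session, default="pass"):
    """Top-to-bottom, first match wins: returns (action, rule name, logged)."""
    tup = match_tuple(session)
    for r in rules:
        if r.matches(tup):
            return r.action, r.name, r.log
    return default, None, False

# Constructed samples: outbound HTTPS with source NAT 192.168.1.10 -> 1.2.3.4,
# and an inbound port forward 1.2.3.4:80 -> 192.168.1.20:8080.
OUTBOUND = Session("192.168.1.10", 51000, "203.0.113.7", 443,
                   "1.2.3.4", 51000, "203.0.113.7", 443)
INBOUND = Session("198.51.100.9", 40000, "1.2.3.4", 80,
                  "198.51.100.9", 40000, "192.168.1.20", 8080)
LOG_ALL = Rule("log everything", "pass", log=True)
BLOCK_443 = Rule("block 203.0.113.0/24:443", "block", dst="203.0.113.0/24", dport=443)
ALLOW_WEB = Rule("pass to web server", "pass", dst="192.168.1.20/32", dport=8080)

def shadowed():    # generic rule first, so the block rule below it never fires
    return evaluate([LOG_ALL, BLOCK_443], OUTBOUND)
def reordered():   # specific rule first, catch-all log rule last
    return evaluate([BLOCK_443, LOG_ALL], OUTBOUND)
def wrong_side():  # a rule on the post-NAT (public) source address never matches
    return evaluate([Rule("block 1.2.3.4", "block", src="1.2.3.4/32")], OUTBOUND)
def locked_down(): # default block plus one exception, matched on post-NAT dest
    return evaluate([ALLOW_WEB], INBOUND, default="block")
```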