The Sophos Community will be unavailable from 13:00 to 18:00 UTC this Saturday, October 1st for upgrades. Stay tuned to our Twitter account @SophosSupport for updates.
Firewall rules (called Packet Filter rules in older versions) are used to define a policy of allowed and prohibited network traffic. Firewall rules may control traffic by protocol, ports, and IP addresses.
Firewall rules may be found in either the Network Security, or Network Protection menu option, depending on your version. A newly installed system will have no firewall rules created. The initial setup wizard may create several rules to allow certain types of traffic selected by the installer. All of these rules are to allow traffic.
While not shown, there is always an implied default drop rule,at the bottom of the rule list. This rule will drop and log all traffic which does not match any other rule.
When traffic is detected, firewall rules are checked in order, by position, until the first matching rule is found. If no matching rule is found, the packet is dropped and logged by the default drop rule. For this reason, the order of rules is important. Generally, more specific rules should come before more broad rules. For example, if you wished to allow traffic over a certain port from one host, but block that port for all other hosts, the allow rule for a single host should be listed before the blocking rule for all other hosts.
A. Group: The Group option is useful to group packet filter rules logically for readibility. It is only used for display purposes, it is not used for rule matching. B. Position: The position describes the priority of the rule. Lower numbers have higher priority, and rules are matched in ascending order. When a rule has been matched, processing stops, meaning that rules with a higher number will not be evaluated anymore. C. Source: The source network definition, describing from which source network/host(s) the service is orginating from. D.Service:The service definition that describes the protocol(s) and, in case of TCP or UDP, the source and destination port(s) of the packets. E. Destination:The destination network definition, describing the target host(s) or network(s) of the packets. F. Action: The action describes what to do with traffic matching the rule. The following can be selected: Allow: The connection is allowed and traffic is forwarded. Deny: Packets matching this rule will be silently dropped. Reject: Connections matching this rule will be actively rejected.
G. (Optional) Comment:You may add a descriptive note or other comment about this rule. H. Time Event: By default no time event is selected, meaning the rule is always valid. If you select a time event, the rule will only be valid at the time specified by the time event definition. For more information, see Time Events. I. Log Traffic: If you select this option, logging is enabled and packets matching the rule are logged in the packet filter log. J. Source MAC addresses: By default no MAC addresses are selected, meaning the rule will apply to all matching traffic. If you select a MAC address (which can be created in Definitions & Users >> Network Definitions >> Network Definitions) the rule will only be applied to traffic with the listed MAC address(es). Note, this feature was added in the 9.3 release so older versions will not have this option.
Automatic Firewall Rules
While the firewall section of the appliance is the primary place to create firewall rules, there are several other product features, which will create firewall rules automatically, if configured to do so. Rules created by the following features are created automatically, and are used above any user created firewall rules. Prior to 9.3 they are not visible in the firewall rules list, and are only viewable in their respective configuration section of WebAdmin. As of 9.3 they can be seen in the firewall rules list by changing the dropdown list to either, All, or Automatic Firewall rules.
When creating DNAT or SNAT rules, you may select automatic firewall rules, to ensure that rules are automatically created to allow the traffic described in the rule to be allowed through the firewall.
When creating a new server load balancing group, you may select automatic firewall rules, to ensure that rules are automatically created to allow access to the balanced servers through the firewall.
When the web proxy is enabled in transparent mode, hosts may be bypassed from being transparently intercepted. If Allow HTTP/S traffic for listed hosts/nets is selected, rules will be created to allow HTTP or HTTPS (if enabled) traffic to the internet.
If transparent mode is enabled in the SMTP proxy, and Allow SMTP traffic for listed hosts/nets is selected, then firewall rules will be automatically created to allow outbound port 25 access for all hosts listed.
When site-to-site IPSec or SSL VPNs are created, and Automatic Firewall Rules is selected, then firewall rules are created to allow connections from all local networks defined in the tunnel to all remote networks, ad from all remote networks to all local.
When remtoe access IPSec, SSL, or Coisco VPNs are created, and Automatic Firewall Rules is selected, then firewall rules are created to allow incoming connections access to all local networks defined in the tunnel.
Users are often tempted to create firewall rules to allow or deny traffic which is being handled by a proxy. This is unnecessary, since Astaro will create necessary rules to allow services on the system to do their job. For instance, user firewall rules will have no effect on proxied services, such as the web or SMTP proxies. For instance, a user might become aware of suspicious web activity to a certain IP address, and create a firewall rule to block that traffic. If the web traffic is going through the web protection proxy, then the proxy will have it's own rules that are checked above any user created rules, which will allow it outbound., To block access to a proxied target, you would need to use features in the web or email security module to restrict or allow access.
WebAdmin and End User Portal
When a network is listed in the allowed networks for WebAdmin or End User Portal access, rules are created above user created firewall rules, which would stop access to these services. Access to these services cannot be restricted by firewall rules.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.