Firewall manager is the Core-Admin application that lets you manage your server firewall. It can be used to administer the firewall of a single server, or to run a firewall that acts as a router/gateway for your network.
- 2 Before starting: a few notes about how firewall manager works
- 3 How to use it
- 3.1 Host groups
- 3.2 MAC rules
- 3.3 NAT rules
- 3.3.1 Source NAT
- 3.3.2 Destination NAT
- 3.3.3 Controlling and limiting the NAT to the source address
- 3.3.4 Controlling and limiting the NAT to the source / destination address that began the connection
- 3.4 Interface rules
- 3.4.1 Interface rules: authorise output traffic (client)
- 3.4.2 Interface rules: authorise incoming traffic (server)
- 3.4.3 Interface rules: configure a rule for a certain period of time
- 3.4.4 Interface rules: modification log
- 3.5 Route rules
- 3.6 Setting up ports: ranges, ports and services
- 3.8 Blocked traffic monitor
- 3.8.1 Authorise the traffic from the blocked traffic monitor
- 3.9 Modification log
- 4 Core-Admin command line integration
- 5 Core-Admin Python API integration
Firewall manager is based on iptables with a progressive load design, and includes and supports all the regular management options of a firewall. In addition, it supports load balancing, label-oriented rule management, change logs, and an easy way to create rules out of recorded blocked traffic.
Before starting: a few notes about how firewall manager works
With the firewall manager application we can perform several common tasks:
- Interface rules: manage rules that control the traffic going into or out of the machine/device, that is, traffic generated by the machine or traffic received by the machine (when acting as a server).
- Route rules: manage rules that control the traffic going through the machine, coming in on one interface and going out on another (both can be the same). Under this section we manage all the rules needed to authorise traffic to the networks controlled by the firewall, when the server/device is used as a security router/gateway.
- Host group labels: in general, it is recommended to define host groups, for sources and/or destinations, in the “Host groups” section. You can then use these labels to limit the source or destination a rule applies to, which makes the firewall configuration more maintainable and readable. At the same time, the firewall manager selectively updates all affected rules whenever the content of a label changes. With well-defined host groups, firewall management is simplified: you only have to add or remove IP addresses in those host groups to keep your firewall up to date.
- Default blocking: the firewall blocks by default, so you have to define the authorised traffic explicitly. This is a disabled-by-default policy.
- Easy traffic unblock: remember that you can always go to the “Blocked traffic monitor” section to see the traffic that has been blocked in the past. There, you only have to click on the record you are interested in and ask for a rule to be created, reusing the proposed port, source and/or destination. This is explained in detail later.
- Load balancing: allows the firewall to use two or more connections to balance outgoing traffic. We recommend getting everything working with one connection (the default mode) first and enabling connection balancing at the end.
- MAC control: remember that you can install MAC control for the machines in the local networks the firewall is connected to. This way you can control, at the physical level, which machines can reach the firewall and request routing, because they must be authorised by MAC address (Media Access Control) first.
How to use it
Once the application is installed, click on it in the panel and then on any section inside the application; this makes the firewall detect all running services and install a default rule set you can start working with:
By default, firewall manager installs a basic rule set that detects all common services, so that your server/device keeps working. This may take a few seconds. After that, refine and personalise your firewall rule set.
After the application starts we get the following interface, where we can do the following:
- Host groups: edit the host groups that will be used as tags inside the rule set we define
- MAC rules: manage authorised MACs and the IPs authorised for those MACs
- NAT rules: install NAT rules that let you configure port redirections or mask the network behind the firewall’s IP
- Interface rules: manage the rules that authorise the traffic coming into or going out of the machine
- Route rules: manage the rules that authorise the traffic going through the machine
- Blocked traffic monitor: view the blocked traffic
- Modification log: view a record of all the actions performed on the firewall.
Next we will show different use cases to explain how to use Firewall manager.
Host groups
To manage host groups, click on the Host groups section:
To create a host group, click on Add Host group and fill in the following fields:
- Name of the host group: a label for the group
- The hosts that belong to the group, using any of the following forms:
- Single IPs, separated by white space, for example: 192.168.1.1 192.168.1.2
- You can also negate some addresses by prefixing them with !, for example: ! 192.168.1.2 ! 192.168.1.1
- IP ranges, for example: 192.168.1.20-192.168.1.40
- Network ranges, like: 192.168.1.0/24
- Hostnames can also be used, but this is strongly discouraged, because they are resolved when the rule is set up and may become out of date
- Host group tags, like: [admin_ips] (see the host groups section to set up host tags).
- If needed, an additional comment about its purpose
Next, click on Create a new Host group, and that’s it.
Once the host group is created, you use it by writing the proposed tag in the source or destination fields when defining firewall rules. In this case, the tag created is: [group1]
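As an added example (not Core-Admin's own code), the following parses the host group syntax listed above into typed entries, flags hostnames as discouraged, and expands [tag] references to other groups while refusing cycles and negated tags. The `groups` dictionary shape ({name: spec}) is an assumption of this example, not the application's storage format.

```python
import ipaddress
import re

# Added example, not Core-Admin's code: parse the host group syntax described
# above into typed entries and expand [tag] references before a rule is built.
def _ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None

def _classify(tok):
    m = re.match(r"^\[(\w+)\]$", tok)  # host group tag, e.g. [admin_ips]
    if m:
        return ("tag", m.group(1))
    if "/" in tok:  # CIDR network; strict=False tolerates host bits, as iptables does
        return ("network", str(ipaddress.ip_network(tok, strict=False)))
    ends = [_ip(p) for p in tok.split("-", 1)]  # "a.b.c.d" or "a.b.c.d-a.b.c.e"
    if all(e is not None for e in ends):
        lo, hi = ends[0], ends[-1]
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad address range %r" % tok)
        return ("ip", str(lo)) if len(ends) == 1 else ("range", (str(lo), str(hi)))
    if re.match(r"^(?=.*[A-Za-z])[A-Za-z0-9.-]+$", tok):  # a letter is required
        return ("hostname", tok)  # discouraged: resolved once, when the rule is installed
    raise ValueError("unrecognised host group entry %r" % tok)

def parse_host_group(spec):
    # returns [(kind, value, negated), ...]; a "!" token negates the entry after it
    entries, negate = [], False
    for tok in spec.split():
        if tok != "!":
            entries.append(_classify(tok) + (negate,))
        negate = tok == "!"
    if negate:
        raise ValueError("dangling '!' at end of host group")
    return entries

def expand(spec, groups, _seen=()):
    # replace [tag] entries with the members of groups[tag]; groups is {name: spec}
    out = []
    for kind, value, negated in parse_host_group(spec):
        if kind != "tag":
            out.append((kind, value, negated))
        elif negated or value in _seen or value not in groups:
            raise ValueError("bad host group reference [%s]" % value)
        else:
            out.extend(expand(groups[value], groups, _seen + (value,)))
    return out
```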
MAC rules
Go to the MAC rules section and click on Add Mac rule. Fill in the following fields:
- Mac: the machine’s MAC address, six pairs of hexadecimal digits separated by “:”, for example: 00:18:20:01:63:47
- Allowed IPs: defines the IPs the given MAC is authorised to use. If you do not enter any IP, there is no restriction and the MAC can use any IP.
- Optionally, a comment to identify the rule.
Next, click on Create a new Mac rule.
NAT rules
Go to NAT rules and click on Add Nat rule.
NAT rules are only address rewriters; they do not authorise traffic. Traffic authorisation is done afterwards, in the interface or route rules sections, depending on the traffic you are authorising.
Next, we show some use cases for the different NAT types.
Source NAT
NAT that rewrites the source address of outgoing packets so that the traffic appears to originate from the firewall. Configure this rule when you want the firewall/router IP to appear as the source address of all or part of the traffic going through, or generated by, the firewall.
The basic configuration for a source NAT includes:
- Set the NAT type to “to source”.
- The NAT address (it must be a firewall IP).
- Choose the option Apply on outface.
- Choose the Outface.
Destination NAT
NAT for port mapping. This kind of NAT is used to give access to internal services behind the firewall, for example a local web server, so that they are reachable from the Internet.
The basic configuration for a destination NAT includes:
- Set the NAT type to “to destination”.
- The NAT address (it must be a firewall IP).
- Choose the option Apply on inface to indicate where the connection will come in.
- Choose the Inface.
- Then specify the ports or port ranges (for example, 22 or 20000:30000), as well as the protocol, in the options: NAT port mapping.
Controlling and limiting the NAT to the source address
The following applies only to the NAT type “to destination”.
Once the basic NAT rules are defined, both source NAT (“to source”) and destination NAT (“to destination”), you can add configuration to make the rule more secure and controlled by specifying the source address the NAT rule applies to.
The next example shows a rule where only the group “[authorised_ips_in]” has access, because the NAT rule applies only to them. If the source IP is not in the host group, the NAT is not applied and the source is not authorised to access the service.
Conversely, if the Source address and/or Destination address fields are left empty, the firewall applies no restriction on the source or on the destination.
Controlling and limiting the NAT to the source / destination address that began the connection
The following applies to both NAT types, “to source” and “to destination”.
For source NAT (to source) it is possible to configure when the NAT rule is applied: when the source address matches the connection’s source, and/or when the destination address also matches, as shown in the next picture:
It is not necessary to configure both values; it is just an option you may want to use. If you need to limit the NAT only by source address or only by destination address, configure just that field.
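To make the two NAT types and the source/destination restrictions concrete, here is an added example (not Core-Admin's own generated rules) that renders what each case corresponds to in plain iptables. It assumes IPv4, that `nat_address` is the address packets are rewritten to, and that the restriction fields hold plain addresses or CIDR networks; the second command it emits for a destination NAT illustrates the point above that a NAT rule only rewrites and the traffic still has to be authorised separately.

```python
import shlex

# Added example, not Core-Admin's generated rules: the iptables equivalents of the
# NAT rule types described above. Sample addresses used in comments are constructed.
def nat_rule(nat_type, nat_address, iface, ports=None, proto="tcp",
             source=None, destination=None):
    """Return a list of iptables argument lists for one rule.
    nat_type is "to source" (SNAT applied on the outface) or "to destination"
    (DNAT applied on the inface). source/destination restrict which connections
    the NAT applies to, like the Source address / Destination address fields."""
    src = ["-s", source] if source else []
    dst = ["-d", destination] if destination else []
    if nat_type == "to source":
        # traffic leaving `iface` appears to come from nat_address (a firewall IP)
        return [["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", iface]
                + src + dst + ["-j", "SNAT", "--to-source", nat_address]]
    if nat_type == "to destination":
        if not ports:
            raise ValueError("destination NAT needs the ports to map, e.g. '22' or '20000:30000'")
        port_match = ["-p", proto, "--dport", ports]
        target = nat_address.split(":")[0]  # FORWARD sees the rewritten destination
        return [
            ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", iface] + src + dst
            + port_match + ["-j", "DNAT", "--to-destination", nat_address],
            # the rule above only rewrites the address; the connection still has
            # to be authorised, here by a matching FORWARD accept rule
            ["iptables", "-A", "FORWARD", "-i", iface] + src + ["-d", target]
            + port_match + ["-j", "ACCEPT"],
        ]
    raise ValueError("unknown NAT type %r" % nat_type)

def as_shell(rules):
    """Render the argument lists as shell lines for review (nothing is executed)."""
    return "\n".join(" ".join(shlex.quote(a) for a in cmd) for cmd in rules)
```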
Interface rules
In this section you can configure all the rules needed to authorise the traffic coming into or going out of the server/device. If you are using a local firewall for a server (rather than a router/gateway), you will use this section frequently.
The rules that authorise traffic are classified as:
- client: all the rules that authorise traffic originating from the server/device, that is, where the server/device acts as a “client” of an external service.
For example, if you need to authorise an ssh connection from the server to the outside, you need to create a “client” rule.
- server: all the rules that authorise traffic received by the server/device. For example, if you run a web service and want it to accept connections, you create a “server” rule.
Below are some examples of how to create interface rules.
Interface rules: authorise output traffic (client)
The following shows how to authorise traffic to port 8888 on the machine (or machines) in [web_service_address], leaving the Source address field empty:
Interface rules: authorise incoming traffic (server)
The following shows how to authorise incoming traffic on port 8443 when a service (such as a web server) is listening on that port. The rule is configured without limiting the sources (Source address), so the service is public, without any restriction:
If, for security reasons, we need to limit access to that service, we configure the authorised source addresses in the Source address field.
Interface rules: configure a rule for a certain period of time
By default, all created rules are permanent. Optionally, you can configure a period during which the rule is in place. For example, if you need to authorise the traffic for 2 hours, go to the “Timing options” tab, enter the time (in seconds) and set the rule type to temporary.
Interface rules: modification log
Inside each created rule you can view its modification log, which shows which user changed the rule and when:
Route rules
Route rules allow you to authorise traffic through the firewall, that is, traffic routed through the server, coming in on one interface and going out on another (they can be the same).
To authorise routed traffic you have to define at least one destination address (or addresses), as well as the inface and outface. If you do not want to restrict those interfaces, use the value “any”.
The next example shows how to authorise routed traffic to port 80 (web, http):
If you want to restrict the rule by source, edit the rule and adjust the interface as well as the source address of that traffic:
Setting up ports: ranges, ports and services
Remember that you can use the following formats to configure the ports in interface and route rules:
- A single port, for example: 80
- A list of ports: 80,443,1443
- A range of ports: 20000:30000
- Service names, like: http,https,smtp
- Or a mix of all of these: 80,443,smtp,smtps,20000:30000
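As an added example (not Core-Admin's own code), the following parses the port formats listed above into (low, high) ranges, resolves service names, coalesces overlapping ranges and answers whether a given port is covered, so a port field can be checked before a rule is created. The `resolver` callback is an assumption of this example; by default it uses the system services database through `socket.getservbyname`.

```python
import socket

# Added example, not Core-Admin's code: parse the port syntax described above
# ("80", "80,443,1443", "20000:30000", "http,https,smtp" or a mix of them)
# into (low, high) ranges, coalesce them, and test whether a port is covered.
def _port(token, proto, resolver):
    if token.isdigit():
        port = int(token)
    else:
        try:
            port = resolver(token, proto)  # service name, e.g. "smtp" -> 25
        except (OSError, KeyError):
            raise ValueError("unknown service name %r" % token)
    if not 1 <= port <= 65535:
        raise ValueError("port %r out of range" % token)
    return port

def parse_ports(spec, proto="tcp", resolver=None):
    """Return sorted (low, high) tuples; names resolve through resolver(name, proto),
    by default /etc/services via socket.getservbyname."""
    resolver = resolver or socket.getservbyname
    ranges = []
    for item in spec.replace(" ", "").split(","):
        lo, sep, hi = item.partition(":")
        if not lo or (sep and not hi):
            raise ValueError("malformed port entry %r in %r" % (item, spec))
        lo, hi = _port(lo, proto, resolver), _port(hi or lo, proto, resolver)
        if lo > hi:
            raise ValueError("inverted range %r" % item)
        ranges.append((lo, hi))
    return sorted(ranges)

def merge_ranges(ranges):
    """Coalesce sorted (low, high) ranges that overlap or touch."""
    merged = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def port_matches(spec, port, **kw):
    """True when `port` is covered by the spec (same keyword args as parse_ports)."""
    return any(lo <= port <= hi for lo, hi in parse_ports(spec, **kw))
```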
This section also integrates the blocked IP database provided by the IP blocker application of Core-Admin. Read more about this section. The database is unified: a modification made in the firewall manager is also visible in the IP blocker application, and vice versa.
Blocked traffic monitor
The blocked traffic monitor has two main goals:
- Show which traffic is being blocked, to better assist with firewall management
- Allow quick authorisation by creating rules from the blocked traffic.
To view the blocked traffic, ordered by volume with the most frequently blocked traffic first, just click on Blocked traffic monitor:
Authorise the traffic from the blocked traffic monitor
You only have to select the blocked traffic and click on “Unblock traffic”.
The application opens a new tab where you can specify the new rule and its properties:
Modification log
The modification log keeps a history of all the interface, route, MAC and NAT rules, as well as host group labels, that have been created, edited or removed, together with the modification date and the author of each change.
Core-Admin command line integration
Use the following general command to interact with the Core-Admin firewall manager from the command line:
>> crad-firewall.pyc --help
To get the firewall status, reload it, or stop/start it, use:
>> crad-firewall.pyc --status
>> crad-firewall.pyc --reload
>> crad-firewall.pyc --stop-firewall
>> crad-firewall.pyc --start-firewall
To list the rules currently installed, run:
>> crad-firewall.pyc --list-rules
Core-Admin Python API integration
Firewall manager can be accessed by loading the application module like this:
# import firewall manager module
from core_admin_agent import application

m = application._import ("firewall_manager")
if not m:
    return (False, "Unable to import firewall manager, it is not deployed on this system")
Now, to list all interface rules installed, use the following (these snippets return a (status, message) tuple, so they are meant to run inside a Core-Admin handler function):
# call to get interface rules
(status, rules) = application.call (m, "list_interface_rules")
if not status:
    return (False, "Unable to list interface rules, error was: %s" % rules)

# each rule is a dictionary; 'id' identifies the rule
for rule in rules:
    print("Rule id %d : %s" % (rule['id'], rule))