Tripp Lite B093-004-2E4U-V 4-Port Console Server with 4G LTE Cellular Gateway, Dual GbE NIC, 4Gb Flash and Dual SIM

Owner's Manual - Page 100

For B093-004-2E4U-V. This document also covers other Tripp Lite models: B093-00X-2E4U-X, B097-016/048, B098-016/048 and B098-016-V.

PDF manual, 285 pages.

5. Firewall, Failover and OOB Access
5.8.5 Packet State Matching in Firewall Rules
As of firmware version 4.0.0, firewall rules can include packet state matching. This is implemented using an iptables extension module and can be set as follows:
Navigate to System > Firewall > Firewall Rules.
In either the IPv4 or IPv6 section, click the New Firewall Rule button.
Enter a Name for the new rule in the Name field.
Select the interface the new rule will be applied against from the Interface pop-up menu.
Note: the available interfaces vary depending on the exact hardware available on the console server. By default, new firewall rules are applied against Any (i.e. all) available interfaces.
If the rule's protocol is TCP or UDP, enter the rule's destination port or port range.
If the firewall rule is to apply against a particular MAC address, enter this value in the Source MAC address field. MAC addresses must be entered in standard xx:xx:xx:xx:xx:xx format (where each xx is a hexadecimal value).
If the firewall rule is to apply against a particular source address or range of source addresses, enter this address or address range in the Source Address/Address Range field. Address ranges can be entered using the ip-address/netmask syntax.
If the firewall rule is to apply to a particular destination address or address range, enter this address or address range in the Destination Address/Address Range field. As with the Source Address/Address Range field, address ranges can be entered using the ip-address/netmask syntax.
Set the data protocol against which the firewall rule will apply. By default, new firewall rules apply against the TCP protocol.
Set the direction of data travel against which the firewall rule will apply. This setting can take one of two values: Ingress or Egress. The default is Ingress. Ingress means data arriving at an interface from elsewhere. Egress means data leaving an interface and going elsewhere.
Select the desired packet state to match against from the Connection State pop-up menu. Available options are New, Established/Related and Any. The default option is Any.
Note: The default option leaves packet state matching inactive. With this option, no extra specifications are added to the firewall rule.
Select the desired action to be taken regarding packets of the chosen state from the Action pop-up menu. The two available options are Block and Accept. The default action is Block.
Click the Save button.
Using the Connection State pop-up menu in System > Firewall > Firewall Rules > IPv4 > New Firewall Rule to set packet state matching to New or Established/Related is equivalent to running one of the following at a shell prompt:
# iptables -m state --state NEW
# iptables -m state --state \
ESTABLISHED,RELATED
For example:
# iptables -I INPUT -p tcp --dport 23 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
This tells the firewall to accept incoming Telnet traffic for previously established Telnet sessions.
If the rule is created in IPv6 > New Firewall Rule, it is the equivalent of running one of the following at a shell-prompt:
# ip6tables -m state --state NEW
# ip6tables -m state --state ESTABLISHED,RELATED
For example:
# ip6tables -I INPUT -p tcp --dport 23 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
As with the iptables example, this tells the firewall to accept incoming Telnet traffic for previously established Telnet sessions.
For more on iptables, ip6tables and iptables-extensions, see the respective man pages: iptables, ip6tables and iptables-extensions.
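As an added illustration (not code from the Tripp Lite manual or the console server firmware), the following Python helper translates the GUI fields walked through above into the equivalent iptables or ip6tables command line, validating the MAC and address syntax the steps require, so a rule set can be reviewed in netfilter terms before it is saved. The Block-to-DROP mapping is an assumption; the manual names the GUI options but not the target the firmware emits.

```python
import ipaddress
import re
import shlex

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# GUI choice -> netfilter term. Block -> DROP is an assumption: the manual names
# the GUI options but not the target the firmware emits for Block.
STATES = {"New": "NEW", "Established/Related": "ESTABLISHED,RELATED", "Any": None}
ACTIONS = {"Accept": "ACCEPT", "Block": "DROP"}

def build_rule(family="ipv4", interface="Any", protocol="tcp", dport=None,
               src_mac=None, source=None, destination=None,
               direction="Ingress", state="Any", action="Block"):
    """Return the iptables/ip6tables argv equivalent to one GUI firewall rule."""
    if family not in ("ipv4", "ipv6") or direction not in ("Ingress", "Egress"):
        raise ValueError("family must be ipv4/ipv6, direction Ingress/Egress")
    argv = ["iptables" if family == "ipv4" else "ip6tables", "-I",
            "INPUT" if direction == "Ingress" else "OUTPUT"]
    if interface != "Any":  # the GUI default Any adds no interface match
        argv += ["-i" if direction == "Ingress" else "-o", interface]
    argv += ["-p", protocol]
    if dport is not None:
        if protocol not in ("tcp", "udp"):
            raise ValueError("destination port applies only to TCP or UDP")
        argv += ["--dport", str(dport)]  # "23" or a range such as "6000:6010"
    if src_mac is not None:
        if not MAC_RE.match(src_mac):
            raise ValueError("MAC must be in xx:xx:xx:xx:xx:xx format")
        if direction != "Ingress":  # the mac match exists only on inbound chains
            raise ValueError("source MAC cannot be matched on egress traffic")
        argv += ["-m", "mac", "--mac-source", src_mac]
    for flag, addr in (("-s", source), ("-d", destination)):
        if addr is not None:  # host, CIDR or ip-address/netmask syntax
            net = ipaddress.ip_network(addr, strict=False)
            if (net.version == 4) != (family == "ipv4"):
                raise ValueError(f"{addr} does not belong to family {family}")
            argv += [flag, str(net)]
    if STATES[state] is not None:  # Any leaves state matching inactive
        argv += ["-m", "state", "--state", STATES[state]]
    argv += ["-j", ACTIONS[action]]
    return argv

def rule_command(**fields):
    """The same rule as a shell-quoted one-liner, for review against the GUI."""
    return shlex.join(build_rule(**fields))

if __name__ == "__main__":
    # The manual's own example: accept established Telnet sessions on IPv4.
    print(rule_command(dport=23, state="Established/Related", action="Accept"))
```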