NethServer Enterprise can act as firewall and gateway inside the network where is installed. All traffic between computers on the local network and the Internet passes through the server that decides how to route packets and what rules to apply.
Main features:
Firewall and gateway modes are enabled only if:
Each interface is identified with a color indicating its role within the system. See Network.
When a network packet passes through a firewall zone, the system evaluates a list of rules to decide whether traffic should be blocked or allowed. Policies are the default rules to be applied when the network traffic does not match any existing criteria.
The firewall implements two default policies editable from the page -> Configure:
Firewall policies allow inter-zone traffic accordingly to this schema:
GREEN -> BLUE -> ORANGE -> RED
Traffic is allowed from left to right, blocked from right to left.
You can create rules between zones to change default policies from Firewall rules page.
Note
Traffic from local network to the server on SSH port (default 22) and Server Manager port (default 980) is always permitted.
Rules apply to all traffic passing through the firewall. When a network packet moves from one zone to another, the system looks among configured rules. If the packet match a rule, the rule is applied.
Note
Rule’s order is very important. The system always applies the first rule that matches.
A rule consists of four main parts:
Available actions are:
Note
The firewall will not generate rules for blue and orange zones, if at least a red interface is configured.
As a general rule, you should use REJECT when you want to inform the source host that the port to which it is trying to access is closed. Usually the rules on the LAN side can use REJECT.
For connections from the Internet, it is recommended to use DROP, in order to minimize the information disclosure to any attackers.
When a rule matches the ongoing traffic, it’s possible to register the event on a log file by checking the option from the web interface.
Firewall log is saved in /var/log/firewall.log file.
Below there are some examples of rules.
Block all DNS traffic from the LAN to the Internet:
Allow guest’s network to access all the services listening on Server1:
The term WAN (Wide Area Network) refers to a public network outside the server, usually connected to the Internet. A provider is the company who actually manage the WAN link.
The system supports up to 15 WAN connections. If the server has two or more configured red cards, it is required to proceed with provider configuration from Multi WAN page.
Each provider represents a WAN connection and is associated with a network adapter. Each provider defines a weight: higher the weight, higher the priority of the network card associated with the provider.
The system can use WAN connections in two modes (button Configure on page ):
To determine the status of a provider, the system sends an ICMP packet (ping) at regular intervals. If the number of dropped packets exceeds a certain threshold, the provider is disabled.
The administrator can configure the sensitivity of the monitoring through the following parameters:
The Firewall rules page allows to route network packets to a given WAN provider, if some criteria are met. See Rules.
Given two configured providers:
If balanced mode is selected, the server will route a double number of connections on Provider1 over Provider2.
If active backup mode is selected, the server will route all connections on Provider1; only if Provider1 becomes unavailable the connections will be redirected to Provider2.
The firewall blocks requests from public networks to private ones. For example, if web server is running inside the LAN, only computers on the local network can access the service on the green zone. Any request made by a user outside the local network is blocked.
To allow any external user access to the web server you must create a port forward. A port forward is a rule that allows limited access to resources from outside of the LAN.
When you configure the server, you must choose the listening ports. The traffic from red interfaces will be redirected to selected ports. In the case of a web server, listening ports are usually port 80 (HTTP) and 443 (HTTPS).
When you create a port forward, you must specify at least the following parameters:
Given the following scenario:
If you want to make the web server available directly from public networks, you must create a rule like this:
All incoming traffic on firewall’s red interfaces on port 80, will be redirected to port 80 on Server1.
In case you want to make accessible from outside the SSH server on port 2222, you will have to create a port forward like this:
All incoming traffic on firewall’s red interfaces on port 2222, will be redirected to port 22 on Server1.
In case you want to make accessible from outside the server on the whole port range beetween 5000 and 6000, you will have to create a port forward like this:
All incoming traffic on firewall’s red interfaces on port range beetween 5000 and 6000 will be redirected to same ports on Server1.
You can restrict access to port forward only from some IP address or networks using the field Allow only from.
This configuration is useful when services should be available only from trusted IP or networks. Some possible values:
10.2.10.4: enable port forward for traffic coming from 10.2.10.4 IP10.2.10.4,10.2.10.5: enable port forward for traffic coming from 10.2.10.4 and 10.2.10.5 IPs10.2.10.0/24: enable port forward only for traffic coming from 10.2.10.0/24 network!10.2.10.4: enable port forward for all IPs except 10.2.10.4192.168.1.0/24!192.168.1.3,192.168.1.9: enable port forward for 192.168.1.0/24 network, except for hosts 192.168.1.3 and 192.168.1.9One-to-one NAT is a way to make systems behind a firewall and configured with private IP addresses appear to have public IP addresses.
If you have a bunch of public IP addresses and if you want to associate one of these to a specific network host, NAT 1:1 is the way.
In our network we have an host called example_host with IP 192.168.5.122. We have also associated a public IP address 89.95.145.226 as an alias of eth0 interface (RED).
We want to map our internal host (example_host - 192.168.5.122) with public IP 89.95.145.226.
In the NAT 1:1 panel, we choose for the IP 89.95.145.226 (read-only field) the specific host (example_host) from the combo-box. We have configured correctly the one-to-one NAT for our host.
Traffic shaping allows to apply priority rules on network traffic through the firewall. In this way it is possible to optimize the transmission, check the latency and tune the available bandwidth.
To enable traffic shaping it is necessary to know the amount of available bandwidth in both directions and fill in the fields indicating the speed of the Internet link. Be aware that in case of congestion by the provider there is nothing to do in order to improve performance.
Traffic shaping can be configured from the page -> Interface rules.
The system provides three levels of priority, high, medium and low: as default all traffic has medium priority. It is possible to assign high or low priority to certain services based on the port used (eg low traffic peer to peer).
The system works even without specifying services to high or low priority, because, by default, the interactive traffic is automatically run at high priority (which means, for example, it is not necessary to specify ports for VoIP traffic or SSH). Even the traffic type PING is guaranteed high priority.
Note
Be sure to specify an accurate estimate of the bandwidth on network interfaces.
Firewall objects are representations of network components and are useful to simplify the creation of rules.
There are 6 types of objects, 5 of them represent sources and destinations:
Host: representing local and remote computers. Example: web_server, pc_boss
Groups of hosts: representing homogeneous groups of computers. Hosts in a host group should always be reachable using the same interface. Example: servers, pc_segreteria
CIDR Networks: You can express a CIDR network in order to simplify firewall rules.
Example 1 : last 14 IP address of the network are assigned to servers (192.168.0.240/28).
Example 2 : you have multiple green interfaces but you want to create firewall rules only for one green (192.168.2.0/24).
Note
By default, all hosts belonging to a zone are not allowed to do any type of traffic. It’s necessary to create all the rules on the firewall in order to obtain the desired behavior.
The last type of object is used to specify the type of traffic:
When creating rules, you can use the records defined in DNS and DHCP and PXE server like host objects. In addition, each network interface with an associated role is automatically listed among the available zones.
When the system is acting as DHCP server, the firewall can use the list of DHCP reservations to strictly check all traffic generated from hosts inside local networks. When IP/MAC binding is enabled, the administrator will choose what policy will be applied to hosts without a DHCP reservation. The common use is to allow traffic only from known hosts and block all other traffic. In this case, hosts without a reservation will not be able to access the firewall nor the external network.
To enable traffic only from well-known hosts, follow these steps:
Note
Remember to create at least one DHCP reservation before enabling the IP/MAC binding mode, otherwise no hosts will be able to manage the server using the web interface or SSH.