Under Rules and Relays, you configure which traffic is allowed from one network to another; for example, from an internal network to the Internet. You must use NAT and relays to carry traffic to and from IP address ranges that are only valid locally (private addresses that cannot be routed on the Internet).
Remember that the order of the firewall rules is important. The firewall always uses the first rule that applies to a certain type of traffic.
All traffic that does not match any rule is either rejected (an ICMP error is returned to the sender) or discarded (silently dropped). Specify which of the two should happen under IP Policy on the Basic Configuration page.
Before you set the Rules and Relays, you must enter configuration for Networks and Computers, and maybe also for Time classes and Services. Under Networks and Computers, specify the network interface where a computer or network can be accessed. This configuration provides the guidelines for the rules you set.
If NAT is not used, a rule for UDP traffic applies to one direction only, so you must set up one rule for each direction. Unlike TCP, UDP is connectionless: every datagram is sent as a separate, small unit with no connection to associate it with, which makes UDP traffic harder to track.
Ingate Firewall has a number of relay types: FTP relay, TCP relay, TCP port forwarding, semi-transparent TCP port forwarding, UDP relay, UDP port forwarding, semi-transparent UDP port forwarding, DHCP relay, and address rewriting HTTP relay. See appendix A, IP Firewall in Ingate Firewall, for more information on how these relays work.
On the Rules page, you set all the rules for traffic between the different network interfaces. The rules are made by combining the information from other pages (see below). Make sure that you have done all the necessary configuration on the Networks and Computers, Time classes and Services pages before you set the rules. A rule regulates the traffic for a certain service from one network to another.
The order of the rules is important. The firewall uses the first rule that matches to decide how to handle received traffic.
If FTP or PPTP should be allowed through the firewall, the special rules for this (using services with Dynamic FTP or PPTP management) must be placed before any other, more general rule that allows TCP between the same networks. Otherwise the general rule matches first and the dynamic management never takes effect.
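The first-match behaviour described above (and the consequences of putting a general TCP rule ahead of a Dynamic FTP rule, or of having no matching rule at all) can be seen in a small rule-table simulator. This is an added illustration, not code from Ingate or part of the product; the network names, addresses and services are constructed, and the matching model (packet arrives on the Client network's interface from a Client address, is destined for a Server address, and carries the service's protocol and port) is a simplification assumed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Networks and Computers page:
# name -> (interface the network is reachable on, address range).
NETWORKS = {
    "inside-lan": ("eth0", ip_network("192.168.1.0/24")),
    "outside-any": ("eth1", ip_network("0.0.0.0/0")),
    "ftp-server": ("eth1", ip_network("203.0.113.10/32")),  # constructed address
}

# Constructed stand-in for the Services page: name -> (protocol, server port or None for any).
SERVICES = {
    "ftp-dynamic": ("tcp", 21),   # a service with Dynamic FTP management
    "tcp-any": ("tcp", None),     # a general "any TCP port" service
    "www": ("tcp", 80),
}

@dataclass
class Rule:
    number: int
    client: str
    server: str
    service: str
    action: str          # "allow", "reject" or "discard"
    active: bool = True  # stands in for the rule's Time class being active right now

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str        # interface the packet arrived on

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when the packet travels from the Client network (on its
    interface) to the Server network and carries the rule's service."""
    if not rule.active:                      # inactive rules are ignored
        return False
    c_if, c_net = NETWORKS[rule.client]
    _, s_net = NETWORKS[rule.server]
    proto, port = SERVICES[rule.service]
    return (pkt.in_iface == c_if
            and ip_address(pkt.src) in c_net
            and ip_address(pkt.dst) in s_net
            and pkt.proto == proto
            and (port is None or pkt.dport == port))

def evaluate(rules, pkt: Packet, ip_policy: str = "reject"):
    """First match wins: rules are tried in numerical order. Traffic matching no
    rule gets the IP Policy from the Basic Configuration page (reject or discard)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule
    return ip_policy, None

def demo_ftp_ordering():
    """Return the service of the rule that decides an FTP control packet, first
    with the general TCP rule above the FTP rule, then after renumbering."""
    general = Rule(1, "inside-lan", "outside-any", "tcp-any", "allow")
    ftp = Rule(2, "inside-lan", "ftp-server", "ftp-dynamic", "allow")
    pkt = Packet("192.168.1.20", "203.0.113.10", "tcp", 21, "eth0")
    _, hit_before = evaluate([general, ftp], pkt)   # general rule wins: no dynamic FTP
    general.number, ftp.number = 2, 1               # the renumbering Save performs
    _, hit_after = evaluate([general, ftp], pkt)    # FTP rule is now tried first
    return hit_before.service, hit_after.service

def demo_default_policy():
    """A packet that matches no active rule falls through to the IP Policy."""
    rules = [Rule(1, "inside-lan", "outside-any", "www", "allow", active=False)]
    pkt = Packet("192.168.1.20", "203.0.113.10", "tcp", 80, "eth0")
    return evaluate(rules, pkt, ip_policy="discard")[0], evaluate(rules, pkt)[0]

if __name__ == "__main__":
    print(demo_ftp_ordering())    # ('tcp-any', 'ftp-dynamic')
    print(demo_default_policy())  # ('discard', 'reject')
```

Because the table is consulted top to bottom, the order of the two rules is the only thing that changes in `demo_ftp_ordering`, yet it decides whether the FTP control connection is handled by the dynamic service at all. The second function shows that a rule whose Time class is inactive contributes nothing, so the packet is treated according to the IP Policy alone.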

This is a number that is used to identify each individual rule. Rules are sorted in numerical order. To move a rule to a certain row, enter the number on the row to which you want to move it. You need only renumber rules that you want to move; other rules are renumbered automatically. When you click on Save, the rules are re-sorted. The order of the rules is important. Rules are used in the order in which they are displayed in the table; rule number 1 is first.
Under Client, you can select one of the defined Networks and Computers. The rule regulates the traffic from Client to Server. If you want to define a connection with a VPN peer, you must use a Client network with the interface '-'.
By selecting an IPsec peer here, the rule is restricted to only matching encrypted packets from a computer using this peer. In addition to this, the packets must originate from an IP address in the range of the selected Client. If no IPsec peer is selected ('-'), this rule will match regardless of whether the packet arrives via an IPsec connection or not.
When an IPsec peer is selected, the Client network must use '-' as interface. This is defined on the Networks and Computers page.
Under Server, you can select one of the defined Networks and Computers. This regulates which computer(s) receive traffic under this rule. If you want to define a connection with an IPsec peer, you must use a Server network with the interface '-'.
If the Server should only be accessed via an IPsec connection, you enter the IPsec peer here. The Server must have an IP address within the range of the IPsec Tunnels of the selected IPsec peer. This is used when a client behind the firewall wants to access a network or a computer through an IPsec tunnel.
If the server receiving traffic is not behind an IPsec tunnel (from the firewall's point of view), you select '-' here.
The direction shows from which network interface to which network interface this rule regulates traffic, for example Outside -> Inside. If a rule regulates traffic to or from a network that is defined on several interfaces or on no interface, the text "Indeterminate interface" is shown instead.
The network service which should be let through/blocked with this rule. You configure services on the Services page. Examples of services are WWW and telnet.
Here, you determine the action that the firewall takes when a matching packet arrives. Allow lets all traffic of this type through the firewall. Reject blocks all traffic of this type and sends an ICMP error message back to the sender. Discard blocks all traffic of this type and sends no response at all.
For each rule you select a Time class, which regulates on which days and at what time of day the rule is active. Inactive rules are ignored when deciding what should be done with an arriving packet. You define the different time classes on the Time classes page.
Here, you set the Log class to be used for packets matching this rule. For traffic let through by a dynamic management rule (that is, a rule whose service has a Dynamic management firewall type), only the first packet of the connection and any rejected/discarded packets are logged.
Log classes are defined on the Log Classes page under Logging. See also chapter 13, Logging.
If you select this box, the row is deleted when you click on Add new rows or Save.
Enter the number of new rows you want to add to the table, and then click on Add new rows.
Saves the Rules configuration to the preliminary configuration. Rule numbers are changed if necessary so that the rules end up in the right order and each rule receives a unique number.
Clears and resets all fields in new rows and resets changes in old rows.