Services

A service is defined as an IP protocol and, where it is applicable, sender and receiver ports (TCP, UDP) or types (ICMP).

Usually, a service consists of port numbers for the client and server sides and a protocol. The WWW service may look like this:

A connection is made from a client to a server where a standard protocol is used. The client machine uses an available port whose number is over 1023. The standard port for the service is used on the server. See appendix G, Lists of reserved ports, ICMP types and codes, and Internet protocols, for more details about the reserved/standard ports for different services. The WWW service usually uses port 80 on the server.

A large number of protocols can be used on IP. Common protocols are TCP, UDP and ICMP. Most services use the connection-oriented protocol, TCP. See appendix H, Definitions of terms, for more details on the common protocols and appendix G, Lists of reserved ports, ICMP types and codes, and Internet protocols, for a list of existing protocols. In appendix C, Common services, you can find examples of how to configure the firewall for many services.

UDP is usually used for mounting file systems over the network with NFS, name and IP address queries to a DNS server, or the SNMP network monitoring protocol.

ICMP is used to send error messages, for example, that the network or computer is not accessible, but is also used for other messages about the network. Remember that ICMP does not establish connections; it simply sends a short message in one direction. This is why you must turn on ICMP for the direction - from the inside out or from the outside in - in which you want to send ICMP messages.

When a connection is active, the server sends replies to the client. For this to work correctly, the firewall creates a shadow rule applying to the reply traffic. The shadow rule, which only allows reply traffic, can be either a fixed rule, which always exists and allows reply traffic from all server ports to all client ports of all client computers, or a dynamic rule, which is created when a connection is established, disappears on disconnection, and is constrained to the server and client ports used by the established connection.

Select Packet filter for fixed shadow rules and Dynamic session management for dynamic shadow rules. A special rule, called Dynamic FTP management, exists for handling FTP traffic. This rule will create dynamic shadow rules when an FTP connection is established. It will also automatically create shadow rules for the data traffic, monitoring the traffic and deciding whether to make a shadow rule for active or passive FTP. When using Dynamic FTP management, no rule for the FTP data traffic is needed.

When NAT is used, all shadow rules are dynamic.
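The difference between a fixed and a dynamic shadow rule, as an added illustration that is not part of the original documentation: a minimal simulation of both behaviours for the WWW service (client ports 1024-65535 to server port 80). The Packet type, the addresses and the assumption that a dynamic session is keyed on both endpoints' addresses and ports are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool  # True: inside -> outside (client to server)

# The WWW service as described above: any client port above 1023 to server port 80.
CLIENT_PORTS = range(1024, 65536)
SERVER_PORTS = {80}

def matches_service(p):
    """The configured rule: a client-to-server packet in the allowed direction."""
    return p.outbound and p.src_port in CLIENT_PORTS and p.dst_port in SERVER_PORTS

class PacketFilter:
    """Fixed shadow rule: replies from the service's server ports to any client
    port of any client computer are always allowed, whether or not a connection
    was ever opened from the inside."""
    def allow(self, p):
        if p.outbound:
            return matches_service(p)
        return p.src_port in SERVER_PORTS and p.dst_port in CLIENT_PORTS

class DynamicSessionManagement:
    """Dynamic shadow rule: created when the client opens a connection, constrained
    to that connection's endpoints (assumed: addresses and ports), and removed on
    disconnection. Unsolicited 'replies' never match."""
    def __init__(self):
        self.sessions = set()  # entries: (server_ip, server_port, client_ip, client_port)
    def allow(self, p):
        if p.outbound:
            if matches_service(p):
                self.sessions.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
                return True
            return False
        # Reply traffic passes only if it belongs to an established session.
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port) in self.sessions
    def disconnect(self, p):
        """Called with the client's original request when the connection ends."""
        self.sessions.discard((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
```

The fixed variant lets any packet from port 80 reach any client port, while the dynamic variant only opens the exact return path for the lifetime of the session.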

Services Configuration

Here, the services used on the Rules page are defined. The same services can also be used for QoS, if the firewall has that extension module. Most common services are predefined.

Name

Enter a name for the service. You can use this name when you change the rule configuration. The rows are sorted in alphabetical order, except that all upper case letters are sorted before lower case letters (B is sorted before a).

Subgroup

You can create a group of services, consisting of several services. This can be useful when you want groups of services to be treated the same by the firewall. You name the group under Name, and then use already defined services, or define new ones. If you want to use a defined service, select its name under Subgroup. The other fields in that row should be left empty.

When defining new services in a group, do exactly as when defining a single service (see the "all" service in the image).

Protocol

Protocol is the protocol that is used by the defined service. Protocols are defined on the Protocols page. See the section Internet protocols and their numbers in appendix G, Lists of reserved ports, ICMP types and codes, and Internet protocols, for more information on protocols.

When defining services based on TCP or UDP, the fields Client ports and Server ports should be filled in. When defining services based on ICMP the field ICMP type should be filled in. When defining services based on other protocols these fields should be left empty.

See appendix C, Common services, for more information on services and protocols.

Firewall type

Select Packet filter to get a fixed shadow rule and Dynamic session management to get a dynamic shadow rule. When NAT is used, all shadow rules are dynamic and this column will be ignored.

Some services require a special set of rules, which is handled by special firewall types. Dynamic FTP management creates dynamic FTP shadow rules for both control and data. Dynamic PPTP management creates shadow rules for the PPTP negotiation and the encrypted PPTP traffic, which uses the GRE protocol.

Client ports

Client ports are the ports that are used by the client computer. You can enter any number of ports or ranges of ports, or a combination of ports and port ranges. Separate the ports and ranges with commas. The value for a port must be a number between 0 and 65535 (inclusive). A range is written as number-number, with both ends between 0 and 65535. For client computers, the range is often 1024-65535. Client ports are used by TCP and UDP based services.

Server ports

Server ports are the ports to which the client computer can connect on the server computer. You can enter any number of ports or ranges of ports, or a combination of ports and port ranges. Separate the ports and ranges with commas. The value for a port must be a number between 0 and 65535 (inclusive). A range is written as number-number, with both ends between 0 and 65535. Server ports are used by TCP and UDP based services.

ICMP type

When defining services based on ICMP, enter the ICMP type here. It should be a number between 0 and 255 (inclusive). You can also enter a range of ICMP types. A range is written as number-number, with both ends between 0 and 255.
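A validator for the Client ports, Server ports and ICMP type fields, and for the Protocol rule above (TCP/UDP need both port fields, ICMP needs an ICMP type, other protocols leave all three empty), as an added example that is not the firewall's own code. The function names and the dict it returns are this example's own.

```python
import re

PORT_MAX = 65535       # ports are 0-65535 inclusive
ICMP_TYPE_MAX = 255    # ICMP types are 0-255 inclusive

def parse_ranges(field, maximum):
    """Parse comma-separated 'number' and 'number-number' items into a list of
    (low, high) pairs, enforcing 0 <= low <= high <= maximum."""
    ranges = []
    for item in field.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("malformed item %r in %r" % (item, field))
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if low > high or high > maximum:
            raise ValueError("item %r is reversed or outside 0-%d" % (item, maximum))
        ranges.append((low, high))
    return ranges

def in_ranges(value, ranges):
    """True if value falls inside any of the parsed (low, high) pairs."""
    return any(low <= value <= high for low, high in ranges)

def validate_service_row(protocol, client_ports="", server_ports="", icmp_type=""):
    """Check one Services row: which fields must be filled in depends on the
    protocol. Returns the parsed ranges or raises ValueError."""
    proto = protocol.upper()
    if proto in ("TCP", "UDP"):
        if not client_ports or not server_ports or icmp_type:
            raise ValueError("%s service needs client and server ports only" % proto)
        return {"client": parse_ranges(client_ports, PORT_MAX),
                "server": parse_ranges(server_ports, PORT_MAX)}
    if proto == "ICMP":
        if client_ports or server_ports or not icmp_type:
            raise ValueError("ICMP service needs an ICMP type only")
        return {"icmp_type": parse_ranges(icmp_type, ICMP_TYPE_MAX)}
    if client_ports or server_ports or icmp_type:
        raise ValueError("%s service must leave port and ICMP fields empty" % proto)
    return {}
```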

Delete row

If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows

Enter the number of new groups and rows you want to add to the table, and then click on Add new rows.

Save

Saves the Services configuration to the preliminary configuration.

Undo

Clears and resets all fields in new rows and resets changes in old rows.