6.5.4. Procedure – Creating firewall rules

Purpose: 

Firewall rules allow a specific type of traffic to pass the firewall. To create a new firewall rule, complete the following steps.

Steps: 

  1. Log in to ZMS and select <Host> > Zorp > Firewall Rules > New. A new window opens.

    Figure 6.44. Creating firewall rules

  2. Select the Conditions tab.

    Figure 6.45. Setting connection parameters

  3. Select the Transport protocol used in the connection. This is the protocol used in the transport layer (Layer 4) of the OSI model. The following protocols are supported: TCP, UDP, ICMP, IGMP, DCCP, GRE, ESP, AH, SCTP, and UDP-Lite.

    • To permit both TCP and UDP traffic, select TCP or UDP.

    • To permit any Layer 4 protocol, select Any.

    • For ICMP traffic, you can specify the permitted type and subtype (code) as well.

  4. Select the sources.

    Zorp can limit the traffic that can pass the firewall to traffic that comes from selected source networks only. To permit traffic only from specific networks, select Sources > Add > <Type-of-network>. You can select zones, IPv4 or IPv6 subnets, interfaces, interface groups, and ports. Always use the most specific source suitable for your rule.

    Note

    To specify multiple ports, separate the ports with a comma, for example: 80,443

    To specify a port range, use a colon, for example: 2000:2100

    To specify multiple port ranges, separate the port ranges with commas, for example: 2000:2100,2200:2400.

  5. Select the destinations.

    Zorp can limit the traffic that can pass the firewall to traffic that targets selected destination addresses only. To permit traffic only to specific networks, select Destinations > Add > <Type-of-network>. You can select zones, IPv4 or IPv6 subnets, interfaces, interface groups, and ports. Always use the most specific destination suitable for your rule.

    Note

    For rules that start nontransparent services, set the destination address and the port to an address of the firewall host.

    Note

    To specify multiple ports, separate the ports with a comma, for example: 80,443

    To specify a port range, use a colon, for example: 2000:2100

    To specify multiple port ranges, separate the port ranges with commas, for example: 2000:2100,2200:2400.

    Note

    From Zorp version 3 F5 on, it is not mandatory to set the sources and destinations. Sources and destinations act as a filter: they limit access to the clients or servers listed in the sources and destinations. A firewall rule without sources and destinations simply forwards traffic between any client and any destination.

  6. Select the service to use.

    Select Service > Service and select the service to start for connections matching the rule. The service determines the type of traffic that this rule permits (for example, HTTP, FTP, and so on) and also the level at which the traffic is inspected (application or packet filter level).

    Figure 6.46. Selecting the service

    Note

    Proxy services can be used only if the Condition > Transport protocol option is set to TCP, UDP, or TCP or UDP.

    Warning

    The settings and parameters of the service shown on the Service tab of the rule are for reference only. Do not modify them, because it might interfere with other rules using the same service. To modify the parameters of a service, or to create a new service, use the Services tab of the Zorp ZMC component.

  7. Select the instance the service should run in.

  8. Optional Step: By default, new rules become active when the configuration is applied. To create a rule without activating it, deselect the Active option of the rule.

  9. Optional Step: To limit the number of connections that can be started by the rule, configure rate limits for the connections. For details, see Procedure 6.5.7, Connection rate limiting.

  10. Click OK, then commit your changes.

    Expected result: 

    A new firewall rule is created and added to the list of firewall rules. If the rule is active, the traffic specified in the rule can pass the firewall.
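The port notation used in the Sources and Destinations notes of steps 4 and 5 (80,443; 2000:2100; 2000:2100,2200:2400) is easy to get wrong when rules are reviewed outside ZMS. The following parser and matcher is an added example written for this page, not Zorp's own code; it assumes that valid ports are 1 to 65535 and that a malformed entry should be rejected rather than silently widened.

```python
# Added example (not Zorp's own code): parse the Zorp-style port notation
# from the Sources/Destinations notes and check whether a port matches.
# Assumption: valid ports are 1..65535; anything else is rejected.

def parse_ports(spec):
    """Return a sorted list of (low, high) tuples for a port specification.

    Accepts single ports ("80"), ranges ("2000:2100") and comma-separated
    lists of either ("80,443" or "2000:2100,2200:2400").
    Raises ValueError on malformed or out-of-range entries.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        if ":" in item:
            low_s, high_s = item.split(":", 1)   # "low:high" range
        else:
            low_s = high_s = item                 # single port
        if not (low_s.isdigit() and high_s.isdigit()):
            raise ValueError("non-numeric port in %r" % item)
        low, high = int(low_s), int(high_s)
        if not (1 <= low <= high <= 65535):
            raise ValueError("invalid port range %r" % item)
        ranges.append((low, high))
    return sorted(ranges)


def port_matches(spec, port):
    """True if `port` falls inside any range of `spec`."""
    return any(low <= port <= high for low, high in parse_ports(spec))


def widest_range(spec):
    """Size of the largest single range; useful for spotting over-broad rules."""
    return max(high - low + 1 for low, high in parse_ports(spec))


if __name__ == "__main__":
    for spec in ("80,443", "2000:2100", "2000:2100,2200:2400"):
        print(spec, "->", parse_ports(spec))
    # 2150 lies in the gap between the two ranges, so it does not match.
    print(port_matches("2000:2100,2200:2400", 2150))
```

A reviewer can run `widest_range` over an exported rule set to flag rules whose port ranges are far wider than the service they start needs.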