Smoothwall access rules control which internal and external traffic can reach the services running on the Smoothwall Appliance itself (for example the Admin UI, the DNS proxy or SSH) when it's acting as a Firewall. They differ from Firewall rules, which handle traffic passing through the Smoothwall Appliance to other hosts.
Best practice to follow
Although you can set rules to apply to Any (all) by leaving the Source IP addresses, Inbound Interfaces, Destination IP addresses, Services, or Groups fields blank, this makes your Smoothwall Appliance less secure. Only allow access for all when necessary; otherwise, ensure you select specific items for these fields.
To reduce the risk of network security breaches, you must accept traffic only for the Smoothwall services you use and limit access to only the Source IPs that need it.
Don’t remove rules that allow, or create rules that block, the Web-based admin services (ports 81 and 441), or you will lose access to the Smoothwall Appliance Admin UI. If you have already locked yourself out, you must add a Smoothwall access rule from the command line terminal.
Add a rule
Tip
- Use sections to organise your rules.
- When creating your rule, use the Search to narrow down your list of items to select for the Source IP addresses, Inbound Interfaces, Destination IP addresses, Services and Groups fields.
- Go to Network > Firewall > Smoothwall access.
- Add a new rule:
- Hover over a section, select Add rule and select either Top of section or Bottom of section.
- Hover over an existing rule, select Add and select Rule above or Rule below.
- Ensure the Enabled checkbox is selected.
- Enter a Name.
- For Source IP addresses:
- Select the checkbox next to one or more Address objects. Use the Include or Exclude buttons to select whether the rule applies to these IP addresses or applies to everything other than these IP addresses.
- Select the minus icon (-) next to an item to remove it from the list.
- Select Create to add a new Address object or Address object group.
- Use Inbound interfaces to apply this rule to all traffic coming from specific interfaces:
- Select the checkbox next to one or more interfaces, or select All internal interfaces or All external interfaces. Select Add.
- Select the minus icon (-) next to an item to remove it from the list.
- Use Destination IP addresses to apply this rule only to traffic addressed to specific interfaces of the Smoothwall Appliance:
- Select the checkbox next to one or more interfaces, then select Add.
- Select the minus icon (-) next to an item to remove it from the list.
- For Services:
Note
If you set the Action to Accept, you must select at least one Service.
- Select the checkbox next to one or more services, then select Add.
- Select the minus icon (-) next to an item to remove it from the list.
The available services, with the port each one opens on the Smoothwall Appliance:
- All ICMP types: Allows your Internet Control Message Protocol (ICMP) system to send error messages and ping requests. Important: you must also go to Network > Settings > Advanced and ensure the ICMP checkboxes are selected.
- Cloud Filter Bypass (6150): Prevents double filtering by both the Cloud and the On-Premise Appliance.
- DNS proxy (53): Manages traffic when your Smoothwall Appliance is your DNS server. It is also used by one of the options to block ECH (Encrypted Client Hello).
- FTP proxy (2121): Allows File Transfer Protocol (FTP) proxy traffic. Deprecated in Maiden.
- FTP proxy alternative (21): An alternative service to use with the FTP proxy. Deprecated in Maiden.
- Heartbeat admin on HTTPS (440): Monitors the Main Smoothwall Appliance when you set up and connect a Failover Smoothwall Appliance or VM.
- IDex cluster (2948, 2949 and 26257 in Maiden; 2948 in Leeds): Allows IDex authentication.
- Kerberos Login (814): Allows authentication with Kerberos Authentication Scripts.
- Other web access on HTTP (80): Gives web traffic on port 80 access to the Smoothwall Filter and Firewall.
- Other web access on HTTPS (442): Allows users to access the User Portal or SSL Login page.
- RADIUS accounting (1813): Allows BYO devices to use RADIUS Accounting.
- RADIUS authentication (1812): Allows BYO devices to use RADIUS Authentication.
- SIP (5060): Allows Session Initiation Protocol (SIP) traffic for VoIP networks. Deprecated in Maiden.
- SMTP (25): Allows network traffic to the email relay. Deprecated in Maiden.
- SNMP (161, 199): Allows your Simple Network Management Protocol (SNMP) service to monitor your network.
- SSH-based admin (222): Allows access to the Smoothwall Appliance via SSH.
- Web-based admin on HTTP (81): Allows users to sign in to the Smoothwall Appliance Admin UI over HTTP.
- Web-based admin on HTTPS (441): Allows users to sign in to the Smoothwall Appliance Admin UI over HTTPS.
- For Groups:
- Select the checkbox next to one or more User Groups (custom or built-in) from which the traffic comes, then select Add.
- Select the minus icon (-) next to a group to remove it from the list.
Important
To ensure group-specific rules are not ignored, go to Services > Authentication > Settings and select these checkboxes:
- For RADIUS authentication: Users identified by BYOD are subject to firewall rules that make use of groups.
- For IDex authentication: Apply Firewall Rules that use Groups to users identified by IDex.
- Using the Action dropdown, select what to do with the traffic:
- Accept.
- Silently Drop.
- Reject and send back an ICMP destination-unreachable message to the originator.
- (Optional) To log traffic to your Firewall logs, select the Log checkbox.
Important
Generating these logs can impact the performance of your Smoothwall Appliance.
- (Optional) Enter a Comment.
- Select Save changes.
Edit a rule
Note
You can only edit the Action dropdown and Log checkbox for the Default rule in the Catch-all section. You can’t change its position.
Smoothwall applies rules in order of priority, from top to bottom: the first rule that matches the traffic decides what happens to it, and the Default rule in the Catch-all section handles anything no other rule matched. To reorder rules:
- Select and drag a rule to a new position.
- Select Save.
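Because a reordered rule set is applied as soon as you save it, it is worth checking before saving that the top-to-bottom order still lets your admin host reach the Web-based admin and SSH-based admin services. The Python model below is an added example for this page, not Smoothwall's own code: it reproduces the evaluation order described above (first enabled match wins, empty fields mean Any, Exclude inverts the Source match, the Catch-all Default rule ends the list) with the port numbers from the service table. The management and guest subnets, the interface names and the rule names are constructed assumptions, and Destination IP addresses and Groups are left out for brevity.

```python
"""Model of Smoothwall-style access-rule evaluation (added example, not Smoothwall code).

Assumptions: rules are checked top to bottom and the first enabled rule whose
Source, Inbound interface and Service all match decides the action; an empty
field means Any; Exclude inverts the Source match; the Default rule in the
Catch-all section ends the list. Port numbers are those listed on this page.
Destination IP addresses and Groups are left out for brevity.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service name -> ports, taken from the page's service table.
SERVICES = {
    "Web-based admin on HTTPS": {441},
    "SSH-based admin": {222},
    "DNS proxy": {53},
    "Other web access on HTTPS": {442},
}
ADMIN_SERVICES = ("Web-based admin on HTTPS", "SSH-based admin")


@dataclass
class Rule:
    name: str
    action: str                     # "accept", "drop" or "reject"
    sources: tuple = ()             # CIDR strings; () means Any
    exclude_sources: bool = False   # True models the Exclude button
    interfaces: tuple = ()          # inbound interface names; () means Any
    services: tuple = ()            # service names; () means Any
    enabled: bool = True

    def __post_init__(self):
        # The page's constraint: an Accept rule must name at least one Service.
        if self.action == "accept" and not self.services:
            raise ValueError(f"{self.name}: Accept rules need at least one Service")

    def matches(self, src, iface, dport):
        if self.sources:
            hit = any(ip_address(src) in ip_network(c) for c in self.sources)
            if hit == self.exclude_sources:   # Exclude flips the sense of the match
                return False
        if self.interfaces and iface not in self.interfaces:
            return False
        if self.services and not any(dport in SERVICES[s] for s in self.services):
            return False
        return True


def evaluate(rules, src, iface, dport):
    """Return (rule name, action) for the first enabled rule that matches."""
    for rule in rules:
        if rule.enabled and rule.matches(src, iface, dport):
            return rule.name, rule.action
    raise RuntimeError("rule set has no Catch-all Default rule")


def lockout_risks(rules, admin_src, admin_iface):
    """Admin services the ordered rule set would not Accept from the admin host.

    Run this before saving a reordered rule set: a non-empty result means the
    Admin UI or SSH would be unreachable from admin_src.
    """
    risks = []
    for svc in ADMIN_SERVICES:
        for port in SERVICES[svc]:
            name, action = evaluate(rules, admin_src, admin_iface, port)
            if action != "accept":
                risks.append((svc, name))
    return risks


# Constructed rule set: subnets, interface names and rule names are assumptions.
ADMIN_NET = ("10.0.0.0/24",)
GUEST_NET = ("192.168.50.0/24",)
_admin = Rule("Admin from management subnet", "accept", sources=ADMIN_NET,
              interfaces=("LAN",), services=ADMIN_SERVICES)
_dns = Rule("DNS for internal clients", "accept",
            interfaces=("LAN", "WIFI"), services=("DNS proxy",))
_portal = Rule("User Portal except guest wifi", "accept", sources=GUEST_NET,
               exclude_sources=True, interfaces=("WIFI",),
               services=("Other web access on HTTPS",))
_lan_drop = Rule("Drop everything else from LAN", "drop", interfaces=("LAN",))
_default = Rule("Default", "drop")            # Catch-all section

GOOD = [_admin, _dns, _portal, _lan_drop, _default]
# The same rules after dragging the LAN drop rule to the top: it now shadows _admin.
BAD = [_lan_drop, _admin, _dns, _portal, _default]

if __name__ == "__main__":
    for label, rules in (("good order", GOOD), ("bad order", BAD)):
        print(label, "lockout risks:", lockout_risks(rules, "10.0.0.5", "LAN"))
```

In the good order the admin host reaches ports 441 and 222, guest wifi is excluded from the User Portal while other wifi clients reach it, and every other LAN host falls through to the LAN drop rule. Moving the LAN drop rule above the admin rule produces a non-empty lockout list for both admin services, which is exactly the situation the best-practice note warns about.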
To edit a rule:
- Hover over the rule.
- Select Edit.
- Update the fields as needed.
- Select Save changes.
Delete a rule
Important
- Deleting a section also deletes all rules within that section.
- You can’t delete the Default rule in the Catch-all section.
- Hover over the rule name.
- Select Delete.
- Select Delete again.