Tip: You can configure a Smoothwall access rule that prevents access to the Smoothwall Filter and Firewall administration user interface for all IP addresses and interfaces. To regain access, see Regaining Access to the Administration UI After Creating an Access Rule to Block Traffic.
Prerequisite
Choose a section or add a new section; see Adding sections.
Procedure
Note: Any address objects and object groups created here are also made available for use in future rules, or existing rule amendments.
- On the NETWORK menu, under the Firewall submenu, click Smoothwall access and either:
- Place your mouse cursor over the section that you want to add a rule for, click Add rule and either click Top of section or Bottom of section.
- Expand the section and place your mouse cursor over an existing rule within the section, click Add, and then either click Rule above or Rule Below.
- In the Add Smoothwall access rule dialog box, enter a meaningful Name for the rule.
- If logging is turned on for this rule, the name is included in log entries. From the Smoothwall Firewall log viewer, you can click the rule name to return to this page.
- Select or search for the Source IP addresses for this rule and either click Include » or Exclude » to exclude IP addresses from this rule.
- If you can't find the address object or object group, click Create to add them directly to this rule.
- If an object was mistakenly added, click the - icon to remove the object.
- To apply this rule to all IP addresses, use Inbound interfaces instead. Typically, you use Exclude when including an IP address subnet that has one or two addresses where the rule doesn't apply. If no IP addresses are selected for this rule, Any is shown in the Smoothwall access rules table, meaning all IP addresses are processed.
- Select the Inbound interfaces that network traffic arrives at. Use this option instead of Source IP addresses to apply this rule to all traffic using these interfaces. If no interfaces are selected for this rule, Any is shown in the Smoothwall access rules table, meaning all interfaces are used for this rule.
- Add the Destination IP addresses that this rule forwards traffic to.
- To apply this rule to all IP addresses, use Outbound interfaces instead. Any address objects and object groups created here are also made available for use in future rules, or existing rule amendments. If no IP addresses are selected for this rule, Any is shown in the Smoothwall access rules table, meaning all IP addresses are processed.
- Select the Services for this rule.
- Leave blank to include all services. If you're creating an Accept rule, this setting is mandatory; at least one service must be selected. For Drop or Reject rules, you can optionally leave this blank to cover all services listed. If no services are selected for this rule, Any is shown under Services in the Smoothwall access rules table, meaning all services received are processed.
- To add the user Groups that network traffic originates from, select or search for the object and click Add ».
- Group members are identified by their IP address. A user doesn't need to be logged in to be considered a member of a group; traffic from those IP addresses is assumed to be from those group members. You can create rules for traffic that ORIGINATES from groups. Select those Groups to match against. You can't create rules that allow traffic TO user groups. If no groups are selected for this rule, Any is shown under Groups in the Smoothwall access rules table.
- From the Action list, select whether the network traffic is Accepted, silently Dropped, or Rejected with an ICMP destination-unreachable sent back to the originator.
- To log matching network connections, select the Log option.
- Enter a descriptive Comment for this rule and click Save changes.
WARNING: Selecting the Log option can generate a large amount of log data. We recommend that you only select this for "Drop" and "Reject" Smoothwall Firewall rules.
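The lockout described in the Tip and the Include/Exclude behaviour of Source IP addresses can be checked on paper before saving a rule list. The following is an added example, not Smoothwall code: it models a planned rule list and reports whether an administrator workstation would still reach the administration UI. Top-to-bottom first-match evaluation, the treatment of unmatched traffic, and all names, addresses and the `admin-ui` service label are assumptions.

```python
# Added example: model of a planned rule list, not Smoothwall's own code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                                     # "Accept", "Drop" or "Reject"
    include: list = field(default_factory=list)     # source CIDRs; empty = Any
    exclude: list = field(default_factory=list)     # sources the rule doesn't apply to
    interfaces: list = field(default_factory=list)  # inbound interfaces; empty = Any
    services: list = field(default_factory=list)    # empty = Any
    log: bool = False

def matches(rule, src, iface, service):
    ip = ip_address(src)
    if any(ip in ip_network(n) for n in rule.exclude):
        return False                                # excluded sources never match
    if rule.include and not any(ip in ip_network(n) for n in rule.include):
        return False
    if rule.interfaces and iface not in rule.interfaces:
        return False
    return not rule.services or service in rule.services

def first_match(rules, src, iface, service):
    # ASSUMPTION: rules are evaluated top to bottom and the first match decides.
    return next((r for r in rules if matches(r, src, iface, service)), None)

def locked_out(rules, src, iface, service):
    # ASSUMPTION: traffic that matches no rule is treated as not accepted.
    hit = first_match(rules, src, iface, service)
    return hit is None or hit.action != "Accept"

def lint(rules):
    out = []
    for r in rules:
        if r.action == "Accept" and not r.services:
            out.append(f"{r.name}: Accept rule has no service selected")
        if r.action == "Accept" and r.log:
            out.append(f"{r.name}: Log is recommended only for Drop and Reject rules")
    return out

# Constructed sample: addresses, interface and service names are placeholders.
ADMIN = ("10.0.5.20", "eth0", "admin-ui")
PLANNED = [
    Rule("Block office subnet", "Drop", include=["10.0.5.0/24"], exclude=["10.0.5.20/32"], log=True),
    Rule("Admin UI from IT", "Accept", include=["10.0.5.20/32"], services=["admin-ui"]),
    Rule("Drop the rest", "Drop", log=True),
]
```

Removing the Exclude entry from the first rule makes `locked_out(PLANNED, *ADMIN)` return `True`, which is the situation the Tip describes.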
Follow-up tasks
- Move the rule to the correct position in the list by clicking the section or rule and dragging it to the position that you want, and then click Save.
- To edit a rule, click the section arrow to expand the view and place your mouse cursor over the rule and click Edit. Make your amendments and then click Save changes.
- To delete a rule, place your cursor over the rule and click Delete.
WARNING: Deleting a rule that has a current established connection causes that connection to fail. We recommend that you delete rules when the Smoothwall Firewall is processing minimal traffic, such as overnight.