Use Firewall rules to allow, drop or reject traffic coming from or going to specific sources. Customers commonly create Firewall rules to allow specific services or applications access to the Internet while rejecting all other outbound traffic. The catch-all default rule at the bottom of the table rejects any traffic not explicitly allowed by the rules above.
You can use Firewall rules to create Access Control Lists (ACLs) to route traffic between networks. For example, you can isolate departmental networks while still allowing access to a printer on one of them. You can allow traffic to flow from one network to another, or in both directions between the two.
Other similar features in the Smoothwall On-Premise Appliance Firewall:
- To permit external access to the local network (such as public access to an on-site web server), use Port forwards rules.
- To control access to services running on the Smoothwall Appliance, use Smoothwall access rules.
Add a Firewall rule
Tip
- Use sections to organise your rules.
- When building a rule, for Source IP addresses, Inbound Interfaces, Destination IP addresses, Outbound interfaces, Services and Groups:
  - Use Search to narrow your list of items.
  - Leave the fields blank to set the rule to apply to Any (all).
To add a Firewall rule:
- Go to Network > Firewall > Firewall rules.
- Add a new rule:
  - Hover over a section, select Add rule and select either Top of section or Bottom of section.
  - Hover over an existing rule, select Add and select Rule above or Rule below.
- Ensure the Enabled checkbox is selected.
- Enter a Name.
- Use Source IP addresses to manage traffic coming from specific IP addresses, subnets or IP ranges:
  - Select the checkbox next to one or more Address objects. Use Include or Exclude to apply the rule to these IP addresses, or apply it to everything other than these IP addresses.
  - Select the minus icon (-) next to an item to remove it from the list.
  - Select Create to add a new Address object or Address object group.
- Use Inbound interfaces to manage traffic coming from specific interfaces. For example, your external interface for traffic coming from the Internet:
  - Select the checkbox next to one or more interfaces, or select All internal interfaces or All external interfaces. Select Add.
  - Select the minus icon (-) next to an item to remove it from the list.
- Use Destination IP addresses to manage traffic destined for specific IP addresses:
  - Select the checkbox next to one or more Address objects. Use Include or Exclude to apply the rule to these IP addresses, or apply it to everything other than these IP addresses.
  - Select the minus icon (-) next to an item to remove it from the list.
  - Select Create to add a new Address object or Address object group.
- Use Outbound interfaces to manage traffic from the source IP addresses leaving the Smoothwall Appliance from specific interfaces:
  - Select the checkbox next to one or more interfaces, or select All internal interfaces or All external interfaces. Select Add.
  - Select the minus icon (-) next to an item to remove it from the list.
- Use Services to manage traffic on specific TCP and/or UDP ports:
  - Select the checkbox next to one or more Service objects, then select Add.
  - Select the minus icon (-) next to an item to remove it from the list.
  - Select Create to add a new Service object or Service object group.
- Use Applications (Apps) to apply Deep Packet Inspection (DPI) filtering.
- Use Groups to target traffic coming from users in specific custom or built-in User Groups:
  - Select the checkbox next to one or more User Groups (custom or built-in) from which the traffic comes, then select Add.
  - Select the minus icon (-) next to a group to remove it from the list.
Important
For group-specific rules to apply, select these checkboxes on the Services > Authentication > Settings page:
- For RADIUS authentication: Users identified by BYOD are subject to firewall rules that make use of groups.
- For IDex authentication: Apply Firewall Rules that use Groups to users identified by IDex.
- Using the Action dropdown, select what to do with the traffic:
  - Accept.
  - Silently Drop the traffic with no response to the source.
  - Reject the traffic and send back an ICMP destination-unreachable message to the source.
- To log traffic to your Firewall logs, select the Log checkbox.
Important
Generating these logs can impact the performance of your Smoothwall Appliance.
- (Optional) Enter a Comment.
- Select Save changes.
Edit a Firewall rule
Note
You can only edit the Action dropdown and Log checkbox for the Default rule in the Catch-all section. You can’t change its position.
Smoothwall applies rules in order of priority, from top to bottom. To reorder rules:
- Drag a rule to a new position.
- Select Save.
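An added example, not Smoothwall code: a simplified Python model of top-to-bottom rule evaluation, applied to the department-and-printer scenario described earlier, that shows how dragging an exception below a broader rule stops it from ever matching. It assumes the first matching rule decides the action; the networks, ports, rule names and the helpers `evaluate` and `shadowed_rules` are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                 # "accept", "drop" or "reject"
    src: tuple = ()             # empty tuple = Any, as with a blank field
    dst: tuple = ()
    ports: tuple = ()           # destination ports; empty = Any service
    src_exclude: bool = False   # True models Exclude on the source list
    dst_exclude: bool = False

def _addr_match(addr, nets, exclude):
    if not nets:                # blank field applies to Any
        return True
    hit = any(ip_address(addr) in ip_network(n) for n in nets)
    return hit != exclude       # Exclude inverts the match

def evaluate(rules, src, dst, port, default="reject"):
    """Return (rule name, action) of the first rule matching the packet, top to bottom."""
    for r in rules:
        if (_addr_match(src, r.src, r.src_exclude)
                and _addr_match(dst, r.dst, r.dst_exclude)
                and (not r.ports or port in r.ports)):
            return r.name, r.action
    return "Default rule", default   # catch-all at the bottom of the table

# Constructed sample networks: two departments and a printer in the first one.
SALES, ENG, PRINTER = "10.1.0.0/24", "10.2.0.0/24", "10.1.0.50/32"

GOOD = [
    Rule("Eng to printer", "accept", src=(ENG,), dst=(PRINTER,), ports=(9100, 631)),
    Rule("Isolate Eng from Sales", "drop", src=(ENG,), dst=(SALES,)),
    Rule("Isolate Sales from Eng", "drop", src=(SALES,), dst=(ENG,)),
]
# Same rules with the printer exception dragged below the isolation rule.
SHADOWED = [GOOD[1], GOOD[0], GOOD[2]]

def shadowed_rules(rules, probes):
    """Names of rules that no probe packet ever reaches (candidates for reordering)."""
    hit = {evaluate(rules, *p)[0] for p in probes}
    return [r.name for r in rules if r.name not in hit]

# Constructed probe packets: (source IP, destination IP, destination port).
PROBES = [("10.2.0.7", "10.1.0.50", 9100), ("10.2.0.7", "10.1.0.20", 445),
          ("10.1.0.20", "10.2.0.7", 22)]

if __name__ == "__main__":
    for label, table in (("good", GOOD), ("shadowed", SHADOWED)):
        print(label, [evaluate(table, *p) for p in PROBES], shadowed_rules(table, PROBES))
```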
To edit a rule:
- Hover over the rule.
- Select Edit.
- Change any fields as needed.
- Select Save changes.
Delete a Firewall rule
Important
- Deleting a section also deletes all rules within that section.
- You can’t delete the Default rule in the Catch-all section.
- Hover over the rule name.
- Select Delete.
- Select Delete again.