This article applies to the Smoothwall Filter & Firewall On-Prem solution in either Hardware or VM form.
A Primer on Firewall Rules
The Smoothwall Firewall handles network traffic moving from internal networks to external, or across the internal interfaces of the Smoothwall. In deployments where a Smoothwall has more than one 'Basic' internal interface (including VLAN interfaces) or a combination of 'External' and 'Basic' interfaces, Firewall Rules can be used to control access between LAN segments or to external destinations.
NOTE: To permit external access to the local network (such as public access to an on-site web server) please see the Port Forwards menu at Network > Configuration > Port Forwards.
Address and Service Objects
Before setting up Firewall Rules it is worth noting two key components, Address Objects and Service Objects. These are named objects that contain IP addresses (single, subnet, or range) and port numbers (TCP/UDP or custom protocol) that can be used to construct Firewall Rules from easily recognisable components - in the case of Service Objects, they also serve to add required services that are not pre-configured on the Smoothwall.
Configuring Address Objects
- Log in to your Smoothwall Filter & Firewall Admin UI.
- Navigate to Network > Settings > Address Object Manager.
- In the top-right of the screen click 'Add new address object'.
- Name the new object and in the provided field enter the IP address, IP subnet, or range of IP addresses for the object.
NOTE: If you have previously created a number of Address Objects you would like to group under an 'umbrella' object, select the objects from the pre-populated field that appears when clicking into the 'Object Names' field, check the 'Save selected objects as group' option and give the new group a name.
- Save the new object.
Configuring Service Objects
- Log in to your Smoothwall Filter & Firewall Admin UI.
- Navigate to Network > Settings > Service Object Manager.
- In the top-right of the screen click 'Add new service object'.
- Name the new object and from the provided fields select the service type (TCP, UDP, TCP/UDP or Custom IP Protocol Number) and nominate the service number.
NOTE: If you have previously created a number of Service Objects you would like to group under an 'umbrella' object, select the objects from the 'Selected Services' list (click into the entry field first), check the 'Save selected objects as group' option and give the new group a name.
- Save the new object.
Understanding Rule Elements
Firewall Rules are made of a number of elements:
- Name: A name for the Firewall Rule.
- Source IPs: The IP address, subnet, IP range, or Address Object the Firewall is expecting communication from. A single Address Object can be made in the Firewall Rule Configuration dialogue for this element for convenience.
- Inbound Interfaces: The internal interfaces on which the communication from the Source IPs is expected.
- Destination IPs: The IP address, subnet, or IP range the communication from the Source IPs is bound for. A single Address Object can be made in the Firewall Rule Configuration dialogue for this element for convenience.
- Outbound Interfaces: The External or Internal interfaces the communication from the Source IPs may leave by.
- Services: The TCP and/or UDP ports, or Service Objects, that are used in the communication from the Source IPs. A single Service Object can be made in the Firewall Rule Configuration dialogue for this element for convenience.
- Apps: Layer 7 filtering objects for popular applications (Licenced feature).
- Groups: Authentication user-groups to apply a Firewall Rule to a specific user group.
- Action:
  - Accept: Allow the communication.
  - Drop: Drop the communication with no response to the Source IPs.
  - Reject: Drop the communication and return a notice to the Source IPs.
- Log: Log the communication and its outcome.
- Enable: Notes whether the Firewall Rule is in effect or turned off.
Creating the Firewall Rule
- Log in to your Smoothwall Filter & Firewall Admin UI.
- Navigate to Network > Firewall > Firewall Rules.
- Firewall rules are organised into sections, each headed by a dark-grey banner. Either create a new section with the 'Add section' tool in the top-right of the rule table or hover over an existing header and click 'Add rule' > 'Top of section'.
- The rule configuration utility will appear. Fill out the relevant details as per your requirements.
NOTE: Address and Service Objects can also be created on this page; however, bulk creation is best done in the dedicated UI locations.
- If you wish to check the functionality of the rule, enable logging on the rule and save.
- You may click and drag the new rule up and down the table to fit into the firewall ruleset as you require.
Testing the Rule
- Navigate to Reports > Realtime > Firewall.
- From the left-most drop-down select 'Rule' and from the drop-down to its immediate right select the rule you created by its name.
- Click 'Apply' to add this filter.
- Any traffic traversing the Firewall that this rule permits will be noted on the log viewer in real-time.
The real-time firewall log can be used to troubleshoot all manner of traffic issues across the Firewall or between interfaces (zone bridging) with the use of the available filters. Enabling logging on the default 'Drop' rule at the very bottom of the Firewall will show any connection attempts across any interfaces on any service that is not permitted via a specific rule.
NOTE: Web traffic handled by the Guardian web-filter is not visible in the Firewall logs, as that traffic is proxied directly out of the web-filter's configured SNAT address.
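As an added example (not Smoothwall's own code or configuration), the following Python models the rule elements listed under 'Understanding Rule Elements' and the log filtering used in 'Testing the Rule': Address and Service Objects with groups and ranges, top-down first-match evaluation with an Accept, Drop or Reject action, a logged default Drop at the bottom of the ruleset, and a filter of the resulting log by rule name. All object names, addresses and rules below are constructed for the illustration.

```python
import ipaddress
from collections import namedtuple
# Constructed Address and Service Objects (names and addresses invented for this example).
ADDRESS_OBJECTS = {
    "Staff-LAN": ["10.10.0.0/24"],
    "Servers": ["10.20.0.10", "10.20.0.11-10.20.0.20"],  # single address plus a range
    "Internal": ["Staff-LAN", "Servers"],                 # a group of Address Objects
}
SERVICE_OBJECTS = {
    "HTTPS": [("tcp", 443)],
    "DNS": [("tcp", 53), ("udp", 53)],
    "Web+DNS": ["HTTPS", "DNS"],                          # a group of Service Objects
}
# Action is "Accept", "Drop" or "Reject"; log and enabled mirror the Log and Enable elements.
Rule = namedtuple("Rule", "name src dst service action log enabled", defaults=(False, True))

def resolve_addr(name):
    """Expand an Address Object, group, range or literal CIDR into ip_network objects."""
    nets = []
    for item in ADDRESS_OBJECTS.get(name, [name]):
        if item in ADDRESS_OBJECTS:            # nested group member
            nets += resolve_addr(item)
        elif "-" in item:                      # "a.b.c.d-w.x.y.z" range -> covering networks
            lo, hi = (ipaddress.ip_address(x) for x in item.split("-"))
            nets += list(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def resolve_svc(name):
    """Expand a Service Object or group into (protocol, port) pairs."""
    return [p for item in SERVICE_OBJECTS[name]
            for p in (resolve_svc(item) if isinstance(item, str) else [item])]

def matches(rule, src_ip, dst_ip, proto, port):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (any(s in n for n in resolve_addr(rule.src))
            and any(d in n for n in resolve_addr(rule.dst))
            and (proto, port) in resolve_svc(rule.service))

def evaluate(rules, log, src_ip, dst_ip, proto, port):
    """Top-down first match among enabled rules; anything unmatched hits the logged default Drop."""
    for r in rules:
        if r.enabled and matches(r, src_ip, dst_ip, proto, port):
            if r.log:
                log.append((r.name, r.action, src_ip, dst_ip, proto, port))
            return r.action, r.name
    log.append(("Default Drop", "Drop", src_ip, dst_ip, proto, port))
    return "Drop", "Default Drop"

def log_for_rule(log, rule_name):
    """Equivalent of filtering the realtime Firewall report by 'Rule' name."""
    return [e for e in log if e[0] == rule_name]
```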