Firewall Management
~~~~~~~~~~~~~~~~~~~

Management of the firewall policies in the appliance is divided into two main areas: rules (or policies) that are active now, and rules (or policies) that will survive a reboot (also called persistent rules). The two sets are kept separately. Removing an active rule leaves the persistent configuration untouched, so the rule returns at the next reboot unless it is also removed there; saving a new persistent configuration does not retract rules that are already active, so those stay in effect until the next reboot or until they are removed under "Manage active firewall rules".

::

   ┌────────────────────────────────────────────────────────────────────────────┐
   │ Firewall Management on node1 (Version 2.0.X build XXXX)                    │
   └────────────────────────────────────────────────────────────────────────────┘
   ┌─┬──────────────────────────────────────────────────────────────────────────┐
   │1│Manage active firewall rules                                              │
   │2│Add persistent firewall rules                                             │
   │3│Remove persistent firewall rules                                          │
   └─┴──────────────────────────────────────────────────────────────────────────┘

#. :ref:`Manage active firewall rules`
#. :ref:`Add persistent firewall rules`
#. :ref:`Remove persistent firewall rules`

------------

.. _manage_active_firewall_rules:

Manage active firewall rules
############################

Use these submenus to manipulate the active firewall policy, i.e. the rules in effect now.

::

   ┌────────────────────────────────────────────────────────────────────────────┐
   │ Active Rules on node1 (Version 2.0.X build XXXX)                           │
   └────────────────────────────────────────────────────────────────────────────┘
   ┌─┬──────────────────────────────────────────────────────────────────────────┐
   │1│List all active firewall rules                                            │
   │2│Remove an active firewall rule                                            │
   └─┴──────────────────────────────────────────────────────────────────────────┘

   Move the cursor or enter its corresponding number (Q to Quit)
   Main> System Settings> Network> Firewall> Active>

List all active firewall rules
------------------------------

This will list all currently active firewall rules. The listing is numbered; the number is what "Remove an active firewall rule" asks for.

::

   Firewall settings
   Status: active

        To                         Action      From
        --                         ------      ----
   [ 1] 443/tcp                    ALLOW IN    10.0.0.0/8
   [ 2] 80/tcp                     ALLOW IN    10.0.0.0/8

   Press any key to continue

Remove an active firewall rule
------------------------------

This option removes a selected active firewall rule from the running policy. Only the running policy changes: a rule that is still part of the persistent configuration is active again after the next reboot, so use "Remove persistent firewall rules" to drop it permanently.

::

   Firewall settings
   Status: active

        To                         Action      From
        --                         ------      ----
   [ 1] 443/tcp                    ALLOW IN    10.0.0.0/8
   [ 2] 22/tcp                     ALLOW IN    10.0.0.0/8

   Remove what line number? (Q to Quit) <1>:
   Are you sure? (/n):
   Deleting:
    allow from 10.0.0.0/8 to any port 443 proto tcp
   Proceed with operation (y|n)? y
   Rule deleted

   Press any key to continue

------------

.. _add_persistent_firewall_rules:

Add persistent firewall rules
#############################

Use these submenus to add firewall policies that will be persistent, i.e. survive a reboot of the appliance. Each submenu replaces the persistent rule set for one service; "Activate" also applies the new rules to the running policy, but rules already active for that service are not removed.

::

   ┌────────────────────────────────────────────────────────────────────────────┐
   │ Persistent Rules on node1 (Version 2.0.X build XXXX)                       │
   └────────────────────────────────────────────────────────────────────────────┘
   ┌─┬──────────────────────────────────────────────────────────────────────────┐
   │1│Add Web firewall rules                                                    │
   │2│Add SSH firewall rules                                                    │
   │3│Add SNMP firewall rules                                                   │
   │4│Add RADIUS firewall rules *)                                              │
   │5│Add RADIUS HA firewall rules *)                                           │
   └─┴──────────────────────────────────────────────────────────────────────────┘

   Move the cursor or enter its corresponding number (Q to Quit)
   Main> System Settings> Network> Firewall> Add>

\*) RADIUS is only visible if the RADIUS module is installed

Add Web firewall rules
----------------------

Input of new networks or IP addresses is modeled on how BSD handles multi-line input: a single dot (".") alone on a line marks the end of input.

::

   Web access (port 80/TCP, 443/TCP) is currently permitted from 192.168.0.0/16

   Allow WEB access to the StoredSafe appliance from up to 10 networks.
   (Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

   Press return to keep the suggested values.
   To end input at any time, simply enter a single dot (.) and press return.

   Network #0 (. to end input, Q to Quit) <192.168.0.0/16>: 10.0.0.0/8
   Network #1 (. to end input, Q to Quit) <.>:

   By default, the appliance redirects unencrypted requests on port 80 to port 443,
   however it is possible to turn off this redirection.
   Allow access on port 80 (HTTP)? (y/): y

   Save the new configuration? (/n): y
   Activate the new configuration? (/n): y
   Rule added

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

In the example above the persistent configuration now permits web access from 10.0.0.0/8 only, but the running policy still permits 192.168.0.0/16 as well until the appliance reboots or those lines are removed under "Remove an active firewall rule". Verify with "List all active firewall rules" after activating.

Add SSH firewall rules
----------------------

Input of new networks or IP addresses is modeled on how BSD handles multi-line input: a single dot (".") alone on a line marks the end of input. A bare address (151.217.22.34 below) is accepted as well as a CIDR prefix.

::

   No rules exist. SSH access is denied.

   Allow SSH access (port 22/TCP) from up to 10 networks.
   (Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

   Network #0 (. to end input, Q to Quit) : 2001:db8:cafe::/48
   Network #1 (. to end input, Q to Quit) : 192.168.0.0/24
   Network #2 (. to end input, Q to Quit) : 151.217.22.34
   Network #3 (. to end input, Q to Quit) : .

   Save the new configuration? (/n):
   Activate the new configuration? (/n):
   Rule added (v6)
   Rule added

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

Add SNMP firewall rules
-----------------------

Input of new networks or IP addresses is modeled on how BSD handles multi-line input: a single dot (".") alone on a line marks the end of input.

::

   No rules exist. SNMP access is denied.

   Allow SNMP access (port 161/UDP) from up to 5 networks.
   (Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

   Network #0 (. to end input, Q to Quit) : 192.168.0.0/24
   Network #1 (. to end input, Q to Quit) : 2001:db8:cafe::/48
   Network #2 (. to end input, Q to Quit) : .

   Save the new configuration? (/n):
   Activate the new configuration? (/n):
   Rule added
   Rule added (v6)

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

Add RADIUS firewall rules
-------------------------

Input of new networks or IP addresses is modeled on how BSD handles multi-line input: a single dot (".") alone on a line marks the end of input.

::

   No rules exist. RADIUS access is denied.

   Allow RADIUS access (port 1812/UDP) from up to 10 networks.
   (Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

   Press return to keep the suggested values.
   To end input at any time, simply enter a single dot (.) and press return.

   Network #0 (. to end input, Q to Quit) : 192.168.0.0/24
   Network #1 (. to end input, Q to Quit) <.>:

   Save the new configuration? (/n): y
   Activate the new configuration? (/n): y
   Rule added

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

Add RADIUS HA firewall rules
----------------------------

Input of new networks or IP addresses is modeled on how BSD handles multi-line input: a single dot (".") alone on a line marks the end of input. This rule opens the database sync port to the other node of the HA pair, so enter single hosts (/32 or /128) rather than networks.

::

   No rules exist. RADIUS HA access is denied.

   Allow RADIUS HA sync to mysql (port 3306/TCP) from HA pair
   (Use IPv4 or IPv6 with CIDR notation, 192.168.1.1/32 or 2001:db8:cafe::1/128)

   Press return to keep the suggested values.
   To end input at any time, simply enter a single dot (.) and press return.

   Host/Network #0 (. to end input, Q to Quit) : 192.168.1.1/32
   Host/Network #1 (. to end input, Q to Quit) <.>: 2001:db8:cafe::1/128
   Host/Network #2 (. to end input, Q to Quit) <.>:

   Save the new configuration? (/n):
   Activate the new configuration? (/n):
   Rule added
   Rule added (v6)

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

------------

.. _remove_persistent_firewall_rules:

Remove persistent firewall rules
################################

Use these submenus to permanently remove persistent firewall policies. Removal takes effect in the persistent configuration only: the matching active rules keep permitting traffic until the appliance reboots or they are removed under "Manage active firewall rules".

::

   ┌────────────────────────────────────────────────────────────────────────────┐
   │ Persistent Rules on node1 (Version 2.0.X build XXXX)                       │
   └────────────────────────────────────────────────────────────────────────────┘
   ┌─┬──────────────────────────────────────────────────────────────────────────┐
   │1│Remove all Web firewall rules                                             │
   │2│Remove all SSH firewall rules                                             │
   │3│Remove all SNMP firewall rules                                            │
   │4│Remove all RADIUS firewall rules *)                                       │
   │5│Remove all RADIUS HA firewall rules *)                                    │
   └─┴──────────────────────────────────────────────────────────────────────────┘

   Move the cursor or enter its corresponding number (Q to Quit)
   Main> System Settings> Network> Firewall> Remove>

\*) RADIUS is only visible if the RADIUS module is installed

Remove all Web firewall rules
-----------------------------

::

   Web access (port 80/TCP, 443/TCP) is currently permitted from 192.168.0.0/16

   Remove all Web firewall rules? (/n): y

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

Remove all SSH firewall rules
-----------------------------

::

   SSH access (port 22/TCP) is currently permitted from 192.168.0.0/16

   Remove all SSH firewall rules? (/n): y

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

Remove all SNMP firewall rules
------------------------------

::

   SNMP access (port 161/UDP) is currently permitted from 192.168.0.0/16

   Remove all SNMP firewall rules? (/n): y

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

Remove all RADIUS firewall rules
--------------------------------

::

   RADIUS access (port 1812/UDP) is currently permitted from 192.168.0.0/16

   Remove all RADIUS firewall rules? (/n): y

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue

Remove all RADIUS HA firewall rules
-----------------------------------

::

   RADIUS HA access (port 3306/TCP) is currently permitted from 192.168.0.0/16

   Remove all RADIUS HA firewall rules? (/n): y

   Old rules will not be removed until next reboot of the appliance,
   unless they are manually removed thru "Remove active firewall rules"

   Press any key to continue
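The following Python program is an added example, not code from the appliance or from this page. It models the two rule sets the menus above manage, so that the "old rules will not be removed until next reboot" caveat printed on every Add and Remove screen can be checked rather than remembered. ``read_networks`` applies the input convention of the Add submenus (a single dot ends input, Q abandons it, IPv4 or IPv6 in CIDR notation, a bare address counts as one host, the per-service limit each prompt quotes); ``persistent_rules`` builds the rule set a Save writes for one service; ``parse_active_listing`` reads the numbered "To / Action / From" listing shown under Manage active firewall rules; ``stale_active_rules`` reports the active lines that the saved configuration no longer contains, highest line number first. The sample listing is constructed to represent the state right after the Add Web walkthrough (192.168.0.0/16 previously permitted, 10.0.0.0/8 added, saved and activated). Tolerating an optional ``(v6)`` marker in the listing, rejecting prefixes with host bits set, and dropping the port 80 rule when HTTP access is declined are this example's assumptions, not behaviour the page documents.

```python
"""Check the running firewall policy against the saved (persistent) one.

Added example for the appliance's two-tier firewall menus; not the
appliance's own code. Runs offline on constructed sample input.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Ports and per-service network limits as quoted by the Add prompts on this page.
SERVICE_PORTS = {
    "web": (("80", "tcp"), ("443", "tcp")),
    "ssh": (("22", "tcp"),),
    "snmp": (("161", "udp"),),
    "radius": (("1812", "udp"),),
    "radius_ha": (("3306", "tcp"),),
}
MAX_NETWORKS = {"web": 10, "ssh": 10, "snmp": 5, "radius": 10, "radius_ha": 10}


@dataclass(frozen=True, order=True)
class Rule:
    port: str
    proto: str
    src: str  # normalised CIDR text, e.g. "10.0.0.0/8" or "2001:db8:cafe::/48"


def read_networks(entries: Iterable[str], limit: int) -> Optional[List[ipaddress._BaseNetwork]]:
    """Apply the prompt convention to a sequence of typed answers.

    '.' ends input, 'q'/'Q' abandons it (returns None), a bare host becomes
    a /32 or /128. Malformed input raises ValueError; whether the appliance
    re-prompts or aborts is not stated on the page. Rejecting a prefix with
    host bits set (strict=True) is this example's choice, not documented.
    """
    nets: List[ipaddress._BaseNetwork] = []
    for raw in entries:
        text = raw.strip()
        if text == ".":
            break
        if text.lower() == "q":
            return None
        if len(nets) >= limit:
            raise ValueError(f"more than {limit} networks entered")
        nets.append(ipaddress.ip_network(text, strict=True))
    return nets


def persistent_rules(service: str, nets, allow_http: bool = True) -> Set[Rule]:
    """Rule set a Save writes for one service: one rule per port and network.

    Assumption: answering n to 'Allow access on port 80 (HTTP)?' leaves only 443.
    """
    ports = SERVICE_PORTS[service]
    if service == "web" and not allow_http:
        ports = tuple(p for p in ports if p[0] != "80")
    return {Rule(port, proto, str(net)) for port, proto in ports for net in nets}


# One row of the numbered listing: "[ 1] 443/tcp   ALLOW IN   10.0.0.0/8".
# The "(v6)" marker after the port is assumed, the page shows only IPv4 rows.
ACTIVE_ROW = re.compile(r"^\[\s*(\d+)\]\s+(\d+)/(tcp|udp)(?:\s+\(v6\))?\s+ALLOW IN\s+(\S+)")


def _norm(src: str) -> str:
    try:
        return str(ipaddress.ip_network(src, strict=False))
    except ValueError:
        return src  # a symbolic source the page never shows; kept as printed


def parse_active_listing(text: str) -> List[Tuple[int, Rule]]:
    """Parse 'List all active firewall rules' output into (line number, Rule)."""
    rows = []
    for line in text.splitlines():
        m = ACTIVE_ROW.match(line.strip())
        if m:
            num, port, proto, src = m.groups()
            rows.append((int(num), Rule(port, proto, _norm(src))))
    return rows


def stale_active_rules(active, persistent: Set[Rule], service: str) -> List[Tuple[int, Rule]]:
    """Active rules on this service's ports that the saved configuration lacks.

    Highest line number first: remove from the bottom up and re-list between
    removals, because a numbered list is renumbered after each deletion.
    """
    ports = set(SERVICE_PORTS[service])
    stale = [(n, r) for n, r in active if (r.port, r.proto) in ports and r not in persistent]
    return sorted(stale, reverse=True)


def inactive_persistent_rules(active, persistent: Set[Rule]) -> Set[Rule]:
    """Saved rules not in the running policy (e.g. 'Activate' answered n)."""
    return persistent - {r for _, r in active}


# Constructed listing in the page's format: state right after the Add Web
# walkthrough (web was permitted from 192.168.0.0/16, 10.0.0.0/8 was added,
# saved and activated; SSH from 10.0.0.0/8 as in the removal example).
ACTIVE_AFTER_ADD = """\
Firewall settings
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 443/tcp                    ALLOW IN    192.168.0.0/16
[ 2] 80/tcp                     ALLOW IN    192.168.0.0/16
[ 3] 22/tcp                     ALLOW IN    10.0.0.0/8
[ 4] 443/tcp                    ALLOW IN    10.0.0.0/8
[ 5] 80/tcp                     ALLOW IN    10.0.0.0/8
"""


def web_walkthrough():
    """The answers typed in the Add Web walkthrough, then the consistency check."""
    nets = read_networks(["10.0.0.0/8", "."], MAX_NETWORKS["web"])
    saved = persistent_rules("web", nets, allow_http=True)
    active = parse_active_listing(ACTIVE_AFTER_ADD)
    return saved, stale_active_rules(active, saved, "web"), inactive_persistent_rules(active, saved)


if __name__ == "__main__":
    saved, stale, missing = web_walkthrough()
    for n, r in stale:
        print(f"still active, remove line {n}: {r.port}/{r.proto} from {r.src}")
    print("saved but not active:", sorted(missing) or "none")
```

Run as a script it reports lines 2 and 1 (80/tcp and 443/tcp from 192.168.0.0/16) as still active, which is exactly what "Remove an active firewall rule" has to be used for after the walkthrough. Feed ``parse_active_listing`` the real listing and ``read_networks`` the networks you entered to repeat the check on an appliance; remove the reported lines highest number first, re-listing between removals rather than trusting the old numbers.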