Firewall Management

Management of the firewall policies in the appliance is divided into two main areas: rules (or policies) that are “active” now, and rules (or policies) that will survive a reboot (also called persistent rules).

┌────────────────────────────────────────────────────────────────────────────┐
│           Firewall Management on node1 (Version 2.0.X build XXXX)          │
└────────────────────────────────────────────────────────────────────────────┘

┌─┬──────────────────────────────────────────────────────────────────────────┐
│1│Manage active firewall rules                                              │
│2│Add persistent firewall rules                                             │
│3│Remove persistent firewall rules                                          │
└─┴──────────────────────────────────────────────────────────────────────────┘

Manage active firewall rules

Use these submenus to manipulate the active firewall policy, i.e. the rules in effect now.

┌────────────────────────────────────────────────────────────────────────────┐
│              Active Rules on node1 (Version 2.0.X build XXXX)              │
└────────────────────────────────────────────────────────────────────────────┘

┌─┬──────────────────────────────────────────────────────────────────────────┐
│1│List all active firewall rules                                            │
│2│Remove an active firewall rule                                            │
└─┴──────────────────────────────────────────────────────────────────────────┘

Move the cursor or enter a it's corresponding number (Q to Quit)

Main> System Settings> Network> Firewall> Active>

List all active firewall rules

This will list all currently active firewall rules.

Firewall settings

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 443/tcp                    ALLOW IN    10.0.0.0/8
[ 2] 80/tcp                     ALLOW IN    10.0.0.0/8


Press any key to continue

Remove an active firewall rule

This option makes it possible to remove selected active firewall rules.

Firewall settings

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 443/tcp                    ALLOW IN    10.0.0.0/8
[ 2] 22/tcp                     ALLOW IN    10.0.0.0/8

Remove what line number? (Q to Quit) <1>:
Are your sure? (<Y>/n):
Deleting:
 allow from 10.0.0.0/8 to any port 443 proto tcp
Proceed with operation (y|n)? y
Rule deleted

Press any key to continue

Add persistent firewall rules

Use these submenus to add firewall policies that will be persistent (i.e. survive a reboot of the appliance).

┌────────────────────────────────────────────────────────────────────────────┐
│              Persistent Rules on node1 (Version 2.0.X build XXXX)          │
└────────────────────────────────────────────────────────────────────────────┘

┌─┬──────────────────────────────────────────────────────────────────────────┐
│1│Add Web firewall rules                                                    │
│2│Add SSH firewall rules                                                    │
│3│Add SNMP firewall rules                                                   │
│4│Add RADIUS firewall rules *)                                              │
│5│Add RADIUS HA firewall rules *)                                           │
└─┴──────────────────────────────────────────────────────────────────────────┘

Move the cursor or enter a it's corresponding number (Q to Quit)

Main> System Settings> Network> Firewall> Add>

*) RADIUS is only visible if the RADIUS module is installed

Add Web firewall rules

Input of new networks or IP addresses is loosely modeled after the way BSD tools take multiple input: a single dot (“.”) alone on a line marks the end of input.

Web access (port 80/TCP, 443/TCP) is currently permitted from

192.168.0.0/16

Allow WEB access to the StoredSafe appliance from up to 10 networks.
(Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

Press return to keep the suggested <DEFAULT> values. To end input at any time,
simply enter a single dot (.) and press return.

Network #0 (. to end input, Q to Quit) <192.168.0.0/16>: 10.0.0.0/8
Network #1 (. to end input, Q to Quit) <.>:

By default, the appliance redirects unencrypted requests on port 80
to port 443, however it is possible to turn off this redirection.

Allow access on port 80 (HTTP)? (y/<N>): y
Save the new configuration? (<Y>/n): y
Activate the new configuration? (<Y>/n): y

Rule added

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue
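The multi-network prompt above (defaults in angle brackets, return keeps the default, a lone dot ends input, Q quits, up to 10 networks in IPv4 or IPv6 CIDR notation) replayed in Python. This is an added illustration, not the appliance's own code; the function names and the exact error handling for an invalid network are assumptions, since the page does not show what the appliance prints for bad input.

```python
import ipaddress

END = "."           # a single dot alone on a line ends the input
MAX_NETWORKS = 10   # the Web, SSH and RADIUS prompts accept up to 10 networks

def collect_networks(answers, current=(), max_networks=MAX_NETWORKS):
    """Replay the appliance's "Network #n" prompts over a list of answers.

    answers : what the operator typed at each prompt; an empty string
              means "press return to keep the <DEFAULT> value".
    current : networks already configured, offered as <DEFAULT> values;
              once they are used up the default becomes "." (end of input).
    Returns the accepted ipaddress network objects, or None on Q (quit).
    """
    accepted = []
    for slot in range(max_networks):
        default = current[slot] if slot < len(current) else END
        answer = answers[slot].strip() if slot < len(answers) else ""
        if answer == "":
            answer = default
        if answer.upper() == "Q":
            return None            # Q to Quit: nothing is saved
        if answer == END:
            break
        try:
            # A bare host (151.217.22.34) becomes a /32 or /128; a prefix with
            # host bits set (192.168.1.1/24) is rejected, not silently widened.
            accepted.append(ipaddress.ip_network(answer))
        except ValueError as exc:   # assumed behaviour: reject and re-prompt
            raise ValueError(f"Network #{slot}: {answer!r} is not a valid CIDR network") from exc
    return accepted

def split_by_family(networks):
    """Return (v4, v6) lists of strings, mirroring the separate 'Rule added'
    and 'Rule added (v6)' messages the appliance prints per address family."""
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    return v4, v6

if __name__ == "__main__":
    # Constructed replay of the SSH example on this page.
    nets = collect_networks(["2001:db8:cafe::/48", "192.168.0.0/24", "151.217.22.34", "."])
    print(split_by_family(nets))
```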

Add SSH firewall rules

Input of new networks or IP addresses is loosely modeled after the way BSD tools take multiple input: a single dot (“.”) alone on a line marks the end of input.

No rules exists. SSH access is denied.

Allow SSH access (port 22/TCP) from up to 10 networks.
(Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

Network #0 (. to end input, Q to Quit) <none>: 2001:db8:cafe::/48
Network #1 (. to end input, Q to Quit) <none>: 192.168.0.0/24
Network #2 (. to end input, Q to Quit) <none>: 151.217.22.34
Network #3 (. to end input, Q to Quit) <none>: .

Save the new configuration? (<Y>/n):
Activate the new configuration? (<Y>/n):

Rule added (v6)
Rule added

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue

Add SNMP firewall rules

Input of new networks or IP addresses is loosely modeled after the way BSD tools take multiple input: a single dot (“.”) alone on a line marks the end of input.

No rules exists. SNMP access is denied.

Allow SNMP access (port 161/UDP) from up to 5 networks.
(Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

Network #0 (. to end input, Q to Quit) <none>: 192.168.0.0/24
Network #1 (. to end input, Q to Quit) <none>: 2001:db8:cafe::/48
Network #2 (. to end input, Q to Quit) <none>: .

Save the new configuration? (<Y>/n):
Activate the new configuration? (<Y>/n):

Rule added
Rule added (v6)

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue

Add RADIUS firewall rules

Input of new networks or IP addresses is loosely modeled after the way BSD tools take multiple input: a single dot (“.”) alone on a line marks the end of input.

No rules exists. RADIUS access is denied.

Allow RADIUS access (port 1812/UDP) from up to 10 networks.
(Use IPv4 or IPv6 with CIDR notation, 192.168.0.0/24 or 2001:db8:cafe::/48)

Press return to keep the suggested <DEFAULT> values. To end input at any time,
simply enter a single dot (.) and press return.

Network #0 (. to end input, Q to Quit) <none>: 192.168.0.0/24
Network #1 (. to end input, Q to Quit) <.>:

Save the new configuration? (<Y>/n): y
Activate the new configuration? (<Y>/n): y

Rule added

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue

Add RADIUS HA firewall rules

Input of new networks or IP addresses is loosely modeled after the way BSD tools take multiple input: a single dot (“.”) alone on a line marks the end of input.

No rules exists. RADIUS HA access is denied.

Allow RADIUS HA sync to mysql (port 3306/TCP) from HA pair
(Use IPv4 or IPv6 with CIDR notation, 192.168.1.1/32 or 2001:db8:cafe::1/128)

Press return to keep the suggested <DEFAULT> values. To end input at any time,
simply enter a single dot (.) and press return.

Host/Network #0 (. to end input, Q to Quit) <none>: 192.168.1.1/32
Host/Network #1 (. to end input, Q to Quit) <.>: 2001:db8:cafe::1/128
Host/Network #2 (. to end input, Q to Quit) <.>:

Save the new configuration? (<Y>/n):
Activate the new configuration? (<Y>/n):

Rule added
Rule added (v6)

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue

Remove persistent firewall rules

Use these submenus to permanently remove persistent firewall policies.

┌────────────────────────────────────────────────────────────────────────────┐
│              Persistent Rules on node1 (Version 2.0.X build XXXX)          │
└────────────────────────────────────────────────────────────────────────────┘

┌─┬──────────────────────────────────────────────────────────────────────────┐
│1│Remove all Web firewall rules                                             │
│2│Remove all SSH firewall rules                                             │
│3│Remove all SNMP firewall rules                                            │
│4│Remove all RADIUS firewall rules *)                                       │
│5│Remove all RADIUS HA firewall rules *)                                    │
└─┴──────────────────────────────────────────────────────────────────────────┘

Move the cursor or enter a it's corresponding number (Q to Quit)

Main> System Settings> Network> Firewall> Remove>

*) RADIUS is only visible if the RADIUS module is installed

Remove all Web firewall rules

Web access (port 80/TCP, 443/TCP) is currently permitted from

192.168.0.0/16

Remove all Web firewall rules? (<Y>/n): y

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue

Remove all SSH firewall rules

SSH access (port 22/TCP) is currently permitted from

192.168.0.0/16

Remove all SSH firewall rules? (<Y>/n): y

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue

Remove all SNMP firewall rules

SNMP access (port 161/UDP) is currently permitted from

192.168.0.0/16

Remove all SNMP firewall rules? (<Y>/n): y

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue

Remove all RADIUS firewall rules

RADIUS access (port 1812/UDP) is currently permitted from

192.168.0.0/16

Remove all RADIUS firewall rules? (<Y>/n): y

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue

Remove all RADIUS HA firewall rules

RADIUS HA access (port 3306/TCP) is currently permitted from

192.168.0.0/16

Remove all RADIUS HA firewall rules? (<Y>/n): y

Old rules will not be removed until next reboot of the appliance,
unless they are manually removed thru "Remove active firewall rules"

Press any key to continue
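Every Add and Remove submenu above ends with the same caveat: old active rules stay in force until the next reboot unless removed by hand, and a saved rule that was not activated does nothing until then. The following added Python audit (not part of the appliance) parses the "Firewall settings" listing shown under "List all active firewall rules" and compares it with the persistent per-service networks, flagging rules that are active but no longer persistent (stale until reboot) and rules that are persistent but not yet active. The service-to-port map is taken from the prompts on this page; the listing and persistent configuration are constructed sample data.

```python
import re

# Ports per submenu, as stated in the prompts above (HTTP only when enabled).
SERVICE_PORTS = {
    "web": ["443/tcp"], "web-http": ["80/tcp"], "ssh": ["22/tcp"],
    "snmp": ["161/udp"], "radius": ["1812/udp"], "radius-ha": ["3306/tcp"],
}

# One row of the listing, e.g. "[ 1] 443/tcp    ALLOW IN    10.0.0.0/8"
RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)\s+(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(\S+)")

def parse_active(listing):
    """Return {(to, from_net): line_number} for every ALLOW IN row."""
    active = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(3) == "ALLOW" and m.group(4) == "IN":
            active[(m.group(2), m.group(5))] = int(m.group(1))
    return active

def expected_from_persistent(persistent):
    """persistent: {service: [network, ...]} as saved by the Add submenus."""
    return {(port, net) for svc, nets in persistent.items()
            for port in SERVICE_PORTS[svc] for net in nets}

def audit(listing, persistent):
    """stale  : active rules with no persistent backing; gone at next reboot
                unless removed now via "Remove an active firewall rule".
       missing: persistent rules not active, e.g. saved but not activated."""
    active = parse_active(listing)
    expected = expected_from_persistent(persistent)
    stale = {rule: active[rule] for rule in active if rule not in expected}
    missing = sorted(expected - set(active))
    return stale, missing

# Constructed sample: Web was changed from 192.168.0.0/16 to 10.0.0.0/8 without
# removing the old active rule, and SNMP was saved but not activated.
LISTING = """Firewall settings

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 443/tcp                    ALLOW IN    192.168.0.0/16
[ 2] 443/tcp                    ALLOW IN    10.0.0.0/8
[ 3] 22/tcp                     ALLOW IN    10.0.0.0/8
"""
PERSISTENT = {"web": ["10.0.0.0/8"], "ssh": ["10.0.0.0/8"], "snmp": ["192.168.0.0/24"]}

if __name__ == "__main__":
    print(audit(LISTING, PERSISTENT))
```

The stale entry carries the listing's line number, which is exactly what "Remove an active firewall rule" asks for.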