YaST Firewall
About
The Firewall module is used to configure the firewall installed on your system. A firewall is a gateway that limits traffic between networks according to a local security policy, in order to protect the system from attacks arriving over the network. That local security policy is what you set up here.
Configuration
Start-Up
The Start-Up section defines how your firewall is started. You can have the firewall start automatically at boot (recommended) or start it manually; select the corresponding radio button.
This section also shows the current status, that is, whether the firewall is running. Here you can start the firewall, stop it, or save your settings and restart it. After changing your local security policy, it is recommended that you save your settings and restart the firewall so that the new rules actually take effect.
Interfaces
Interfaces lists the network devices attached to your computer. Every device that can carry a network connection, whether an Ethernet card or a Wi-Fi adapter, is shown here, together with an entry for custom interface strings. Assign each device to the appropriate zone; each zone represents a different security policy, and a device left unassigned is not covered by the policy you intend for it. To change the zone, highlight a device and click Change. To enter additional interface settings for a zone, click Custom.
Allowed Services
Allowed Services is where you add specific services to the allowed list of a zone, opening the port(s) on which that service listens so that other computers can reach it. For example, you may wish your computer to act as the DHCP server and assign IP addresses to client PCs. Unless this service is added to the Allowed Services list, the clients will be unable to reach the DHCP server and will not be assigned an address. Add only the services appropriate for your usage. Do not add services you are not currently using: every open port is an exposure, and an unused one negates the purpose of the firewall.
The allowed services are as follows:
- DHCP Client
- DHCP Server
- DNS Server
- HTTP Server
- HTTPS Server
- IMAP Server
- IMAPS Server
- IPP Client
- IPP Server
- IPsec
- LDAP Server
- LDAPS Server
- Mail Server
- NFS Client
- NFS Server
- NIS Client
- NIS Server
- NTP Server
- POP3 Server
- POP3S Server
- Remote Administration
- Remote Synchronization
- SLP Daemon
- SSH
- Samba Server
- TFTP Server
To add or remove a service, select it from the drop-down menu or highlight it in the allowed services list, and click Add or Remove as appropriate. To add a custom service that is not listed, click Advanced and enter the TCP ports, UDP ports, RPC ports, and IP protocols that the service uses.
By default the Internal Zone is trusted and traffic from it is not filtered. You may also protect your computer from the Internal Zone by selecting Protect Firewall from Internal Zone, so that the allowed-services policy applies to that zone as well. You may wish to do this if you need to configure appropriate levels of security for various internal networks, for example separating the internal zone used for servers from the internal zone used for clients.
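As an added example of the check behind "do not add services you are not using" (this is not from the YaST help page and not YaST's own code): assuming the firewall behind this module is SuSEfirewall2 and that its `/etc/sysconfig/SuSEfirewall2` variables `FW_SERVICES_EXT_TCP` and `FW_SERVICES_EXT_UDP` hold the External zone's allowed ports, the Python script below compares that list with the sockets actually listening on the host (the output of `ss -tulpn`). Both the configuration fragment and the socket listing are constructed samples.

```python
"""Audit the Allowed Services list against what is actually listening.

Added example, not part of the YaST help page or of YaST itself. It assumes
the firewall behind this module is SuSEfirewall2, whose configuration lives
in /etc/sysconfig/SuSEfirewall2 as shell-style variables, and that
FW_SERVICES_EXT_TCP / FW_SERVICES_EXT_UDP are what the Allowed Services
dialog writes for the External zone. The config fragment and the
`ss -tulpn` listing below are constructed sample input, not a real host.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample /etc/sysconfig/SuSEfirewall2 fragment (External zone only).
SAMPLE_CONFIG = '''
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
# "Allowed Services" for the External zone, as written by the YaST dialog:
FW_SERVICES_EXT_TCP="22 80 443 8000:8010"
FW_SERVICES_EXT_UDP="123"
'''

# Constructed sample `ss -tulpn` output (what actually listens on this host).
SAMPLE_SS = '''\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*     users:(("ntpd",pid=812,fd=16))
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*     users:(("chronyd",pid=820,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      128          0.0.0.0:3306       0.0.0.0:*     users:(("mysqld",pid=1001,fd=20))
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("httpd",pid=1100,fd=4))
tcp   LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=900,fd=4))
'''


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Parse KEY="value" lines; comment and blank lines are skipped."""
    variables: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)="?([^"]*)"?\s*$', line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def expand_ports(spec: str) -> Set[int]:
    """Expand a port list such as "22 80 8000:8010" into a set of port numbers."""
    ports: Set[int] = set()
    for token in spec.split():
        lo, _, hi = token.partition(":")
        hi = hi or lo
        ports.update(range(int(lo), int(hi) + 1))
    return ports


def parse_ss(text: str) -> Set[Tuple[str, int]]:
    """Return (proto, port) pairs for sockets bound to a non-loopback address."""
    listening: Set[Tuple[str, int]] = set()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")
        if addr in ("127.0.0.1", "[::1]"):
            continue  # loopback-only sockets are not reachable through the firewall
        listening.add((proto, int(port)))
    return listening


def audit(config_text: str, ss_text: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Compare the External zone's allowed ports with the listening sockets.

    exposed  : allowed and listening      (reachable from the External zone)
    blocked  : listening but not allowed  (service runs, firewall drops it)
    dangling : allowed but nothing listens (stale rule; remove it)
    """
    cfg = parse_sysconfig(config_text)
    allowed = {("tcp", p) for p in expand_ports(cfg.get("FW_SERVICES_EXT_TCP", ""))}
    allowed |= {("udp", p) for p in expand_ports(cfg.get("FW_SERVICES_EXT_UDP", ""))}
    listening = parse_ss(ss_text)
    return {
        "exposed": allowed & listening,
        "blocked": listening - allowed,
        "dangling": allowed - listening,
    }


if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_CONFIG, SAMPLE_SS).items():
        print(kind, sorted(entries))
```

The "dangling" set is the one the paragraph above warns about: port 443 and the range 8000:8010 are open although nothing listens there, and should be removed from Allowed Services until they are needed. "blocked" (here MySQL on 3306) is the intended behaviour of the firewall, and worth a second look only if the service is supposed to be reachable.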
Masquerading
Masquerading requires two interfaces: an external one and at least one other (internal or DMZ). Masquerading is the common name for source NAT (Network Address Translation): outbound traffic from the internal network leaves through the external interface with the firewall's own external IP address as its source, so the internal hosts share one public address and are not directly reachable from outside. The same dialog also lets you add redirects (port forwarding): traffic of a particular protocol that arrives on the external interface for a given IP address and port is forwarded to another IP address and port on the internal network, where the target port may differ from the incoming one. Masquerading may be used to add a layer of protection for internal computers, to provide network access where only a single public IP address is available, or to work around the address shortage of IPv4.
To enable masquerading, select the Masquerade Networks checkbox. To add a redirect, click Add and specify the source network, protocol, destination IP address and port, followed by the IP address and port to which the traffic is forwarded. To remove a redirect, highlight it and click Remove. Each redirect exposes an internal host to whatever source network you specify, so keep the source network as narrow as the use case allows.
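To make clear what the Masquerade Networks checkbox and a redirect entry actually do to packets, here is an added example (not from the YaST help page and not YaST's or the firewall script's own code) that turns the dialog's settings into the generic iptables rules they correspond to. It assumes the dialog writes the SuSEfirewall2 variables `FW_MASQUERADE`, `FW_MASQ_NETS` and `FW_FORWARD_MASQ`, and that each `FW_FORWARD_MASQ` entry has the form `<source net>,<target ip>,<protocol>,<port>[,<target port>[,<ip on external interface>]]`; the configuration values are constructed, and the emitted rules show the mechanism rather than the exact chain layout the firewall script generates.

```python
"""Translate the Masquerading dialog's settings into the iptables rules they imply.

Added example, not code from the YaST help page or from YaST/SuSEfirewall2.
Assumptions: the dialog writes FW_MASQUERADE, FW_MASQ_NETS and FW_FORWARD_MASQ
to /etc/sysconfig/SuSEfirewall2, and each FW_FORWARD_MASQ entry has the form
  <source net>,<target ip>,<protocol>,<port>[,<target port>[,<ip on ext. iface>]]
The commands emitted are the generic iptables equivalent of such an entry
(nat/PREROUTING DNAT plus a FORWARD accept), not the chain layout the firewall
script itself generates. The configuration below is constructed sample input.
"""
from typing import Dict, List, Optional

# Constructed sample: what the dialog might have written for a small gateway.
SAMPLE_CONFIG: Dict[str, str] = {
    "FW_DEV_EXT": "eth0",
    "FW_DEV_INT": "eth1",
    "FW_ROUTE": "yes",            # forwarding between zones must be enabled at all
    "FW_MASQUERADE": "yes",       # the "Masquerade Networks" checkbox
    "FW_MASQ_NETS": "192.168.1.0/24",
    # Two redirects: web traffic from anywhere to an internal host on port 8080,
    # and ssh from 10.0.0.0/8 only, and only when addressed to 203.0.113.5.
    "FW_FORWARD_MASQ": "0/0,192.168.1.10,tcp,80,8080 "
                       "10.0.0.0/8,192.168.1.20,tcp,22,22,203.0.113.5",
}


def parse_forward_entry(entry: str) -> Dict[str, Optional[str]]:
    """Split one comma-separated redirect into named fields, validating them."""
    parts: List[Optional[str]] = list(entry.split(","))
    if not 4 <= len(parts) <= 6:
        raise ValueError(f"redirect needs 4 to 6 fields: {entry!r}")
    parts += [None] * (6 - len(parts))
    src, target, proto, port, target_port, ext_ip = parts
    if proto not in ("tcp", "udp"):
        raise ValueError(f"redirects are port based; protocol must be tcp or udp: {entry!r}")
    if port is None or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in {entry!r}")
    return {
        "src": "0.0.0.0/0" if src in ("0/0", "0.0.0.0/0") else src,
        "target": target,
        "proto": proto,
        "port": port,
        "target_port": target_port or port,   # default: same port on the internal host
        "ext_ip": ext_ip,                     # None: any address on the external interface
    }


def masquerade_rules(cfg: Dict[str, str]) -> List[str]:
    """Source NAT for the networks in FW_MASQ_NETS, leaving via the external device."""
    if cfg.get("FW_MASQUERADE") != "yes":
        return []
    ext = cfg["FW_DEV_EXT"]
    return [f"iptables -t nat -A POSTROUTING -o {ext} -s {net} -j MASQUERADE"
            for net in cfg.get("FW_MASQ_NETS", "").split()]


def forward_rules(cfg: Dict[str, str]) -> List[str]:
    """DNAT plus a FORWARD accept for every redirect.

    DNAT alone is not enough: the filter table still has to let the rewritten
    packet through, and that accept is restricted to the same source network
    so the internal host is exposed no wider than the redirect itself.
    """
    if cfg.get("FW_ROUTE") != "yes":
        raise ValueError("FW_ROUTE must be yes, otherwise nothing is forwarded")
    ext = cfg["FW_DEV_EXT"]
    rules: List[str] = []
    for entry in cfg.get("FW_FORWARD_MASQ", "").split():
        r = parse_forward_entry(entry)
        dst = f" -d {r['ext_ip']}" if r["ext_ip"] else ""
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext} -s {r['src']}{dst} "
            f"-p {r['proto']} --dport {r['port']} "
            f"-j DNAT --to-destination {r['target']}:{r['target_port']}")
        rules.append(
            f"iptables -A FORWARD -i {ext} -s {r['src']} -d {r['target']} "
            f"-p {r['proto']} --dport {r['target_port']} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for rule in masquerade_rules(SAMPLE_CONFIG) + forward_rules(SAMPLE_CONFIG):
        print(rule)
```

The first redirect, with source network 0/0, makes the internal web server reachable from the entire Internet on port 80; the second shows the safer shape, limited to one source network and one address on the external interface. When reviewing a gateway, the generated DNAT lines are the quickest way to see exactly which internal hosts and ports the Masquerading dialog has opened.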
Broadcast
In this area you set the broadcast configuration for all three zones: Internal, Demilitarized, and External. A broadcast is a transmission addressed to every host on the local network rather than to a single IP address. Broadcasts serve various purposes; the most common is a computer's request for an IP address: the PC sends a broadcast asking any DHCP server to respond, and the server's reply is typically broadcast back onto the same network. On a larger network such DHCP traffic is constant and will show up in the log even though your own machine already has an address. Most of it is not malicious, so you may wish to uncheck Log Not Accepted Broadcast Packets for the zone concerned to keep the log readable. By default the box is checked for the Internal and Demilitarized zones, where such traffic is expected; on the External zone, dropped broadcasts are logged by default as well.
IPsec Support
IPsec (Internet Protocol Security) is a standard for securing communication at the network (packet) layer. It is used to implement virtual private networks (VPNs) and to give remote users access to a private network, for example over dial-up connections. Many VPN appliances in corporate networks rely on IPsec to protect employees' access to the network from home or elsewhere.
In this section, the Enabled checkbox must be selected for IPsec traffic to be allowed through the firewall. Click Details to choose how much trust to place in packets that arrive protected by IPsec: treat them as belonging to the Demilitarized Zone, to the External Zone, or to the same zone as the original source network. The less trust you grant, the more of your allowed-services policy still applies to the decrypted traffic.
Logging Level
In this section you choose the logging level separately for Accepted Packets and Not Accepted Packets. The options for each are Log All, Log Only Critical, and Do Not Log Any; by default only critical packets of either kind are logged. To change a level, select the desired value from the drop-down box for that packet type. Log All for accepted packets produces a very large volume of log entries on a busy host, so enable it only while you are actually investigating something.
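The Broadcast and Logging Level settings above both come down to one question: what is the firewall log actually full of? As an added example (not from the YaST help page and not code from YaST or the firewall script), the Python script below summarises dropped packets per zone, separates broadcast noise from other drops, and lists the most-hit closed ports, so that you can decide from evidence whether to uncheck broadcast logging for a zone or change a logging level. It relies only on the standard netfilter LOG fields (`IN=`, `SRC=`, `DST=`, `PROTO=`, `DPT=`) and assumes the log prefix contains the verdict as the word DROP or ACC; the `SFW2-...` prefix layout and all log lines are constructed sample input, and zones are derived from the `IN=` interface using the `FW_DEV_EXT`, `FW_DEV_INT` and `FW_DEV_DMZ` variables that the Interfaces dialog writes.

```python
"""Summarise firewall log lines to judge the Broadcast and Logging Level settings.

Added example; not part of the YaST help page or of SuSEfirewall2. It relies
only on the standard netfilter LOG fields (IN=, SRC=, DST=, PROTO=, DPT=) and
assumes the log prefix carries the verdict as the word DROP or ACC (the
SFW2-... prefix layout used below is an assumption). Zones are derived from
the IN= interface via the FW_DEV_EXT/INT/DMZ variables the Interfaces dialog
writes. Every log line and the config fragment are constructed sample input.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed interface-to-zone assignment, as written by the Interfaces dialog.
SAMPLE_CONFIG: Dict[str, str] = {"FW_DEV_EXT": "eth0", "FW_DEV_INT": "eth1", "FW_DEV_DMZ": ""}

# Constructed sample kernel log lines: two probes of 3306, one of 445, a DHCP
# discover and a NetBIOS name broadcast on the internal side, one accepted ssh.
SAMPLE_LOG = '''\
Jan 14 10:02:11 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 14 10:02:13 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 14 10:02:14 gw kernel: SFW2-INint-DROP-DEFLT IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 14 10:02:15 gw kernel: SFW2-INint-DROP-DEFLT IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 14 10:02:16 gw kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 10:02:17 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.33 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=60001 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
'''

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
LINE_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(\S+) (IN=.*)$")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=value fields of one netfilter log line plus its verdict, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    fields["VERDICT"] = "DROP" if "DROP" in prefix else "ACCEPT" if "ACC" in prefix else "UNKNOWN"
    return fields


def zone_of(iface: str, cfg: Dict[str, str]) -> str:
    """Map an interface name to its zone using the FW_DEV_* assignments."""
    for zone, key in (("ext", "FW_DEV_EXT"), ("int", "FW_DEV_INT"), ("dmz", "FW_DEV_DMZ")):
        if iface in cfg.get(key, "").split():
            return zone
    return "unassigned"


def is_broadcast(fields: Dict[str, str]) -> bool:
    """Heuristic: limited broadcast, a .255 directed broadcast, or DHCP traffic."""
    dst = fields.get("DST", "")
    if dst == "255.255.255.255" or dst.endswith(".255"):
        return True
    return fields.get("PROTO") == "UDP" and fields.get("DPT") in ("67", "68")


def summarize(log_text: str, cfg: Dict[str, str]) -> Dict[str, object]:
    """Count drops per zone, broadcast drops per zone, and the most-hit closed ports."""
    drops: Counter = Counter()
    bcast: Counter = Counter()
    ports: Counter = Counter()
    accepted = 0
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f:
            continue
        zone = zone_of(f.get("IN", ""), cfg)
        if f["VERDICT"] == "ACCEPT":
            accepted += 1
            continue
        drops[zone] += 1
        if is_broadcast(f):
            bcast[zone] += 1          # noise candidates for "Log Not Accepted Broadcast Packets"
        else:
            ports[f"{f.get('PROTO', '?').lower()}/{f.get('DPT', '?')}"] += 1
    return {
        "dropped_by_zone": dict(drops),
        "broadcast_drops_by_zone": dict(bcast),
        "top_dropped_ports": ports.most_common(5),
        "accepted": accepted,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

If broadcast drops dominate a zone's total, as they do for the internal zone in this sample, unchecking Log Not Accepted Broadcast Packets for that zone removes the noise without hiding anything; if instead the same closed port is probed repeatedly from the external zone, Log Only Critical is already showing you what matters and Log All would only bury it.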
Finishing Up
When you click Next, you are shown a summary of the Start-Up options, the zone options, which interfaces have been assigned, and which services are open. Click Accept if you approve of the summary and the changes you have made; otherwise use Back to make further changes. Once you have accepted your changes, it is recommended that you return to the Firewall module and go to Start-Up to save your settings and restart the firewall. Only once the firewall has been restarted and is running are the changes in effect.
See Also