Zone Bridging

The zone bridging page is used to define permissible communication between pairs of network zones. By default, each network zone is isolated from all others. Zone bridges can be used to create one-way or bi-directional access between subnets, hosts and ports - enforcing the use of a specific network protocol if necessary.

Creating a zone bridging rule

The following configuration controls are used to create zone bridging rules:

  • Source interface - The interface that access is permitted from.
  • Destination interface - The interface that access is permitted to.
  • Bi-directional - If selected, the bridging rule is applied symmetrically: the two interfaces swap roles, so connections may be opened from the destination interface to the source interface as well as the other way round.
  • Protocol - The network protocol permitted by the bridging rule including All, UDP, TCP, UDP & TCP, ICMP, GRE, ESP or AH.
  • Source IP - The source IP, IP range or subnet range that access is permitted from. See the IP address definitions section of this help file for information regarding IP address entry.
  • Destination IP - The destination IP, IP range or subnet range that access is permitted to. See the IP address definitions section of this help file for information regarding IP address entry.
  • Destination port - The destination port that access is permitted to. If 'User defined' is selected and the User defined text-field is blank, all ports for the relevant protocol will be permitted.
  • User defined port or range - Enables a user defined destination port to be defined in numeric format. If this field is blank, all ports for the relevant protocol will be permitted.
  • Comment - A text-field used to assign a helpful message describing the bridging rule.
  • Enabled - Determines whether the bridging rule is currently active.

To create a zone bridging rule, enter appropriate configuration values into each of the configuration controls and click the Add button. The Enabled tick-box must be selected for the bridging rule to be enforced by the firewall.

Viewing existing zone bridging rules

Zone bridging rules are listed in the Current rules region in table format, with each of the configuration values displayed in appropriately named columns.

Removing a zone bridging rule

To remove one or more zone bridging rules, locate each rule within the Current rules list and select their adjacent Mark tick-box controls. Click the Remove button.

Editing a zone bridging rule

To edit a particular zone bridging rule, locate it within the Current rules list and select its adjacent Mark tick-box. Click the Edit button to populate the configuration controls in the Add a new rule region with the bridging rule's current configuration values. Alter the configuration values as necessary, and click the Add button.

Note - Failure to click the Add button will result in the loss of the zone bridging rule.

Bridging from a DMZ

Typically this would be used to allow a publicly accessible web server to connect to a network resource on an internal private network. For example, a web server running a webmail service from the DMZ may require mail retrieval from a mail server located in a protected network.

All zone bridging rules created from a DMZ should be carefully considered: each one is a path into a protected network that a compromised DMZ host inherits, so each decreases the security otherwise guaranteed by complete isolation of the internal networks. If zone bridging rules of this type are required, it is recommended that bridges are made to individual IP addresses, using a specific protocol and port combination. In addition, the destination port should ideally be a non-standard port for the particular service required. It is strongly recommended that zone bridging rules using the UDP protocol are not created from a DMZ.
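
As an added example (not SmoothWall's own rule generator), the following Python shows what a zone bridging rule amounts to at a Linux iptables packet filter, and checks a rule against the DMZ guidance above. It assumes eth2 is the DMZ interface and eth1 the protected internal network, that a single ESTABLISHED,RELATED rule admits reply traffic, and it constructs the webmail rule from the text as sample input; the bi-directional warning is this example's addition rather than a statement on the page.

```python
"""Illustrative rendering of a zone bridging rule as Linux iptables FORWARD
rules, plus a check against the DMZ guidance. Added example, not SmoothWall's
own rule generator; the interface roles (eth2 = DMZ, eth1 = internal) and the
sample rules are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Reply traffic for any bridged connection is admitted once, up front; the
# per-rule lines below therefore only need to match connection openers.
REPLY_RULE = "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"


@dataclass
class BridgeRule:
    src_if: str                      # interface access is permitted from
    dst_if: str                      # interface access is permitted to
    protocol: str = "all"            # all, tcp, udp, tcp+udp, icmp, gre, esp, ah
    src_ip: Optional[str] = None     # single IP, "a-b" range or subnet; None = any
    dst_ip: Optional[str] = None
    dst_port: Optional[str] = None   # "143" or "1000-2000"; None = all ports
    bidirectional: bool = False
    enabled: bool = True


def _addr_args(side: str, spec: Optional[str]) -> List[str]:
    """side is "src" or "dst". Single IPs and subnets (prefix or dotted mask) go
    straight into -s/-d; an inclusive range needs the iprange match."""
    if not spec:
        return []
    if "-" in spec:
        return ["-m", "iprange", f"--{side}-range", spec.replace(" ", "")]
    return [f"-{side[0]}", spec]


def _one_direction(r: BridgeRule, src_if: str, dst_if: str,
                   src_ip: Optional[str], dst_ip: Optional[str], proto: str) -> str:
    args = ["iptables", "-A", "FORWARD", "-i", src_if, "-o", dst_if]
    if proto != "all":
        args += ["-p", proto]
    args += _addr_args("src", src_ip) + _addr_args("dst", dst_ip)
    if r.dst_port and proto in ("tcp", "udp"):
        args += ["--dport", r.dst_port.replace("-", ":")]   # iptables writes ranges as lo:hi
    args += ["-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]
    return " ".join(args)


def render_bridge(r: BridgeRule) -> List[str]:
    """One FORWARD rule per direction and per protocol; a disabled rule renders nothing."""
    if not r.enabled:
        return []
    protos = ["tcp", "udp"] if r.protocol == "tcp+udp" else [r.protocol]
    out = []
    for p in protos:
        out.append(_one_direction(r, r.src_if, r.dst_if, r.src_ip, r.dst_ip, p))
        if r.bidirectional:
            # Mirror image: interfaces and address pairs swap roles; the
            # destination port still applies to whichever side is being opened to.
            out.append(_one_direction(r, r.dst_if, r.src_if, r.dst_ip, r.src_ip, p))
    return out


def dmz_warnings(r: BridgeRule, dmz_ifs=("eth2",)) -> List[str]:
    """Flag departures from the DMZ guidance: single hosts on both ends, a
    specific protocol and port, and no UDP. Bi-directional rules are also
    flagged because they widen the bridge beyond what a one-way service needs
    (this example's addition, not a statement on the page). The
    non-standard-port advice is a judgement call and is not checked here."""
    if not r.enabled or r.src_if not in dmz_ifs:
        return []
    w = []
    for label, spec in (("source", r.src_ip), ("destination", r.dst_ip)):
        if not spec or "/" in spec or "-" in spec:
            w.append(f"{label} is not a single IP address")
    if r.protocol == "all":
        w.append("no specific protocol")
    if "udp" in r.protocol:
        w.append("UDP bridged out of a DMZ")
    if r.protocol in ("tcp", "udp", "tcp+udp") and not r.dst_port:
        w.append("all ports permitted")
    if r.bidirectional:
        w.append("bi-directional bridge from a DMZ")
    return w


# Constructed sample: the webmail case from the text, DMZ host 10.0.1.5
# retrieving mail over IMAP from 192.168.10.20 on the internal network.
WEBMAIL = BridgeRule("eth2", "eth1", "tcp", "10.0.1.5", "192.168.10.20", "143")

if __name__ == "__main__":
    print(REPLY_RULE)
    for line in render_bridge(WEBMAIL):
        print(line)
    print("DMZ warnings:", dmz_warnings(WEBMAIL) or "none")
```

The tight webmail rule renders as a single FORWARD line and raises no warnings; a rule such as UDP from the whole DMZ subnet to anything, bi-directional, renders as two lines and collects five.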

IP address definitions

Single or multiple IP addresses can be specified in a number of different manners:

  • IP address - An identifier for a single network host, written as four dotted decimal octets, e.g. "192.168.10.1".
  • IP address range - Two IP addresses that define an inclusive range of consecutive IP addresses, e.g. "192.168.10.1-192.168.10.40".
  • IP subnet [dotted decimal] - An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. "192.168.10.0/255.255.255.0" defines a subnet range of IP addresses from "192.168.10.0" to "192.168.10.255".
  • IP subnet [network prefix] - An arbitrary IP address and network mask in network prefix notation, e.g. "192.168.10.0/24" defines a subnet range of IP addresses from "192.168.10.0" to "192.168.10.255".
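
The four notations above can all be normalised with the Python standard library. The parser below is an added example, not SmoothWall code: it accepts each form, masks host bits off a subnet given with an "arbitrary" address, rejects reversed ranges and non-contiguous masks, and reports how many hosts a field really covers, which is the check to make on a rule that was meant to name a single server.

```python
"""Parser for the four IPv4 notations accepted by the address fields on these
pages. Added example, not SmoothWall code; it uses only the standard library."""
import ipaddress
from typing import List

Net = ipaddress.IPv4Network


def parse_ip_spec(spec: str) -> List[Net]:
    """Normalise one address field into a list of IPv4 networks.

    "192.168.10.1"                -> [192.168.10.1/32]
    "192.168.10.1-192.168.10.40"  -> the minimal CIDR blocks covering the range
    "192.168.10.0/255.255.255.0"  -> [192.168.10.0/24]
    "192.168.10.0/24"             -> [192.168.10.0/24]

    A subnet given with host bits set ("192.168.10.7/24") is masked down to
    its network, matching the page's "arbitrary IP address and network mask".
    Reversed ranges and non-contiguous masks are rejected with ValueError.
    """
    spec = spec.strip()
    if "-" in spec:
        lo_s, hi_s = (s.strip() for s in spec.split("-", 1))
        lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        if hi < lo:
            raise ValueError(f"range end precedes range start: {spec}")
        return list(ipaddress.summarize_address_range(lo, hi))
    if "/" in spec:
        # IPv4Network accepts a prefix length or a dotted-decimal mask and
        # raises for masks such as 255.0.255.0.
        return [ipaddress.IPv4Network(spec, strict=False)]
    return [ipaddress.IPv4Network(f"{spec}/32")]


def matches(spec: str, addr: str) -> bool:
    """True if addr falls inside the addresses described by spec."""
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in parse_ip_spec(spec))


def address_count(spec: str) -> int:
    """How many hosts a field actually covers."""
    return sum(n.num_addresses for n in parse_ip_spec(spec))


if __name__ == "__main__":
    for s in ("192.168.10.1", "192.168.10.1-192.168.10.40",
              "192.168.10.0/255.255.255.0", "192.168.10.0/24"):
        blocks = [str(n) for n in parse_ip_spec(s)]
        print(f"{s:30} -> {blocks} ({address_count(s)} addresses)")
```

Converting a range into CIDR blocks is also the way to express it on a filter that lacks a range match: the forty-address range in the text becomes seven prefixes.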

Group Bridging

The group bridging page is used to define the network zones that are accessible to authenticated groups of users. By default, authenticated users may only access systems within their current network zone, or that are allowed by any zone bridging rules that are active. Group bridging rules allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone - enforcing the use of a specific network protocol if necessary.

Creating a group bridging rule

The following configuration controls are used to create group bridging rules:

  • Destination interface - The interface that access is permitted to.
  • Destination IP - The destination IP, IP range or subnet range that access is permitted to. See the IP address definitions section of this help file for information regarding IP address entry.
  • Protocol - The network protocol permitted by the bridging rule including All, UDP, TCP, UDP & TCP, ICMP, GRE, ESP or AH.
  • Destination port - The destination port or port range that access is permitted to. If 'User defined' is selected and the User defined text-field is blank, all ports for the relevant protocol will be permitted.
  • User defined - Enables a user defined destination port or range of ports to be defined in numeric format. If this field is blank, all ports for the relevant protocol will be permitted.
  • Comment - A text-field used to assign a helpful message describing the bridging rule.
  • Enabled - Determines whether the bridging rule is currently active.

To create a group bridging rule, first select the authentication group that the bridging rule should be applied to using the Groups drop-down menu. Click the Select button.

Next, enter appropriate configuration values into each of the configuration controls and click the Add button. The Enabled tick-box must be selected for the bridging rule to be active.

Viewing existing group bridging rules

To view existing group bridging rules, select an authentication group from the Groups drop-down menu and click the Select button. All bridging rules for the selected group are displayed in the Current rules region.

Removing group bridging rules

To remove one or more group bridging rules, select the authentication group that the rules have been applied to using the Groups drop-down menu and click the Select button. Locate each bridging rule to be removed in the Current rules region and select their adjacent Mark tick-box controls. Click the Remove button.

Editing a group bridging rule

To edit a particular group bridging rule, select the authentication group that the rule was applied to using the Groups drop-down menu and click the Select button. Locate the rule to be edited within the Current rules list and select its adjacent Mark tick-box. Click the Edit button to populate the configuration controls in the Add a new rule region with the bridging rule's current configuration values. Alter the configuration values as necessary, and click the Add button.

Note - Failure to click the Add button will result in the loss of the group bridging rule.

How group bridging interacts with the authentication system

Group bridging uses the Core authentication mechanism, meaning that users must be pre-authenticated before group bridging rules can be enforced by the firewall. Users may authenticate themselves using the authentication system's SSL Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page.

Authentication may also be provided by any other mechanism utilised elsewhere in the system. For more information regarding the authentication system, refer to the help pages contained on the Auth | settings configuration page.
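
The following Python is an added example (not SmoothWall code) of the decision the text describes: a packet is matched against the group bridging rules of whichever group the authenticated user at its source address belongs to, and an address with no live session belongs to no group, so no group rule can admit it. The sessions, groups, addresses and expiry times are constructed for illustration, and address ranges in the Destination IP field are left out for brevity.

```python
"""Decision logic for group bridging: a packet is matched against the rules of
the group of the authenticated user at its source address, and an address
with no live session has no group. Added example, not SmoothWall code; the
groups, addresses and session lifetimes are constructed for illustration and
ranges in the Destination IP field are omitted for brevity."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    group: str
    expires: float       # epoch seconds; when it lapses, so does the access


@dataclass
class GroupRule:
    group: str
    dst_if: str
    dst_ip: str                                 # single IP or subnet
    protocol: str = "all"                       # all, tcp, udp, tcp+udp, icmp, ...
    dst_port: Optional[Tuple[int, int]] = None  # inclusive range; None = all ports
    enabled: bool = True


@dataclass
class Packet:
    src_ip: str
    dst_if: str
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None


def _proto_ok(rule_proto: str, pkt_proto: str) -> bool:
    if rule_proto == "all":
        return True
    if rule_proto == "tcp+udp":
        return pkt_proto in ("tcp", "udp")
    return rule_proto == pkt_proto


def _port_ok(rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def group_bridge_permits(pkt: Packet, sessions: Dict[str, Session],
                         rules: List[GroupRule], now: float) -> Optional[str]:
    """Return the group whose rule admits pkt, or None. Zone bridging rules are
    evaluated separately and are not modelled here."""
    s = sessions.get(pkt.src_ip)
    if s is None or s.expires <= now:
        return None    # not (or no longer) authenticated: no group rules apply
    dst = ipaddress.IPv4Address(pkt.dst_ip)
    for r in rules:
        if not r.enabled or r.group != s.group or r.dst_if != pkt.dst_if:
            continue
        if dst not in ipaddress.IPv4Network(r.dst_ip, strict=False):
            continue
        if _proto_ok(r.protocol, pkt.protocol) and _port_ok(r.dst_port, pkt.dst_port):
            return r.group
    return None


# Constructed sample data.
SESSIONS = {
    "10.0.3.44": Session("alice", "finance", expires=2000.0),
    "10.0.3.46": Session("bob", "it", expires=2000.0),
    "10.0.3.47": Session("carol", "it", expires=500.0),   # already expired at now=1000
}
RULES = [
    GroupRule("finance", "eth1", "192.168.10.50", "tcp", (445, 445)),  # SMB to one file server
    GroupRule("it", "eth1", "192.168.10.0/24"),                        # anything in the zone
]

if __name__ == "__main__":
    p = Packet("10.0.3.44", "eth1", "192.168.10.50", "tcp", 445)
    print(group_bridge_permits(p, SESSIONS, RULES, now=1000.0))
```

Note that the same packet from 10.0.3.45, an address with no session, is refused even though an identical rule exists; so is carol's traffic once her session has expired. In practice the firewall keys the rule on the address the user authenticated from, so shared or NATed client addresses extend the grant to everyone behind them.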

IP Block

The IP block page is used to create rules that drop or reject traffic originating from single or multiple IP addresses. Exceptions can also be created to prevent blocking of certain IP addresses. IP blocking is primarily intended to block hostile hosts from the external network. However, it is sometimes useful to use this feature to block internal hosts - for example, if an internal system has been infected by a virus.

Creating IP block rules

The following configuration controls are used to create IP block rules:

  • Source IP or network - The source IP, IP range or subnet range of IP addresses affected by this IP block rule. See the IP address definitions section of this help file for information regarding IP address entry.
  • Drop packet - This will cause any request from the source IP or network to be completely ignored. The effect is similar to disconnecting the appropriate interface from the network.
  • Reject packet - This will cause an ICMP destination-unreachable (port unreachable) message to be sent back to the originating IP, which that host typically reports as "Connection refused"; no communication will be possible. Unlike Drop, the sender learns at once that a filter is in the path.
  • Exception - This setting will always allow the source IPs specified in the Source IP or network text field to communicate, regardless of all other IP block rules. Exception rules are typically used in conjunction with other IP block rules, for example where one IP block rule drops traffic from a subnet range of IP addresses and another creates exception IP addresses within it.
  • Log - This will cause all activity from this IP to be logged.
  • Comment - A text-field used to assign a helpful message describing the IP block rule.
  • Enabled - Determines whether the IP block rule is currently active.

To create an IP block rule, enter appropriate configuration values into each of the configuration controls and click the Add button. The Enabled tick-box must be selected for the IP block rule to be enforced by the firewall.
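
The interaction between drop, reject and exception rules is easiest to see in code. The Python below is an added example, not SmoothWall code: it evaluates a source address against a rule list (exceptions win regardless of position, otherwise the first matching block rule decides), renders the list into an iptables chain with the exceptions placed first, and includes a helper for the same-subnet limitation noted on this page. The chain name IPBLOCK and all addresses are constructed; ranges in the Source IP field are omitted for brevity.

```python
"""Evaluation of IP block rules and an illustrative iptables rendering. Added
example, not SmoothWall code; the chain name IPBLOCK and all addresses are
constructed. Ranges in the Source IP field are omitted for brevity."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class BlockRule:
    source: str              # single IP or subnet (prefix or dotted mask)
    action: str              # "drop", "reject" or "exception"
    log: bool = False
    enabled: bool = True


def _covers(rule: BlockRule, addr: ipaddress.IPv4Address) -> bool:
    return rule.enabled and addr in ipaddress.IPv4Network(rule.source, strict=False)


def evaluate(src_ip: str, rules: List[BlockRule]) -> Tuple[str, bool]:
    """Return (verdict, logged) for traffic from src_ip; verdict is "drop",
    "reject" or "pass". An exception wins regardless of its position in the
    list; otherwise the first matching block rule decides."""
    a = ipaddress.IPv4Address(src_ip)
    live = [r for r in rules if _covers(r, a)]
    for r in live:
        if r.action == "exception":
            return ("pass", r.log)
    for r in live:
        if r.action in ("drop", "reject"):
            return (r.action, r.log)
    return ("pass", False)


def to_iptables(rules: List[BlockRule], chain: str = "IPBLOCK") -> List[str]:
    """Render into a user-defined chain that INPUT and FORWARD jump to.
    Exceptions come first as RETURN, so matching traffic leaves the chain
    before any block rule is reached; reject uses netfilter's ICMP
    port-unreachable, which the sender sees as "Connection refused"."""
    out = []
    for r in rules:
        if r.enabled and r.action == "exception":
            out.append(f"iptables -A {chain} -s {r.source} -j RETURN")
    for r in rules:
        if not r.enabled or r.action == "exception":
            continue
        if r.log:
            out.append(f'iptables -A {chain} -s {r.source} -j LOG --log-prefix "{chain} "')
        target = "DROP" if r.action == "drop" else "REJECT --reject-with icmp-port-unreachable"
        out.append(f"iptables -A {chain} -s {r.source} -j {target}")
    return out


def same_attached_subnet(a: str, b: str, iface_network: str) -> bool:
    """The limitation noted on this page: two hosts on one directly attached
    subnet reach each other without the firewall, so no block rule applies."""
    n = ipaddress.IPv4Network(iface_network, strict=False)
    return ipaddress.IPv4Address(a) in n and ipaddress.IPv4Address(b) in n


# Constructed sample: block a hostile /24 but keep one host in it reachable.
RULES = [
    BlockRule("203.0.113.0/24", "drop", log=True),
    BlockRule("203.0.113.10", "exception"),
    BlockRule("198.51.100.7", "reject"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, evaluate(ip, RULES))
    print("\n".join(to_iptables(RULES)))
```

With these rules 203.0.113.5 is dropped and logged, 203.0.113.10 passes because of the exception even though the exception is listed after the drop, and 198.51.100.7 is rejected.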

Note - An IP block rule cannot drop or reject traffic between hosts on the same subnet. Such traffic is delivered directly between the hosts and never passes through the firewall, so the firewall cannot block it.

Viewing current IP block rules

IP block rules are listed in the Current rules region in table format, with each of the configuration values displayed in appropriately named columns.

Removing an IP block rule

To remove one or more IP block rules, locate each rule within the Current rules list and select their adjacent Mark tick-box controls. Click the Remove button.

Editing an IP block rule

To edit a particular IP block rule, locate it within the Current rules list and select its adjacent Mark tick-box. Click the Edit button to populate the configuration controls in the Add a new rule region with the IP block rule's current configuration values. Alter the configuration values as necessary, and click the Add button.

Note - Failure to click the Add button will result in the loss of the IP block rule.

Subnets

The subnets page is used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway.

Creating a subnet rule

The following configuration controls are used to create subnet rules:

  • Network - An IP address that, combined with the Netmask value, identifies the destination subnet, e.g. "192.168.10.0".
  • Netmask - A value used to separate the network ID from the host ID of an IP address, e.g. "255.255.255.0".
  • Gateway - The IP address of the gateway device that bridges the local network to the subnet specified by the Network and Netmask.
  • Comment - A text-field used to assign a helpful message describing the subnet rule.
  • Enabled - Determines whether the subnet rule is currently active.

To create a subnet rule, enter appropriate configuration values into each of the configuration controls and click the Add button. The Enabled tick-box must be selected to activate routing to the specified subnet.

Viewing current subnet rules

Subnet rules are listed in the Current rules region in table format, with each of the configuration values displayed in appropriately named columns.

Removing subnet rules

To remove one or more subnet rules, locate each rule within the Current rules list and select their adjacent Mark tick-box controls. Click the Remove button.

Editing a subnet rule

To edit a particular subnet rule, locate it within the Current rules list and select its adjacent Mark tick-box. Click the Edit button to populate the configuration controls in the Add a new rule region with the subnet rule's current configuration values. Alter the configuration values as necessary, and click the Add button.

Note - Failure to click the Add button will result in the loss of the subnet rule.

Note - The web proxy must be restarted to make it aware of any changes made to subnet rules.

Advanced Networking Features

The advanced page is used to configure advanced network and traffic auditing parameters.

Setting advanced networking features

The following configuration controls are used to set advanced networking features:

  • Block ICMP ping broadcasts - Prevents the system from responding to broadcast ping messages from all network zones (including external). Enabling this control stops the system from being used as an amplifier in a broadcast-ping (smurf) Denial of Service attack.
  • Block ICMP ping - Prevent the system responding to normal ping messages, from all network zones (including external). This will effectively "hide" the machine from ICMP pings, but this can also make connectivity problems more difficult to diagnose.
  • Block SYN+FIN packets - A TCP segment with both SYN and FIN set is never produced by a legitimate TCP stack. Scanners send such packets to slip past stateless filters that match only on SYN and to fingerprint the responding system, and each one normally generates a log entry. SmoothWall systems are not vulnerable to this type of scan - this option is provided so that such packets are automatically discarded without being logged.
  • Enable SYN cookies - Defends the system against SYN Flood attacks. A SYN Flood attack is where a huge number of connection requests (SYN packets) are sent to a machine in the hope that it will be overwhelmed. SYN cookies are a standard defence mechanism against this type of attack: they come into play once the SYN backlog queue is full, allowing the machine to keep answering legitimate requests instead of entering a Denial of Service (DoS) situation where it is too busy to respond.
  • Enable TCP timestamps - This option enables TCP timestamps (RFC1323) to improve TCP performance on high speed links.
  • Enable selective ACKs - This option enables selective ACKs (RFC2018) to improve TCP performance when packet loss is high.
  • Enable window scaling - TCP window scaling is another mechanism for improving the performance of TCP on high speed links.
  • Enable ECN - Explicit Congestion Notification is a mechanism for network congestion avoidance. Whilst effective, it requires both communicating hosts to support it, and some routers are known to drop packets with the ECN bits set. For this reason, this feature is disabled by default.
  • Block and ignore IGMP packets - This option blocks and ignores multicast-reporting IGMP packets. Such packets are harmless, and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of spurious IGMP entries, enable this option to ignore IGMP packets without generating log entries.
  • Block and ignore multicast traffic - Some ISPs configure their users to receive multicast messages on addresses in the 224.0.0.0/4 multicast range. Enabling this option will block such messages and prevent them generating large volumes of spurious log entries.
  • Connection tracking table size - The system's connection tracking table is used to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall. The value entered in this field determines the table's maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size (which is set according to the amount of memory) is insufficient - use this field to configure a larger size.
  • SYN backlog queue size - This option sets the maximum number of requests which may be waiting in a queue to be answered. The standard value for this setting is usually adequate, but may reduce connection problems for an extremely busy proxy service.

To activate a particular advanced networking feature, select its tick-box in the Advanced networking features region. Click the Save button.
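
The tick-boxes above correspond to well-known Linux kernel and netfilter settings. The Python below is an added example, not SmoothWall code: it lists the standard sysctl knob for each feature that has one, renders the three that have none (SYN+FIN, IGMP and multicast) as INPUT rules inserted ahead of any logging, and audits sysctl output for the hardening knobs an operator expects to find on. Which of these knobs SmoothWall itself writes is not stated on the page, and the sample sysctl output is constructed rather than captured.

```python
"""Mapping of the Advanced networking features to Linux kernel and netfilter
settings, plus an audit of existing sysctl output. Added example, not
SmoothWall code: the knobs listed are the standard Linux ones for each
feature; which of them SmoothWall itself writes is not stated on the page."""
from typing import Dict, List, Optional

# GUI option -> sysctl key. A ticked option is written as 1, an unticked one as 0.
SYSCTL_MAP = {
    "block_icmp_ping_broadcasts": "net.ipv4.icmp_echo_ignore_broadcasts",
    "block_icmp_ping":            "net.ipv4.icmp_echo_ignore_all",
    "enable_syn_cookies":         "net.ipv4.tcp_syncookies",
    "enable_tcp_timestamps":      "net.ipv4.tcp_timestamps",
    "enable_selective_acks":      "net.ipv4.tcp_sack",
    "enable_window_scaling":      "net.ipv4.tcp_window_scaling",
    "enable_ecn":                 "net.ipv4.tcp_ecn",
}


def render_sysctl(settings: Dict[str, bool], conntrack_max: Optional[int] = None,
                  syn_backlog: Optional[int] = None) -> List[str]:
    """Lines in sysctl.conf format for the tick-boxes and the two sizes."""
    lines = [f"{key} = {1 if settings.get(opt) else 0}" for opt, key in SYSCTL_MAP.items()]
    if conntrack_max:
        lines.append(f"net.netfilter.nf_conntrack_max = {conntrack_max}")
    if syn_backlog:
        lines.append(f"net.ipv4.tcp_max_syn_backlog = {syn_backlog}")
    return lines


def render_iptables(settings: Dict[str, bool]) -> List[str]:
    """The three options with no sysctl equivalent. Rules are inserted at the
    head of INPUT so the packets are discarded before any LOG rule sees them,
    which is the 'without being logged' behaviour described on the page."""
    rules = []
    if settings.get("block_syn_fin"):
        # --tcp-flags SYN,FIN SYN,FIN: examine both flags, match when both are set.
        rules.append("iptables -I INPUT 1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP")
    if settings.get("block_igmp"):
        rules.append("iptables -I INPUT 1 -p igmp -j DROP")
    if settings.get("block_multicast"):
        rules.append("iptables -I INPUT 1 -d 224.0.0.0/4 -j DROP")
    return rules


# Hardening knobs an auditor expects to find on; the performance options are
# left out because either value can be legitimate.
EXPECTED = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
}


def audit_sysctl(sysctl_output: str) -> List[str]:
    """Parse 'key = value' lines (as printed by sysctl -a) and report deviations."""
    current = {}
    for line in sysctl_output.splitlines():
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            current[k] = v
    return [f"{k} is {current.get(k, 'unset')}, expected {v}"
            for k, v in EXPECTED.items() if current.get(k) != v]


# Constructed sample of sysctl -a output, not captured from a real system.
SAMPLE_SYSCTL = """\
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_ecn = 2
"""

if __name__ == "__main__":
    on = {"enable_syn_cookies": True, "block_icmp_ping_broadcasts": True}
    print("\n".join(render_sysctl(on, conntrack_max=65536)))
    print("\n".join(render_iptables({"block_syn_fin": True, "block_multicast": True})))
    print(audit_sysctl(SAMPLE_SYSCTL))
```

On a live system the audit input would come from `sysctl -a`; here the constructed sample reports only the broadcast-ping knob as off.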

Setting traffic auditing settings

Traffic auditing is a means of recording extended traffic logs for the purpose of analysing the different types of incoming, outgoing and forwarded traffic:

  • Direct incoming traffic - Log all inbound traffic from the external network.
  • Direct outgoing traffic - Log all outbound traffic to the external network.
  • Forwarded traffic - Log all port-forwarded, inbound traffic.

To activate a traffic auditing feature, select its tick-box in the Traffic auditing region and click the Save button.

Dropping all direct traffic on internal interfaces

All traffic destined for the firewall can be dropped on a specified internal interface. This feature is useful for preventing completely untrusted machines (such as hosted servers) from having any contact with the firewall.

To drop all direct traffic on a particular internal interface, select its tick-box control in the Drop all traffic on internal interfaces region. Click the Save button.

Internal Aliases

The internal aliases page is used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a 'virtual' subnet - without the need for additional network interfaces or hardware.

This feature is not recommended for normal use, for the following reasons:

  • No physical separation - Internal aliases should not be considered as a substitute for physically separating multiple networks. Network users can join a logical subnet simply by changing their IP address.
  • No DHCP service - The DHCP server cannot serve a logical subnet, as it is impossible for it to know which subnet (physical or logical) that the client should be on.
  • No direct DNS or proxy access - The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface - this is not the case when an alias is in use.

Creating internal alias rules

The following configuration controls are used to create internal alias rules:

  • Interface - The physical interface on which the internal alias will be created.
  • IP address - The address the firewall itself will use on the virtual subnet, e.g. "192.168.20.1". Combined with the Netmask value it also defines the virtual subnet, so it should be a host address rather than the subnet's network address.
  • Netmask - A value used to separate the network ID from the host ID of the IP address, e.g. "255.255.255.0".
  • Comment - A text-field used to assign a helpful message describing the internal alias rule.
  • Enabled - Determines whether the internal alias rule is currently active.

To create an internal alias, first choose the physical interface for the alias using the Interface drop-down menu. Enter an IP address and network mask in the IP address and Netmask fields to define the virtual subnet. Enter a useful description in the Comment text-field, select the Enabled tick-box to activate the internal alias rule, and click the Add button.

Removing an internal alias

To remove one or more internal alias rules, locate each rule in the Current rules region and select their adjacent Mark tick-box controls. Click the Remove button.

Editing an internal alias

To edit a particular internal alias rule, locate it within the Current rules list and select its adjacent Mark tick-box. Click the Edit button to populate the configuration controls in the Add a new rule region with the internal alias rule's current configuration values. Alter the configuration values as necessary, and click the Add button.

Note - Failure to click the Add button will result in the loss of the internal alias rule.