Source rules
The source rules page is used to assign outbound access controls to IP addresses and networks. Each source rule associates a particular host or
network with a preset or customised port rule. The page also allows default outbound access controls to be configured and logging options to be
set.
Understanding source rules
When the source IP of an outbound packet matches a host or network defined in a source rule, the packet is checked against the port rule
assigned to that source. If the packet is destined for a port the port rule bans, it is rejected; if it is destined for an allowed port, it is
allowed.
Note - The first source rule a packet matches decides its fate; once matched, the packet is not subjected to further rule matching. Source rules cannot be stacked.
Configuring the default settings
The following controls are used to enter the default settings:
- Default port rule - Used to set the port rule that is applied to outbound packets originating from a source IP that has no
matching source rule configured. This can be a preset or custom port rule (for more information see the help file
on the Rule | ports configuration page). This value is usually set to one of the preset "catch-all" port rules, either
"Allow all" or "Reject all". Selecting "Allow all" enables all hosts that are not matched by a source rule to initiate any kind of outbound
communication, whilst "Reject all" prevents all outbound communication from all non-matching hosts.
- Rejection logging - Used to specify that all traffic rejected by the default or current list of source rules is logged
in the firewall logs (accessible from the Logs | firewall configuration page when "SmoothRule - rejects" is chosen from the
Section drop-down menu).
- Stealth mode - Used to specify that all traffic that would normally be rejected by the default port rule is actually allowed,
but the event information is logged in the firewall logs (accessible from the Logs | firewall configuration page when
"SmoothRule - stealth" is chosen from the Section drop-down menu). Stealth mode enforces nothing: use it to preview what a default of
"Reject all" would block, then turn it off once the policy is confirmed.
Select appropriate values for each of the configuration controls and click the Save button.
Creating a source rule
To create a new source rule, enter the host source IP or network that the rule will be applied to into the Source IP or network
text field. Choose a preset or custom port rule to be applied to the specified source from the Port rule drop-down menu. Enter a
useful comment about the source rule into the Comment text field and select the Enabled tick-box control to activate the
source rule.
Note 1 - To quickly block a particular internal IP, enter the host's IP address into the Source IP or network text field and choose "Reject all" from the Port rule drop-down menu.
Note 2 - Source rules that are defined for networks are always tested after those defined for single hosts.
Note 3 - To fine-tune the exact ports and services that individual or network hosts can access, create custom port rules using the Rule | ports configuration page and assign them using the Port rule drop-down menu on this page.
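The matching order described above, modelled as an added example that is not SmoothWall's own code: single-host rules are tested before network rules, the first match wins, disabled rules are skipped, an unmatched source falls through to the default port rule, and stealth mode logs instead of rejecting. The class and function names (PortRule, SourceRule, Defaults, select_rule, evaluate) and the sample rules are this example's own; a port rule is reduced here to a mode plus a set of (protocol, port) pairs.

```python
"""Model of SmoothRule source-rule evaluation as described on this page.

Added example, not SmoothWall code. Names (PortRule, SourceRule, Defaults,
select_rule, evaluate) and the sample rules below are this example's own.
A port rule is reduced to a mode plus a set of (protocol, port) pairs;
the full entry syntax is not modelled here.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class PortRule:
    name: str
    mode: str                  # "reject_listed" (restrictive) or "allow_listed" (permissive)
    ports: frozenset           # (protocol, port) pairs that are listed
    stealth: bool = False      # per-rule stealth mode: log, never block
    log_rejects: bool = False  # per-rule rejection logging

    def permits(self, protocol, port):
        listed = (protocol, port) in self.ports
        return (not listed) if self.mode == "reject_listed" else listed


@dataclass(frozen=True)
class SourceRule:
    source: str                # "Source IP or network": host address or CIDR
    port_rule: PortRule
    enabled: bool = True
    comment: str = ""

    @property
    def network(self):
        return ipaddress.ip_network(self.source, strict=False)

    @property
    def is_host(self):
        return self.network.num_addresses == 1


@dataclass(frozen=True)
class Defaults:
    """Settings from the 'Configuring the default settings' region."""
    port_rule: PortRule
    log_rejects: bool = False  # Rejection logging: log every reject, default or source rule
    stealth: bool = False      # Stealth mode: the default rule logs instead of rejecting


# The two preset catch-all port rules.
ALLOW_ALL = PortRule("Allow all", "reject_listed", frozenset())
REJECT_ALL = PortRule("Reject all", "allow_listed", frozenset())


def select_rule(rules, src_ip, default_rule):
    """Return (origin, port_rule) for src_ip.

    Single-host rules are tested before network rules (Note 2), the first
    match wins and stops further matching, disabled rules are skipped, and
    an unmatched source gets the default port rule.
    """
    ip = ipaddress.ip_address(src_ip)
    enabled = [r for r in rules if r.enabled]
    ordered = [r for r in enabled if r.is_host] + [r for r in enabled if not r.is_host]
    for rule in ordered:
        if ip in rule.network:
            return rule.source, rule.port_rule
    return "default", default_rule


def evaluate(rules, defaults, src_ip, protocol, dst_port, log):
    """Decide ALLOW/REJECT for one outbound packet; append log lines to `log`."""
    origin, port_rule = select_rule(rules, src_ip, defaults.port_rule)
    if port_rule.permits(protocol, dst_port):
        return "ALLOW"
    packet = f"{src_ip} -> {protocol}/{dst_port}"
    # Stealth mode never blocks: record what would have been rejected and let it through.
    if port_rule.stealth or (origin == "default" and defaults.stealth):
        log.append(f"SmoothRule - stealth: {packet} would be rejected by {port_rule.name!r} ({origin})")
        return "ALLOW"
    if port_rule.log_rejects or defaults.log_rejects:
        log.append(f"SmoothRule - rejects: {packet} rejected by {port_rule.name!r} ({origin})")
    return "REJECT"


# Constructed sample policy (RFC 1918 addresses, this example's own).
WEB_ONLY = PortRule("Web only", "allow_listed",
                    frozenset({("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}),
                    log_rejects=True)
RULES = [
    SourceRule("10.0.0.0/24", WEB_ONLY, comment="staff LAN"),
    SourceRule("10.0.0.5", REJECT_ALL, comment="quarantined host: listed after the network but tested first"),
    SourceRule("10.0.0.6", ALLOW_ALL, enabled=False, comment="disabled, so the LAN rule applies"),
]
DEFAULTS = Defaults(REJECT_ALL, log_rejects=True)

if __name__ == "__main__":
    log = []
    for src, proto, port in [("10.0.0.5", "tcp", 80), ("10.0.0.7", "tcp", 443),
                             ("10.0.0.7", "tcp", 25), ("10.0.0.6", "tcp", 25),
                             ("192.168.1.9", "tcp", 80)]:
        print(src, proto, port, evaluate(RULES, DEFAULTS, src, proto, port, log))
    print(*log, sep="\n")
```

Two things the model makes visible: the quarantined host 10.0.0.5 is rejected even though its rule is listed after the network rule that would allow web traffic, because host rules are tested first; and with the default stealth setting switched on, a host outside every source rule is logged and then allowed, which is why stealth mode is a preview setting and not a policy.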
Removing source rules
To remove one or more source rules, locate each rule within the Current rules list
and select their adjacent Mark tick-box controls. Click the Remove button.
Editing a source rule
To edit a particular source rule, locate it within the Current rules list
and select its adjacent Mark tick-box. Click the Edit button to populate the
configuration controls in the Add a new rule region with the rule's current
configuration values. Alter the configuration values as necessary, and click the Add
button.
Note - The rule is only re-saved when the Add button is clicked. If you leave the page without clicking Add, the source rule is lost.
Group rules
The group rules page is used to assign outbound access controls to authenticated groups of users. Each group rule associates a particular
authenticated group of users with a preset or customised port rule.
Enabling authenticated groups
To enable outbound access control using group rules, the authentication service must be activated and operating correctly. Select the
Enable authenticated groups tick-box control and click the Save button at the bottom of the page.
Configuring group rules
To associate a particular authenticated user group with a port rule, locate the authentication group in the Group rules region
and choose its port rule from the adjacent Port rule drop-down menu. Click the Save button to record any configuration
changes made.
Note - Group rules cannot be enforced in all circumstances. A user who has not actively authenticated (using the SSL Login page
or some other authentication method) is unknown to the system, so no group rule can be applied and only source rules take effect.
Group rules are therefore better suited to granting access to ports and services than to denying it: a user who wants an outbound port
or service has a reason to pro-actively authenticate, whereas a user who wants to avoid a restriction does not.
Port rules
The ports page is used to define lists of outbound destination ports and services that should be blocked or allowed.
Understanding port rules
Up to 20 different lists of port rules can be created.
Port rules are used to create lists of outbound communication rules that can be subsequently applied to individual hosts, networks and
authenticated groups of users to allow or block access to particular ports and services. Port rules can operate in two different modes:
- Restrictive - Reject access to only the listed ports.
- Permissive - Allow access to only the listed ports.
A further property of a port rule list is its ability to block certain P2P (Peer to Peer) applications. This works in addition to the
ability to block specific ports. P2P traffic is difficult to control by port alone because many programs change ports or use ports that
must stay open in order to evade standard port blocking rules. Instead of relying on port numbers, SmoothRule inspects the content of the
passing traffic to determine whether a block should be applied, so the overall port policy does not have to be strict to prevent P2P abuse.
Content matching recognises known protocol signatures; it complements port blocking rather than replacing it.
Creating a port rule set
Before a port list can have ports added to it, it must first be created. Select an "Empty" port list from the Port rules drop-down
menu and click the Select button. Enter a name for the port rule list into the Port rule name text field and click the
Save button.
Next, enter appropriate values into the following configuration controls:
- Reject only listed ports - Rejects outbound access to only the ports listed in the port rules list.
- Allow only listed ports - Allows outbound access to only the ports listed in the port rules list.
- Rejection logging - When enabled this option will add messages to the system firewall logs (SmoothRule rejects section)
detailing the requested connection prior to it being rejected.
- Stealth mode - If a port rule is in this mode, it will never actually block any traffic. Instead, any packet that would
have been blocked will only be logged into the SmoothRule stealth section. This feature is useful if you want to see what effect a set
of rules will have without actually enforcing the blocks.
- Block eDonkey - Blocks traffic if it appears to be from the eDonkey family of P2P (Peer to Peer) applications.
- Block KaZaA - Blocks traffic if it appears to be from the KaZaA family of P2P (Peer to Peer) applications.
- Block Gnutella - Blocks traffic if it appears to be from the Gnutella family of P2P (Peer to Peer) applications.
- Block DirectConnect - Blocks traffic if it appears to be from the DirectConnect family of P2P (Peer to Peer) applications.
- Block BitTorrent - Blocks traffic if it appears to be from the BitTorrent family of P2P (Peer to Peer) applications.
Click the Save button to record all configuration changes made to the above controls.
Adding protocols and ports to a port rule set
Once a port rule set has been created and selected, it is possible to assign protocols and ports to it. These protocols and ports will either be
rejected or allowed dependent on whether the port rule set is operating in 'Reject' or 'Allow' mode (indicated by the Reject only listed
ports or Allow only listed ports radio-buttons).
The following configuration controls are used to add protocols and ports to a port rules set:
- Protocol - Used to select the protocol the rule will affect.
- Service - Used to select a well known service / port the rule will affect. If the 'User defined' option is
selected, the port or range is taken from the User defined port or range text field instead.
- User defined port or range - Used to enter a single port number or a range of ports when the 'User defined' option is selected
in the Service drop-down menu.
- Comment - A text-field used to assign a helpful message to this rule.
- Enabled - Determines whether the rule is active within the port rule set.
To add protocols and ports to a port rule set, enter appropriate values into each of these configuration controls and click the Add
button. The Enabled tick-box must be selected for the port rule to be activated within the port rule set.
Note 1 - It is strongly advised that you allow DNS (port 53, UDP and TCP) so that a server on ORANGE can make DNS lookups. Many daemons
perform a reverse lookup on each incoming connection, so a host in the ORANGE network that cannot resolve names may be slow to accept, or
refuse, external connections.
Note 2 - A typical scenario might be to create one permissive ("Allow only listed ports") port list for normal employees containing only
HTTP (80) and HTTPS (443), plus DNS (53) if you are using an external DNS server. Other, more trusted, users might only be blocked from
accessing chat services by a restrictive ("Reject only listed ports") list, whilst other source IP addresses might be assigned "Reject all"
and have no Internet access. The administrators, naturally, will want completely unrestricted access ("Allow all").
External mail servers
The external mail servers page is used to define a list of external email (SMTP) servers that should always be accessible to internal network
hosts. It is used together with regular port rules that reject SMTP (port 25): the port rules block direct outbound mail from internal hosts,
and this list re-permits delivery to the specific mail servers only. Restricting outbound SMTP to known servers stops a compromised internal
host from sending mail directly to the Internet.
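A port rule set built from the entries described under "Adding protocols and ports to a port rule set", combined with the external mail server exception described above, as an added example that is not SmoothWall's own code. It assumes the semantics stated on this page: an entry is a protocol plus a well-known service or a user-defined port or range, only enabled entries count, the set runs in "Reject only listed ports" or "Allow only listed ports" mode, and a destination on the external mail server list is reachable on SMTP (TCP 25) even when the port rule would reject it. The hyphenated range syntax, the SERVICES table, the relay address and the names PortEntry, PortRuleSet, parse_port_spec and outbound_permitted are this example's own.

```python
"""Model of a SmoothRule port rule set plus the external mail server exception.

Added example, not SmoothWall code. The range syntax "low-high", the SERVICES
subset and all class/function names are this example's own assumptions.
"""
from dataclasses import dataclass

# Constructed subset of what the Service drop-down offers (the real menu is longer).
SERVICES = {"DNS": 53, "HTTP": 80, "HTTPS": 443, "SMTP": 25, "SSH": 22, "IRC": 6667}


def parse_port_spec(spec):
    """Parse the 'User defined port or range' field: "80" or "6660-6669".
    Returns (low, high); raises ValueError for anything outside 1-65535 or out of order."""
    parts = spec.strip().split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port spec {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return low, high


@dataclass(frozen=True)
class PortEntry:
    protocol: str       # "tcp" or "udp"
    low: int
    high: int
    enabled: bool = True
    comment: str = ""

    @classmethod
    def from_form(cls, protocol, service, user_defined="", enabled=True, comment=""):
        """Build an entry the way the Add form does: a named service or 'User defined'."""
        if service == "User defined":
            low, high = parse_port_spec(user_defined)
        else:
            low = high = SERVICES[service]
        return cls(protocol.lower(), low, high, enabled, comment)

    def matches(self, protocol, port):
        # A disabled entry is present in the list but takes no part in matching.
        return self.enabled and self.protocol == protocol and self.low <= port <= self.high


@dataclass
class PortRuleSet:
    name: str
    mode: str           # "reject_listed" or "allow_listed"
    entries: list

    def listed(self, protocol, port):
        return any(e.matches(protocol, port) for e in self.entries)

    def permits(self, protocol, port):
        if self.mode == "reject_listed":
            return not self.listed(protocol, port)
        return self.listed(protocol, port)


def outbound_permitted(rule_set, external_mail_servers, protocol, dst_ip, dst_port):
    """Apply the port rule set, then the 'always accessible' SMTP exception."""
    if protocol == "tcp" and dst_port == 25 and dst_ip in external_mail_servers:
        return True
    return rule_set.permits(protocol, dst_port)


# Constructed sample: staff may use only web and DNS; an 8080 test entry is left disabled.
STAFF = PortRuleSet("Staff web only", "allow_listed", [
    PortEntry.from_form("TCP", "HTTP"),
    PortEntry.from_form("TCP", "HTTPS"),
    PortEntry.from_form("UDP", "DNS"),
    PortEntry.from_form("TCP", "DNS"),
    PortEntry.from_form("TCP", "User defined", "8080", enabled=False, comment="proxy test, disabled"),
])
# Constructed sample: trusted users are blocked only from IRC.
TRUSTED = PortRuleSet("No chat", "reject_listed", [
    PortEntry.from_form("TCP", "IRC"),
    PortEntry.from_form("TCP", "User defined", "6660-6669", comment="IRC alternates"),
])
EXTERNAL_MAIL = {"198.51.100.25"}   # constructed relay address (TEST-NET-2)

if __name__ == "__main__":
    for ip, port in [("198.51.100.25", 25), ("203.0.113.7", 25), ("203.0.113.7", 443)]:
        print("staff ->", ip, port, outbound_permitted(STAFF, EXTERNAL_MAIL, "tcp", ip, port))
    for proto, port in [("tcp", 6665), ("udp", 6665), ("tcp", 443)]:
        print("trusted ->", proto, port, TRUSTED.permits(proto, port))
```

Note that a restrictive list is protocol-specific: blocking TCP 6660-6669 says nothing about UDP on the same ports, so a service that can use either transport needs an entry for each. The validation in parse_port_spec is the check a practitioner would want on the form field, since an out-of-order or out-of-range entry would otherwise silently match nothing.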
Creating external mail rules
To create an external mail rule, enter the IP address of the mail server into the Destination IP text field and enter a useful comment about
the rule into the Comment text field. Select the Enabled tick-box control to activate the rule and click the Add button.
Removing external mail rules
To remove one or more external mail rules, locate each rule within the Current rules list and select their adjacent Mark
tick-box controls. Click the Remove button.
Editing an external mail rule
To edit a particular external mail rule, locate it within the Current rules list and select its adjacent Mark tick-box.
Click the Edit button to populate the configuration controls in the Add a new rule region with the rule's current
configuration values. Alter the configuration values as necessary, and click the Add button.
Note - The rule is only re-saved when the Add button is clicked. If you leave the page without clicking Add, the external mail rule is lost.