Changing the firewall policy LAN -> Internet
The default policy of DEFENDO's firewall denies direct Internet connections. The article "Firewall default policy" explains how to access the Internet with DEFENDO. If - and only if - direct connections from the LAN through DEFENDO to the Internet are required, the firewall policy has to be modified.
Required client setup
If the client IP configuration is assigned by a DHCP server, you will have to verify the DHCP server's configuration. Otherwise, open the network configuration of each client PC.
Enter DEFENDO's IP as gateway (default gateway, router) and name server (DNS). Please make sure DEFENDO's LAN IP is the only IP listed there. Remove any additional entries from both lists to avoid conflicts.
Modification of DEFENDO's firewall policy
Turn to menu item "Expert -> Firewall". Make sure the parameter "IP routing" is enabled.
To grant access for a specific application, you need to know the port it uses. Please check the documentation or ask the vendor if you don't know the required port. You can also check the firewall log of DEFENDO, as restricted connections will be logged. The requested destination port is labeled "DPT=".
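Reading the port out of the firewall log by hand is tedious when many connections are logged. The following script is an added example, not part of DEFENDO or this article: it parses log lines in the netfilter/iptables format (SRC=, DST=, PROTO=, DPT= fields), which the DEFENDO firewall log is assumed to use, and counts the blocked destinations per client. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter/iptables log format that DEFENDO's
# firewall log is assumed to use. The field labels SRC=, DST=, PROTO=, SPT= and
# DPT= are the kernel's; the log prefix, hosts and addresses are made up here.
SAMPLE_LOG = """\
Mar  3 09:12:01 defendo kernel: FW-DROP IN=eth0 OUT=adsl0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=5938 SYN
Mar  3 09:12:04 defendo kernel: FW-DROP IN=eth0 OUT=adsl0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=49153 DPT=5938 SYN
Mar  3 09:12:09 defendo kernel: FW-DROP IN=eth0 OUT=adsl0 SRC=192.168.1.31 DST=198.51.100.7 PROTO=UDP SPT=52000 DPT=5060
Mar  3 09:12:15 defendo kernel: FW-DROP IN=eth0 OUT=adsl0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=49154 DPT=5938 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the netfilter fields of one log line as a dict, or None if the
    line carries no destination port (e.g. ICMP) and is not useful here."""
    fields = dict(FIELD_RE.findall(line))
    if "DPT" not in fields or "PROTO" not in fields:
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def blocked_destinations(log_text, src_ip=None):
    """Count blocked connections by (protocol, destination port, destination IP).

    Restricting to the LAN IP of the machine that runs the application (src_ip)
    is the quickest way to isolate the port that application needs; the result
    tells you which protocol entry and which rule to add in DEFENDO."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (src_ip and rec["SRC"] != src_ip):
            continue
        counts[(rec["PROTO"].lower(), rec["DPT"], rec["DST"])] += 1
    return counts


if __name__ == "__main__":
    # Most frequent blocked destination first: here tcp/5938 to 203.0.113.10.
    for (proto, dport, dst), n in blocked_destinations(SAMPLE_LOG).most_common():
        print(f"{n:3d}x  {proto}/{dport} -> {dst}")
```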
If you have a DEFENDO release 5.0 and above, please proceed as follows:
- Open menu "Expert -> Firewall -> Protocols"
- You will find a number of predefined protocols with their corresponding port signatures. If you find the required protocol among them, there's no need to modify anything in here
- Otherwise please click "New..." to add a new protocol
- Now add the required signatures. The defaults for new entries (protocol tcp, source port range 1024-65535) are ok in most situations. You only need to enter the destination port number.
- Click "Apply" when you're done adding port signatures.
Now we are going to add the required firewall policy rule
- In the opened menu "Expert -> Firewall", click on the name of DEFENDO's Internet interface (usually one of ippp0, adsl0 or eth1)
- The setting "Classification (Trustlevel)" of this interface should be set to "Internet (none)"
In the following examples we assume that adsl0 is the Internet interface. There are two ways to submit a rule which grants access.
Simple way: Application may be run on any machine in the LAN and may contact either any or one specific server in the Internet.
- Change to tab "LAN -> adsl0"
- When running release 5.0 or newer, please select the predefined or previously added protocol. In release 4.2 or below you need to select the IP protocol instead (usually TCP)
- Enter the IP address of the Internet server or leave the field for the destination IP blank to grant access to any Internet server. If your DEFENDO is older than 4.2-2.5, there is no destination IP field and the rule will always grant access to any server
- Up to release 4.2 you will also have to specify the application's port number
- Finally add the rule and apply the changes
Detailed way: Only specific local machines and/or a specific Internet network may be used
- Change to tab "* -> adsl0"
- Beginning with release 5.0, please select the predefined or previously added protocol. Up to release 4.2 you need to select the IP protocol (usually TCP)
- To allow the connection for a single local machine only, fill in its IP below "Src.IP". Leave the "Netmask" blank. If in contrast any LAN IP should be allowed, fill in the local network address as "Src.IP" along with the corresponding netmask
- In release 4.2 and older, you can enter the source port here. For most TCP applications you may enter 1024:65535. Otherwise leave "Src.port" blank
- To grant access to one specific Internet server, fill in its address below "Dest.IP". Leave the field blank if connections may address any Internet server. In both cases "Netmask" has to be empty. Otherwise, if you want to allow a whole destination network, please fill in the network address and its corresponding netmask.
- Up to the 4.2 releases you will also have to enter the port number of the application below "Dest.port"
- Enable the NAT option
- Add the new rule and apply the changes