Implicit filter rules

This screen shows that it is possible to automatically generate various IP filter rules in order to allow the use of some of the firewall’s services. If a service is enabled, the firewall will automatically create the necessary filter rules, without having to create “explicit” rules in the filter policy.

The mechanism that detects and blocks SYN Flood attacks that target hosts in the internal network can be extended to protect the firewall’s internal services. In this case, the firewall will generate specific logs that allow logging denial of service attempts by way of such attacks. To enable this additional protection, implicit rules to the firewall's internal services must be disabled and replaced with equivalent explicit rules.

Rule table

The table contains the following columns:

On Status of the rule:
Enabled/ Disabled: Click on the field to enable/disable the creation of one or several implicit riles.
The rule Allow external (unprotected) interfaces (Authd_ext) to access the authentication portal and the SSL VPN has been disabled by default.
Name Name of the implicit rule: this name cannot be modified.

The following rules appear in the “Name” column:

  • Allow interfaces associated with authentication profiles (Authd) to access the authentication portal and the SSL VPN: a rule allowing access to the https service (port 443) will be created for each interface associated with an authentication profile that has enabled the captive portal. Users can then authenticate and access the SSL VPN from the networks corresponding to these interfaces.
  • Block and reinitialize ident requests (port 113) for modem interfaces (dialup).
  • Block and reinitialize ident requests (port 113) for ethernet interfaces.
  • Allow protected interfaces to access the firewall's DNS service (port 53): users can contact the DNS service and therefore use the DNS cache proxy if it has been enabled.
  • Allow mutual access to the administration server (port 1300) between the members of a firewall cluster (HA): this allows the different members of the HA cluster to communicate with each other.
  • Allow access to the PPTP server: users can contact the firewall via PPTP to access the server, if it has been enabled.
  • Allow protected interfaces (serverd) to access the firewall's administration server (port 1300): administrators will be able to log on via their internal networks to port 1300 on the firewall. This service is used especially by Stormshield Network Real-Time Monitor.
  • Allow protected interfaces to access the firewall's SSH port: allows opening access to the firewall via SSH in order to log on using command lines from a host located on the internal networks.
  • Allow ISAKMP (UDP port 500) and the ESP protocol for IPSec VPN peers: IPSec VPN peers will be able to contact the firewall through both of these protocols that allow securing data circulating over IP traffic.
  • Allow access to the firewall’s web administration server (WebAdmin): administrators will be able to log on to the web administration interface.

    This rule allows access to the captive portal, and therefore the web administration interface for all users connected from a protected interface. To restrict access to web administration (“/admin/” directory), define one or several hosts in the menu System\ Configuration\ Firewall administration tab. A table will allow you to restrict access to these pages at the web application level.

  • Allow "Bootp" requests with an IP address specified for relaying DHCP requests: BOOTP service (Bootstrap Protocol) requests to a DHCP server relayed by the firewall are allowed when they use an IP address specified in the configuration of the DHCP relay (option “IP address used to relay DHCP queries”). This option is used for relaying the DHCP queries of remote users through an IPSec tunnel to an internal server.
  • Allow clients to reach the firewall SSL VPN service on the HTTPS port: Connections relating to the setup of the SSL VPN tunnel are allowed on the HTTPS port.
  • Allow router solicitations (RS) in multicast or directed to the firewall:
    If IPv6 support has been enabled on the firewall, IPv6 nodes may send router solicitations (RS) in multicast or to the firewall.
  • Allow requests to DHCPv6 server and DHCPv6 multicast solicitations: If IPv6 support has been enabled on the firewall, DHCPv6 clients may send solicitation queries to the server or DHCPv6 relay on the firewall.
  • Do not log IPFIX packets in IPFIX traffic: this rule makes it possible to not include the packets that are needed for running the IPFIX protocol in logs sent to the IPFIX collector(s).

The following actions may be dangerous:

  • Disabling the “Serverd” rule: in the absence of an explicit rule, may cause users to no longer have access to tools using port 1300, namely Stormshield Network RealTime Monitor, GlobalAdmin, Stormshield Network Centralized Management and Stormshield Network Event Analyzer.
  • Disabling the “WebAdmin” rule: you will no longer have access to the web administration interface, unless an explicit rule allows it.

Advanced properties

Include outgoing implicit rules for hosted services (indispensable) This checkbox, selected by default, enables outgoing implicit rules for services hosted by the firewall.
Previously, this feature, which was found in earlier versions of the firmware, could only be modified in CLI.

These rules are indispensable for the proper operaion of the firewall. They need to be explicitly defined in the filter policy if this checkbox has been unselected.