Implicit filter rules

This screen shows that it is possible to automatically generate various IP filter rules in order to allow the use of some of the firewall’s services. If a service is enabled, the firewall will automatically create the necessary filter rules, without having to create “explicit” rules in the filter policy.

To detect and block SYN Flood attacks against the firewall’s internal services, implicit rules applying to the firewall’s internal services must be disabled and replaced with equivalent explicit rules. In this case, the firewall will generate specific logs that allow logging denial of service attempts by way of such attacks.

Rule table

The table contains the following columns:

Enabled Displays the status of the rule. Double-click to enable/disable the implicit rule.
Name Displays the name of the implicit rule. This name cannot be modified;

The following rules appear in the Name column:

  • Allow access to the PPTP server: users can contact the firewall via PPTP to access the server, if it has been enabled.
  • Allow mutual access to the administration server (port 1300) between the members of a firewall cluster (HA): this allows the different members of the HA cluster to communicate with each other.
  • Allow ISAKMP (UDP port 500) and the ESP protocol for IPsec VPN peers: IPsec VPN peers will be able to contact the firewall through both of these protocols which make it possible to secure data circulating over IP traffic.
  • Allow protected interfaces to access the firewall's DNS service (port 53): users can contact the DNS service and therefore use the DNS cache proxy if it has been enabled.
  • Block and reinitialize ident requests (port 113) for modem interfaces (dialup).
  • Block and reinitialize ident requests (port 113) for ethernet interfaces.
  • Allow protected interfaces (serverd) to access the firewall's administration server (port 1300): administrators will be able to log in via their internal networks to port 1300 on the firewall. This service is used especially by Stormshield's related tools (e.g., Stormshield Network Centralized Management).
  • Allow protected interfaces to access the firewall's SSH port: enables access to the firewall via SSH in order to log in using command lines from a host located on the internal networks.
  • Allow interfaces associated with authentication profiles (Authd) to access the authentication portal and the SSL VPN: a rule allowing access to the https service (port 443) will be created for each interface associated with an authentication profile that has enabled the captive portal. Users can then authenticate and access the SSL VPN from the networks corresponding to these interfaces.
  • Allow access to the firewall’s web administration server (WebAdmin): administrators will be able to log on to the web administration interface.

    This rule allows access to the captive portal, and therefore the web administration interface for all users connected from a protected interface. To restrict access to web administration (/admin/ directory), define one or several hosts in the System module > Configuration > Firewall administration tab. A table will allow you to restrict access to these pages at the web application level.

  • Allow "Bootp" requests with an IP address specified for relaying DHCP requests: BOOTP service (Bootstrap Protocol) requests to a DHCP server relayed by the firewall are allowed when they use an IP address specified in the configuration of the DHCP relay (option “IP address used to relay DHCP queries”). This option is used for relaying the DHCP queries of remote users through an IPsec tunnel to an internal server.
  • Allow clients to reach the firewall SSL VPN service on TCP and UDP ports: connections relating to the setup of the SSL VPN tunnel are allowed on TCP and UDP ports.
  • Allow router solicitations (RS) in multicast or directed to the firewall: if IPv6 support has been enabled on the firewall, IPv6 nodes may send router solicitations (RS) in multicast or to the firewall.
  • Allow requests to DHCPv6 server and DHCPv6 multicast solicitations: If IPv6 support has been enabled on the firewall, DHCPv6 clients may send solicitation requests to the server or DHCPv6 relay on the firewall.
  • Do not log IPFIX packets in IPFIX traffic: this rule makes it possible to not include the packets that are needed for running the IPFIX protocol in logs sent to the IPFIX collector(s).

  • Allow IGMP and PIM packets to be received for dynamic multicast routing to function: with this rule, you do not need to reject IGMP and PIM packets going to the firewall when you configure dynamic multicast routing.

The following actions may be dangerous:
  • Disabling the “Serverd” rule: in the absence of an explicit rule, may cause users to no longer have access to Stormshield's related tools using port 1300 (e.g., Stormshield Network Centralized Management).
  • Disabling the “WebAdmin” rule: you will no longer have access to the web administration interface, unless an explicit rule allows it.

Advanced configuration

Include outgoing implicit rules for hosted services (indispensable) This checkbox, selected by default, enables outgoing implicit rules for services hosted by the firewall.
Previously, this feature, which was found in earlier versions of the firmware, could only be modified in CLI.

These rules are indispensable for the proper operaion of the firewall. They need to be explicitly defined in the filter policy if this checkbox has been unselected.