6.3. Packet filter

From Firewall > Packet filter you can configure the packet filter rules. You may use the abstractions described above, such as network services and network objects; using them makes the rules more flexible and readable and reduces the number of rules needed.

There are five different traffic flows for which you can set firewall rules:

From internal networks to eBox

These rules control access from the internal network interfaces to services running on the eBox machine itself. Several eBox modules add filtering rules for you so that their services can be managed easily.

For internal networks

These rules allow you to control access from your internal networks to the Internet, and traffic between your internal networks.

Coming out from eBox

These rules allow you to control access from eBox to external services.

From external networks to eBox

These rules allow you to control access from external networks to services running on your eBox machine.

From external networks to internal networks

These rules allow you to control access from external networks to internal networks.

Note that the last two rule sets grant untrusted networks access to the networks you manage, which may compromise your network security. Following eBox's secure-by-default policy, do not modify these rules unless you know what you are doing. Figure 6.1 illustrates the concept:

Figure 6.1. Firewall rules set

The eBox firewall's deny policy is a silent one: every denied packet is filtered and discarded without any notification to the sender.

Each rule set defines a fixed behaviour for the traffic flow it applies to. Rules are matched from top to bottom, so their order matters. Each rule consists of the following fields; some of them are only available in certain rule sets by construction:

Decision

Accept or deny. This explicitly accepts or denies the traffic flow.

Source

The origin of the traffic flow. It may be a network object or a single IP address. This field is available in every rule set except "Filtering rules for traffic coming out from eBox".

Destination

The target of the traffic flow. It may be a network object or a single IP address. This field is available for the "For internal networks", "Coming out from eBox" and "From external networks to internal networks" rule sets.

Service

The service of the traffic flow, as described in Chapter 5. The match can be inverted, i.e. the rule then matches every service except the selected one; the inverse of the "any" service is therefore the "none" service. This is a compulsory field, so a network service must exist before a rule can be created; if it does not, create it first.

Description

An optional description to ease the firewall rule set management.
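To make the top-to-bottom evaluation, the inverse service match and the silent default deny concrete, here is an added Python model of a rule set. It is an illustration written for this page, not eBox's own code; the Service and Rule types, the first-match-wins evaluation and the network values are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Minimal model of an eBox packet filter rule set (constructed for illustration,
# not eBox's implementation). Services and network objects are the abstractions
# the chapter describes; evaluation is first match, top to bottom.

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str            # "tcp", "udp" or "any"
    port: Optional[int]      # None matches any port

@dataclass(frozen=True)
class Rule:
    decision: str                      # "accept" or "deny"
    service: Service
    source: Optional[str] = None       # network object (CIDR) or single IP; None = any
    destination: Optional[str] = None
    inverse: bool = False              # invert the service match
    description: str = ""

ANY = Service("any", "any", None)     # its inverse matches nothing ("none")

def in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ip_address(addr) in ip_network(net, strict=False)

def service_matches(svc: Service, proto: str, port: int) -> bool:
    return svc.protocol in ("any", proto) and svc.port in (None, port)

def rule_matches(r: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    if not (in_net(src, r.source) and in_net(dst, r.destination)):
        return False
    return service_matches(r.service, proto, port) != r.inverse

def decide(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """Decision of the first matching rule; anything unmatched hits the default deny."""
    for r in rules:
        if rule_matches(r, src, dst, proto, port):
            return r.decision
    return "deny"      # silently dropped, no notification to the sender

# Constructed "From internal networks to eBox" rule set.
DNS = Service("dns", "udp", 53)
LAN, GUESTS, EBOX = "192.168.1.0/24", "192.168.50.0/24", "192.168.1.1"
RULES = [
    Rule("deny", DNS, source=GUESTS, inverse=True, description="guests: anything but DNS is denied"),
    Rule("accept", ANY, source=LAN, description="trusted LAN may use every eBox service"),
    Rule("accept", DNS, description="DNS allowed from any other internal address"),
]
```

Swapping the first two rules changes the outcome for nothing here, but moving the DNS accept above the guest deny would let guest DNS through before the inverse rule is consulted, which is why order matters.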