Introduction to the Firewall Rules screen

This section provides an introduction and overview of the Firewall Rules screen located at Firewall > Rules. This page lists the WAN ruleset to start with, which by default has no entries other than those for Block private networks and Block bogon networks if those options are active on the WAN interface, as shown in Figure Default WAN Rules.

Tip

Click fa-cog to the right of the Block private networks or Block bogon networks rules to reach the WAN interface configuration page where these options can be enabled or disabled. (See Block Private Networks and Block Bogon Networks for more details.)

Figure: Default WAN Rules (../_images/firewall-wan-rules.png)

Click the LAN tab to view the LAN rules. By default, the only entries are the Default allow LAN to any rules for IPv4 and IPv6 as seen in Figure Default LAN Rules, and the Anti-Lockout Rule if it is active. The anti-lockout rule is designed to prevent administrators from accidentally locking themselves out of the GUI. Click fa-cog next to the anti-lockout rule to reach the page where this rule can be disabled.

See also

For more information on how the Anti-Lockout Rule works and how to disable the rule, see Anti-lockout Rule and Anti-lockout.

Figure: Default LAN Rules (../_images/firewall-lan-rules.png)

To display rules for other interfaces, click their respective tabs. OPT interfaces will appear with their descriptive names, so if the OPT1 interface was renamed DMZ, then the tab for its rules will also say DMZ.

To the left of each rule is an indicator icon showing the action of the rule: pass (fa-check), block (fa-times), or reject (fa-hand-stop-o). If logging is enabled for the rule, fa-tasks is shown in the same area. If the rule has any advanced options enabled, an fa-cog icon is also displayed. Hovering the mouse cursor over any of these icons will display text explaining their meaning. The same icons are shown for disabled rules, except the icon and the rule are a lighter shade of their original color.

Adding a firewall rule

To add a rule to the top of the list, click fa-level-up Add.

To add a rule to the bottom of the list, click fa-level-down Add.

To make a new rule that is similar to an existing rule, click fa-clone to the right of the existing rule. The edit screen will appear with the existing rule’s settings pre-filled, ready to be adjusted. When duplicating an existing rule, the new rule will be added directly below the original rule. For more information about how to configure the new rule, see Configuring firewall rules.

Editing Firewall Rules

To edit a firewall rule, click fa-pencil to the right of the rule, or double click anywhere on the line.

The edit page for that rule will load, and from there adjustments are possible. See Configuring firewall rules for more information on the options available when editing a rule.

Moving Firewall Rules

Rules may be reordered in two different ways: Drag-and-drop, and using select-and-click.

To move rules using the drag-and-drop method:

  • Move the mouse over the firewall rule to move; the cursor will change to indicate movement is possible.
  • Click and hold the mouse button down
  • Drag the mouse to the desired location for the rule
  • Release the mouse button
  • Click fa-save Save to store the new rule order

Warning

Attempting to navigate away from the page after moving a rule, but before saving the new order, will result in the browser presenting a prompt asking whether or not to leave the page. If the browser navigates away from the page without saving, the rule will still be in its original location.

To move rules in the list in groups or by selecting them first, use the select-and-click method:

  • Check the box to the left of the rules which need to be moved, or single click the rule. When the rule is selected, it will change color.

  • Click fa-anchor on the row below where the rule should be moved.

    Tip

    Hold Shift before clicking the mouse on fa-anchor to move the rule below the selected rule instead of above.

When moving rules using the select-and-click method, the new order is stored automatically.

Deleting Firewall Rules

To delete a single rule, click fa-trash to the right of the rule. The firewall will present a confirmation prompt before deleting the rule.

To delete multiple rules, check the box at the start of the rows that should be removed, then click the fa-trash Delete button at the bottom of the list. Rules may also be selected by single clicking anywhere on their line.

Disabling and Enabling Firewall Rules

To disable a rule, click fa-ban at the end of its row. The appearance of the rule will change to a lighter shade to indicate that it is disabled and the fa-ban icon changes to fa-check-square-o.

To enable a rule which was previously disabled, click fa-check-square-o at the end of its row. The appearance of the rule will return to normal and the enable/disable icon will return to the original fa-ban.

A rule may also be disabled or enabled by editing the rule and toggling the Disabled checkbox.

Rule Separators

Firewall Rule Separators are colored bars in the ruleset that contain a small bit of text, but do not take any action on traffic. They are useful for visually separating or adding notes to special parts of the ruleset. Figure Firewall Rule Separators Example shows how they can be utilized to group and document the ruleset.

Figure: Firewall Rule Separators Example (../_images/firewall-rule-separators.png)

To create a new Rule Separator:

  • Open the firewall rule tab where the Rule Separator will reside
  • Click fa-plus Separator
  • Enter description text for the Rule Separator
  • Choose the color for the Rule Separator by clicking the fa-circle icon of the desired color
  • Click and drag the Rule Separator to its new location
  • Click fa-save Save inside the Rule Separator to store its contents
  • Click fa-save Save at the bottom of the rule list

To move a Rule Separator:

  • Open the firewall rule tab containing the Rule Separator
  • Click and drag the Rule Separator to its new location
  • Click fa-save Save at the bottom of the rule list

To delete a Rule Separator:

  • Open the firewall rule tab containing the Rule Separator
  • Click fa-trash inside the Rule Separator on the right side
  • Click fa-save Save at the bottom of the rule list

Rule Separators cannot be edited. If a change in text or color is required, create a new Rule Separator and delete the existing entry.

Tracking Firewall Rule Changes

When a rule is created or updated, the firewall records the user’s login name, IP address, and a timestamp on the rule to track who added and/or last changed the rule in question. If the firewall automatically created the rule, that is also noted. This is done for firewall rules as well as port forwards and outbound NAT rules. An example of a rule update tracking block is shown in Figure Firewall Rule Time Stamps; it is visible at the very bottom of the rule editing screen when editing a firewall rule.

Figure: Firewall Rule Time Stamps (../_images/firewall-rule_timestamps.png)