###############################################
Atomic Ossec Firewall Configuration
###############################################


How the Firewall Works
======================

The AEO stateful packet inspection firewall works much like other host firewalls. It loads rules into the Linux kernel's netfilter engine (the same engine that iptables manages), and those rules govern how the kernel handles network traffic. Rules are evaluated in a "first match wins" manner. That means rules are checked in order, and the first rule that matches a packet "wins": once a rule has allowed or blocked the packet, no later rule is consulted. For example, if you have two firewall rules in this order:

   1. Allow traffic on port 80
   
   2. Block all traffic
   
   
Let's say a connection comes in on port 80. The firewall runs through the rules in the order you configured them. In the example above, the first rule says to allow traffic on port 80. This connection is to port 80, so the rule matches, the traffic is allowed, and processing stops. There is nothing else for the firewall to do; it has allowed the traffic, so it is done.

However, let's say a packet comes in on port 23. The firewall runs through the rules again, and this time rule 1 does not match: this is a request to port 23, not port 80. So processing continues. Rule 2 says to block all traffic, so it matches, because "all traffic" means all traffic, including this request to port 23. The firewall blocks the request and processing stops, because there is nothing else to do once the connection has been blocked.

Here's another example. Let's say your firewall rules are in this order:

   1. Block all traffic
   
   2. Allow traffic on port 80
   
 
In this case, a connection coming in on port 80 will be blocked. Even though rule #2 says to allow it, it will be blocked. Let's review why.

When the request comes in, the firewall looks at its rules. Rule #1 says to block all traffic, so it blocks the request, and as the traffic has been blocked there is nothing else to do. This is a common and important mistake: even though there is a later rule that says to allow traffic on port 80, rule #2 will never match anything, because rule #1 matched first, blocked the traffic and ended processing. A rule that can never be reached because an earlier, broader rule always matches first is said to be "shadowed". Rules are processed in order, and the first match always wins.

**This is why firewall rules are called rules.** They aren't configuration options, they are strict rules, and order always matters. If a request matches a rule, that rule applies as long as no rule before it applies. Remember, rules are processed in order, 1, 2, 3, 4, etc. When a match occurs, the action happens, and if that action is to block or allow something, it doesn't matter what any later rules say; the currently matching rule always "wins".

This is normal behaviour for netfilter and for most firewalls. Rules are processed in order, so **the order of rules is the most important factor in how a firewall will behave.** Make sure you understand the order of your rules to ensure that they are performing as you expect. Most firewall rule problems are due to order. If you are unsure how a change will behave, list the active rules with their positions (for example with ``iptables -L INPUT -n --line-numbers``) and walk through them top to bottom for the packet you have in mind.
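The following is an added example, not AEO code: a small Python simulator of first-match evaluation. It runs both orderings above against the same two packets and also flags rules that are shadowed by an earlier, broader rule, which is the check you want before trusting a rule order. The ``Rule`` fields, the packet dictionary layout and the function names are assumptions made for the demonstration; the sample packets are constructed.

```python
"""First-match-wins evaluation, as netfilter does it.

Added example for illustration, not AEO code. The Rule/packet shapes are
assumptions; the packets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP" (both end processing)
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    src: Optional[str] = None    # None matches any source, else a CIDR

    def matches(self, pkt: dict) -> bool:
        """True if this rule applies to the packet (every set field must agree)."""
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            addr = ipaddress.ip_address(pkt["src"])
            if addr.version != net.version or addr not in net:
                return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule,
        i.e. placing this rule earlier makes `other` unreachable (shadowed)."""
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.dport is not None and self.dport != other.dport:
            return False
        if self.src is not None:
            if other.src is None:
                return False
            mine = ipaddress.ip_network(self.src, strict=False)
            theirs = ipaddress.ip_network(other.src, strict=False)
            if mine.version != theirs.version or not theirs.subnet_of(mine):
                return False
        return True


def evaluate(rules: List[Rule], pkt: dict, policy: str = "ACCEPT") -> Tuple[str, int]:
    """Walk the chain top to bottom; return (action, index of the rule that fired).
    Index -1 means no rule matched and the chain's default policy applied."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return policy, -1


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# The two orderings discussed above.
ALLOW_THEN_BLOCK = [Rule("ACCEPT", proto="tcp", dport=80), Rule("DROP")]
BLOCK_THEN_ALLOW = [Rule("DROP"), Rule("ACCEPT", proto="tcp", dport=80)]

# Constructed sample packets (RFC 5737 documentation addresses).
PACKETS = [
    {"proto": "tcp", "dport": 80, "src": "203.0.113.5"},
    {"proto": "tcp", "dport": 23, "src": "203.0.113.5"},
]

if __name__ == "__main__":
    for name, chain in (("allow-then-block", ALLOW_THEN_BLOCK),
                        ("block-then-allow", BLOCK_THEN_ALLOW)):
        for pkt in PACKETS:
            action, idx = evaluate(chain, pkt)
            print(f"{name}: port {pkt['dport']} -> {action} (rule {idx})")
        print(f"{name}: shadowed rules: {shadowed_rules(chain)}")
```

Running it shows the first ordering accepting port 80 and dropping port 23, the second ordering dropping both, and ``shadowed_rules`` reporting rule 1 of the second ordering as unreachable. The same ``covers`` test generalises to source-restricted rules: an earlier "drop from 198.51.100.0/24" shadows a later "accept 198.51.100.7 to port 22", which is exactly the mistake the text warns about.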


---------

Firewall Log Messages
=====================

For more information about firewall log messages, please see this `article`_

.. _article: logs.html

-------------

Firewall Configuration via the Web Console
==========================================

To access the  firewall configuration:

   1. Log into the AEO Web Console.
   
   2. Click on Hub Configuration
   
   3. Select 'Firewall' menu option


   
Basic Firewall Policy
======================
   
   **Enable AWP Network Firewall**
      * Enable the AWP firewall Default:[yes] 

   **Enable IPSET Firewall Detection**
      * Enable detection for Ipset firewall support. Note: This only detects support for ipsets, the kernel must support the functionality in order to become available. Default:[yes]     
   
   **Enable IPv6 Networking**
      * Enable IPv6 Networking. Note: This just activates/deactivates the functionality in the kernel. Default:[yes]

   **Flush ESTABLISHED,RELATED rules on denylist updates**
      * Clear the tracked connection table on a denylist update. Established connections may be disrupted when this is enabled. Default:[no]

   **Enable AWP Network Firewall IPS**
      * Enable the AWP firewall IPS. Default:[yes]

   **Enable AWP Network Firewall IPS event logging**
      * Enable logging of AWP firewall IPS events. Default:[yes]

   **Inbound TCP Services (FW_INBOUND_TCP_SERVICES)**
      * Basic list of allowed inbound TCP services, comma delimited. Example: 22,25,80 Default:[no]

         * Default: with the default of "no", AEO does not filter inbound TCP ports at all, meaning all ports are open. Ports are only closed once you define a list here, at which point only the listed ports are open.
         * Example: 22,21,25,53,80,30001
         * Ranges are supported with the : (colon) delimiter, for example 6000:6010
         * Additional Options:
            * no - Setting this to "no" will remove all blocks, and will allow all TCP ports to be accessed.
            * (blank) - Removing everything from this field and leaving it blank will block all inbound access to TCP ports. Do not confuse this with "no": blank is the most restrictive setting, "no" is the least restrictive.

      
         * If you use a control panel, some vendors provide a list of recommended ports you should have open for your control panel. The following links are to those vendors websites. Any questions about these recommended ports should be directed to the respective vendor.
		 
            * `Cpanel Ports`_ 
			
               .. _Cpanel Ports: https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-configure-your-firewall-for-cpanel-services/
			   
            * `Webadmin Ports`_
			
               .. _Webadmin Ports: http://www.webmin.com/firewall.html
			   
            * `Parallels Plesk Ports`_
			
               .. _Parallels Plesk Ports: https://docs.plesk.com/en-US/12.5/administrator-guide/plesk-administration/ports-used-by-plesk.64950/
			   
            * `DirectAdmin Ports`_
			
               .. _DirectAdmin Ports: https://docs.directadmin.com/operation-system-level/securing/firewall.html
			   
         
   **Inbound UDP Services (FW_INBOUND_UDP_SERVICES)**
      * Basic list of allowed inbound UDP services, comma delimited. Example: 53,515 Default:[no]

         * Default: with the default of "no", AEO does not filter inbound UDP ports at all, meaning all ports are open. Ports are only closed once you define a list here, at which point only the listed ports are open.

         * Example: 53,123,1514

      * Setting this to "no" will remove all blocks, and will allow all UDP ports to be accessed. Setting this to (blank) will block all inbound access to UDP ports.
		

   **Outbound TCP Services (FW_OUTPUT_TCP_SERVICES)**

      * Basic list of allowed outbound TCP services, comma delimited. Example: 25,80 Default:[no]


   **Outbound UDP Services (FW_OUTPUT_UDP_SERVICES)**

      * Basic list of allowed outbound UDP services, comma delimited. Example: 53,1514 Default:[no]
	  
	  
.. note:: At a minimum, to use AEO you will need to ensure that *port 30001/tcp* is open inbound to your system for the UI. If you use a control panel such as Plesk or cPanel, please check with your provider for their port requirements and adjust the settings in the Atomic UI as appropriate
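An added example, not AEO code, of how to parse and sanity-check an Inbound or Outbound Services value before applying it. It implements the three cases described above ("no" means no filtering, blank means everything blocked, otherwise a comma list with ``:`` ranges) and the check from the note above that 30001/tcp stays reachable for the UI, so a typo in the list cannot lock you out. The function names and the tolerance of a trailing comma are assumptions.

```python
"""Parse and sanity-check FW_INBOUND_*_SERVICES / FW_OUTPUT_*_SERVICES values.

Added example, not AEO code. Semantics follow the descriptions on this page:
"no" = no port filtering (everything open), blank = everything blocked,
otherwise a comma list of ports and low:high ranges. Function names are
assumptions.
"""
from typing import Iterable, List, Optional, Tuple

MAX_PORT = 65535
Ranges = Optional[List[Tuple[int, int]]]   # None = unfiltered, [] = all blocked


def parse_services(value: str) -> Ranges:
    """Return None for "no", [] for blank, else inclusive (low, high) ranges.
    Raises ValueError on a malformed port or range."""
    text = value.strip()
    if text.lower() == "no":
        return None
    if not text:
        return []
    ranges: List[Tuple[int, int]] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a stray trailing comma (assumption)
        low, _, high = item.partition(":")
        try:
            lo = int(low)
            hi = int(high) if high else lo
        except ValueError:
            raise ValueError(f"not a port or port range: {item!r}") from None
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port out of range or reversed range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def port_allowed(ranges: Ranges, port: int) -> bool:
    """Would a connection to `port` pass this setting?"""
    if ranges is None:
        return True
    return any(lo <= port <= hi for lo, hi in ranges)


def validation_error(value: str) -> Optional[str]:
    """Human-readable reason a value is malformed, or None if it parses."""
    try:
        parse_services(value)
    except ValueError as exc:
        return str(exc)
    return None


def missing_required(value: str, required: Iterable[int] = (30001,)) -> List[int]:
    """Ports that must stay open (30001/tcp for the AEO UI, per the note above)
    but that this value would block. An empty list means it is safe to apply."""
    ranges = parse_services(value)
    return [p for p in required if not port_allowed(ranges, p)]


if __name__ == "__main__":
    for candidate in ("no", "", "22,21,25,53,80,30001", "22,80:443", "22,70000"):
        err = validation_error(candidate)
        if err:
            print(f"{candidate!r}: REJECTED ({err})")
        else:
            print(f"{candidate!r}: ranges={parse_services(candidate)} "
                  f"blocks UI port: {missing_required(candidate)}")
```

Note the asymmetry the text describes: ``"no"`` parses to "no filtering" while ``""`` parses to "no open ports", so a script that blanks the field to "disable" filtering does the opposite of what was intended. For the outbound lists pass your own ``required`` set, since the 30001 requirement applies to inbound traffic only.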

   **Apply global accesslist to firewall**

      * This allows you to apply the global accesslist to the firewall. This means any host on the global accesslist will be able to connect to any port, at any rate and as many times as they want. Accesslisted hosts are automatically not shunned. There is no need to activate this to prevent shunning of accesslisted hosts, this simply disables the firewall for accesslisted systems. Default:[yes]

   
   **Apply global accesslist to firewall for hostnames**

      * This allows you to apply the global accesslist to the firewall using hostnames. This means any host on the global accesslist will be able to connect to any port, at any rate and as many times as they want. Accesslisted hosts are automatically not shunned. There is no need to activate this to prevent shunning of accesslisted hosts, this simply disables the firewall for accesslisted systems. Default:[no]
	  
	  
   **Log accesslisted connections from the FW_DYN_ACCESSLIST**
   
      * Log connections or packets that are accepted because the source is on the FW_DYN_ACCESSLIST accesslist. Default:[no]
	  
	  
   **Log accesslisted connections**
   
      * Log connections or packets that are accepted because the source is on the global accesslist. Default:[no]
	  
	  
   **Rate Limit TCP and UDP connections**
   
      * This allows you to limit the rate of connections to TCP and UDP ports, as well as the maximum number of connections a single IP can have to a port. This is configured in the /etc/asl/firewall/rate-limit-tcp file for TCP, and /etc/asl/firewall/rate-limit-udp for UDP. Default:[no]
      

   **Log Packets dropped by rate limiter**

      * This logs packets or connections that are dropped when the Rate Limit option above is used. Default:[yes]

      .. note:: The "Rate Limit TCP and UDP connections" option above must be set to [yes] for this option to take effect.


   **Outbound SMTP Access Control List (ACL)**
   
      * Outbound MTA policy, enabling this rule class will only allow outbound tcp/25,465,587 connections for users in the access list /etc/asl/firewall/mta-output-acl Default:[no]
      
	  
   **Outbound DNS Access Control List (ACL)**

      * Outbound DNS policy, enabling this rule class will only allow outbound DNS connections for users in the access list /etc/asl/firewall/dns-output-acl Default:[no]

   **Outbound NTP Access Control List (ACL)**
   
      * Outbound NTP policy, enabling this rule class will only allow NTP connections for users in the access list /etc/asl/firewall/ntp-output-acl Default:[no]
	  
	  
   **Outbound RDATE Access Control List (ACL)**
   
      * Outbound RDATE policy, enabling this rule class will only allow RDATE connections for users in the access list /etc/asl/firewall/rdate-output-acl Default:[no]
	  
	  
   **Plesk Update policy**
   
      * Enable/Disable Plesk keyserver update firewall policy. Default:[no]


   **Spamassassin Update policy**

      * Enable/Disable Spamassassin update firewall policy for support packages DCC, Razor, and Pyzor. Default:[no]

Port Knocking
============== 
   
   **Portknocking Protection Engine**
   
      * Enable/Disable the portknocking protection engine. Default:[no]
	  
      .. note:: Please read the `portknocking`_ documentation on this feature before using it. This will require the use of a special client or telnet sequence to open the port. 
	  
      .. _portknocking: portknocking.html
	  
	  
   **Simple Portknocking Protection Engine**
   
      * Enable/Disable the use of simple portknocking protection. Default:[no]
	  
	  
   **Log: Simple Portknocking Protection Knock**
   
      * Enable/Disable logging of the knock packet. Default:[yes]
	  
	  
   **Log: Simple Portknocking Protection Allowed**
   
      * Enable/Disable logging of the allowed knock connection. Default:[yes]
	  
	  
   **Advanced Portknocking**
   
      * Enable/Disable the use of advanced Single Packet Authorization (SPA) portknocking protection. This uses One Time Passwords, which limits the knock to one per minute (because of the epoch_min). Default:[no]
	  
	  
   **Log: Advanced Portknock Knock**
   
      * Enable/Disable logging of the knock packet. Default:[yes]
	  
	  
   **Log: Advanced Portknock Allowed**
   
      * Enable/Disable logging of the allowed knock connection. Default:[yes]

Denylists
==============


   **Denylist: Spamhaus (LASSO)**
   
      * Enable/Disable the Spamhaus Lasso denylist. Default:[no]
	  
   **Log: Spamhaus Denylist (LASSO)**

      * Enable/Disable the logging of Spamhaus Lasso Denylist IPs that are blocked. Default:[yes]

      .. note:: This requires that the Spamhaus (LASSO) denylist (FW_LASSO) be enabled; logging on its own does not block any IPs on the Spamhaus Lasso blacklist.

   **FW_ELASSO**
   
      * Enable/Disable the `Spamhaus`_ ELasso blacklist, an extension of the LASSO list. This includes subnet blocks allegedly controlled by cyber criminals (according to Spamhaus). Default: no

      .. _Spamhaus: https://www.spamhaus.org/

      .. note:: This is a third party list not operated by Atomicorp.
	  
   **FW_ELASSO_LOG**
   
      * Enable/Disable the logging of Spamhaus ELasso Blacklist IPs that are blocked. Default: yes
	  
      .. note:: This requires that FW_ELASSO be enabled to actually block any IPs on the Spamhaus ELasso blacklist.
	  
	  
   **Denylist: C.I. Army**
   
      * Enable/Disable the `C.I. Army blacklist`_. The Collective Intelligence blacklist is a community blacklist of known malicious actors. It is updated weekly. Default: no
	  
      .. _C.I. Army blacklist: http://www.cinsscore.com/#list
	  
      
      .. note:: This is a third party list not operated by Atomicorp.
	  
	  
   **FW_CIARMY_LOG**
   
      * Enable/Disable the logging of C.I. Army Blacklist IPs that are blocked. Default: yes
	  

      .. note:: This requires that the C.I. Army denylist (FW_CIARMY) be enabled to actually block any IPs on the C.I. Army blacklist.

   **Denylist: Dshield**

      * Enable/Disable the `DShield`_ top attackers list. Default:[no]

      .. _DShield: https://www.dshield.org/

      .. note:: This is a third party list not operated by Atomicorp.

   **Log: Dshield Denylist**

      * Enable/Disable the logging of Dshield top attacker IPs that are blocked. Default:[yes]

   **Log: Emerging Threats Denylist**
   
      * Enable/Disable logging of `Emerging Threats`_ RBN IPs that are blocked. Default:[yes]
	  
      .. _Emerging Threats: https://www.proofpoint.com/us
	  
      .. note:: This is a third party list not operated by Atomicorp.
	  
	  
   **Denylist: AutoShun Denylist**
   
      * Enable/Disable the autoshun.org denylist. AutoShun is a community sourced denylist built from Snort IDS reports. Default:[no]
	  
	  
   **Log: AutoShun Denylist**
   
      * Enable/Disable logging of IPs blocked by the AutoShun denylist. Default:[yes]
	  
	  
   **Denylist: Open Proxies**
   
      * Enable/Disable the Open Proxy denylist. Default:[no]
	  
	  
   **Log: Open Proxy Denylist**
   
      * Enable/Disable logging of IPs blocked by the Open Proxy denylist. Default:[yes]
	  
	  
   **Denylist: TOR exit nodes**
   
      * Enable/Disable the TOR exit node list. Default:[no]
	  

Portscan Detection
===================

   **Portscan detection**
   
      * Enable/Disable detection of portscans. Default:[yes]

  
   **Low Level Portscan detection**
   
      * Enable/Disable detection of low level portscans. Default: no 
	  
      .. note:: This uses a different method from the other portscan detectors offered in AEO. You can use them all together, or separately. This method will detect the portscan after it has been carried out, but this information can be useful to block the remote host's future connections. This method will match on the probable last packet the remote side sent to the system.
	  
	  
   **SYN Portscan detection**
   
      * Enable/Disable detection of syn scans. Default: no
	  
      .. note:: Some clients with buggy IP stacks (e.g. Windows XP) may generate traffic that is identical to a SYN scan and therefore cause false alarms with this type of scan detection. Use with caution.

   **STEALTH Portscan detection**

      * Enable/Disable detection of stealthy port scans. Default:[no]

      .. note:: Stealth port scanning is a technique used by attackers to probe for open ports without completing the TCP three-way handshake (for example FIN, NULL and XMAS scans). Because no connection is ever established, the probes never reach the listening application and are not logged by it, which makes the scan hard to notice without detection at the packet level.

   **CONNECT Portscan detection**

      * Enable/Disable detection of connect() port scans. This will detect, and block IPs that have made a full connect() to the system, but then tore down the connection after completion of the 3-way handshake. Most network applications already log these types of connections, so this type of port scan detection is generally not necessary. Default: no
	  
      .. note:: Some network testing tools use connect() scans (connecting to the port, and then tearing down the connection without sending any data) to test if services are up. Enabling this may cause those tools to fail or to be blocked.
	  
	  
   **Grab Portscan detection**
   
      * Enable/Disable detection of grab scans. This detects when a client connects to a port, receives a response and then drops the connection, for example a banner grabbing scan. Default: no
			
	
   **Advanced Portscan detection**
   
      * Enable/Disable the advanced port scan detector. Default:[yes]
	  

   **Portscan detection weight threshold**
   
      * Advanced Portscan detection weight threshold. Default: 21
	  
      .. note:: This is an advanced setting, do not change this setting unless you know what you are doing. 
	  

   **Portscan delay threshold**
   
      * Portscan detection delay threshold. Default: 300
	  
      .. note:: This is an advanced setting, do not change this setting unless you know what you are doing. 
	  
	  
   **Privileged Port Weight (Low)**
   
      * Privileged ports weight (1-1023). Default: 3
	  
      .. note:: This is an advanced setting, do not change this setting unless you know what you are doing. 
	  
	  
   **Privileged Port Weight (High)**
   
      * High (unprivileged) ports weight (1024-65535). Default: 1
	  
      .. note:: This is an advanced setting, do not change this setting unless you know what you are doing. 
	  
Logging
===========	  
   **Log: Active Response drops**
   
      * Enable/Disable the logging of IPs that are blocked by the AEO active response system. Default: yes
	  
   **Redirect: Active Response to Recaptcha**

      * Redirect connections dropped by Active Response to the recaptcha daemon, giving the client a last chance to prove it is a legitimate user and be unshunned. Default: off

   **Active Response Recaptcha unshun limit**

      * Maximum number of recaptcha unshun attempts a source may make in a 24 hour period. Default:5

   **Geoblocking: block traffic to geo destination**

      * Enable/Disable the Geo Destination blocking. Enabling this setting will add an additional policy, that will block all traffic to Geo-Blocked countries. Note that enabling this could affect updater components. Default:[no]

   **Log: Geo-Denylist drops**

      * Enable/Disable the logging of GeoBlock IPs that are blocked. Default:[yes]

ICMP Settings
=============          
   
   **Accept: ICMP redirects**
   
      * This option controls whether the system accepts ICMP redirect messages, which tell a host to change the route it uses for a destination. The setting of "no" is recommended. You should not enable this unless you know what you are doing: a host that accepts redirects lets an attacker on the local network steer its traffic through a machine of the attacker's choosing, which can make it possible to bypass your firewall rules. Default:[no]
	  
	  
   **Ignore: All ICMP traffic**

      * Enable/Disable ignoring all ICMP traffic. Default:[no]

   **Ignore: All ICMP broadcasts**

      * Enable/Disable ignore all ICMP broadcasts. Default:[no]

   **Ignore: Bogus ICMP messages**

      * Enable/Disable ignoring bogus ICMP error responses (for example replies to broadcast frames from routers that violate RFC 1122). When they are ignored the kernel no longer logs warnings about them. Default:[no]

TCP Settings
=============          
   **Drop: IP Blackhole**
   
      * When enabled, neither TCP resets nor ICMP destination-unreachable packets will be sent in response to packets sent to ports for which no associated listening process exists. A port scanner then sees such ports as "filtered" rather than "closed". Default: yes

   **Drop: bad packets**
   
      * Enable/Disable blocking of bad packets. Default:[no]

   **Drop: INVALID packets**
   
      * Enable/Disable blocking of packets that the state engine can not identify with a stateful session. Default:[yes]

   **Log: INVALID packets**
   
      * Enable/Disable the logging of invalid packets that are blocked. Default:[no]	  
	  
   **Drop: Small packets**
   
      * Enable/Disable blocking of packets that are smaller than the protocol allows. Default:[no]

   **Drop: Fragment packets**
   
      * Enable/Disable blocking of fragmented packets. When the firewall rules are stateful, fragments should not reach them, because the connection tracking engine reassembles packets first. If you have configured non-stateful rules, fragments will reach those rules and you will not want to block them. Default:[no]

   **Drop: Broadcast packets**
   
      * Enable/Disable dropping all broadcast packets, and not logging them. Default:[no]

   **Accept: Source routing**
   
      * Enable/Disable accept source routing. Default:[no]

   **IPv4 Forwarding**

      * Enable/Disable IPv4 traffic forwarding. Default:[no]   

   **IPv6 Forwarding**

      * Enable/Disable IPv6 traffic forwarding. Default:[no]

   **Proxy ARP**

      * Enable/Disable proxy arp. Default:[no]

   **Reverse Path Filter**

      * Enable/Disable rp_filter (reverse path filtering, which drops packets whose source address is not reachable via the interface they arrived on, a basic anti-spoofing check). Default:[no]

   **SYN cookies**

      * Enable/Disable SYN cookies. Default:[yes]

   **Explicit Congestion Notification**

      * Enable/Disable Explicit Congestion Notification (ECN). Valid settings are no (always disabled), yes (always enabled), and requested (when remote system requests an ECN connection). Default:[no]

   **TCP Timestamps**

      * Enable/Disable TCP timestamps. Default:[yes]

   **TCP Window Scaling**

      * Enable/Disable TCP Window Scaling. Not all network equipment implements this correctly, if unsure select yes. Default:[yes]

-----------

Advanced Firewall Rule Manager
==============================

The Advanced Rule Manager is designed to let you directly control the net filter engine in Linux through an advanced UI system.

To access the firewall rule manager:

   Step 1: Log into the AEO Web Console. 
   
   Step 2: Click on Hub Configuration 
   
   Step 3: Click on Firewall
   
   This will open the firewall rules window. 
   
   
**Rule Types**

   * The Linux netfilter engine organises rules into tables. The three you will work with here are:
   
      * NAT: Network Address Translation rules. These rules are used to change the source and/or destination of packets.
	  
      * Mangle: These rules are used to modify or "mangle" packets (for example their TTL or packet marks) before they are processed.
	  
      * Filter: These rules are used to filter or "block" packets. These are the most common rules and are probably the type of rule you want if you want to allow or block traffic to a specific port.

         **Filter Subtypes (chains):**
		 
            * Input: These are rules for traffic going to the server itself. These are the most common subtype, and are what you want if you are looking to allow or block traffic to a port.

            * Output: These are rules for traffic originating from the server itself. If you have created INPUT rules that are stateful (checking the "stateful" checkbox), you do not need to create OUTPUT rules for the replies to that traffic: the state engine tracks the connection and automatically allows the server's responses. OUTPUT rules are also different from FORWARD rules. If you are forwarding traffic through your server to a different server, you do not need OUTPUT rules for that traffic. OUTPUT rules are only for connections the server itself initiates, for example when the server connects to a mail server on another host. If the server is merely responding to a connection that another host initiated, and a stateful INPUT rule allowed that connection, you do not need an OUTPUT rule for it.
			
            * Forward: This subtype is for all other traffic that is neither INPUT nor OUTPUT. Specifically, this is traffic passing through the server when the server is acting as a classic firewall or router for another system. FORWARD rules have nothing to do with traffic to or from the server itself.


**Jump Targets**

   * In Linux these tell the rule where to "jump", i.e. which action to take. This is how you tell Linux what to do, such as allow, deny or something else, when the rule matches.

      * ACCEPT: Accept the traffic. This will allow the traffic.

      * DROP: Silently drop the packet. The client will get no response from the server and will typically wait until its connection attempt times out.

      * REJECT: Reject the packet and tell the client so. By default the server sends an ICMP destination-unreachable message; iptables can also be told to answer TCP traffic with a TCP reset instead. The client fails immediately rather than waiting for a timeout.


----------------

Using the Firewall Manager
==========================

**Do NOT modify ANY AEO chains:**

   * Do not modify any chains with "AEO" in the name. For example, do not modify the "AEO-Firewall-INPUT" chain. This, and all other AEO-* chains are dynamically modified by AEO on the fly, and changes to these chains may have unpredictable effects and will not be saved by AEO. Your changes will likely be lost, at best, and at worst may cause your system to be unreachable.
   
   * If you want to make changes to your firewall, you may modify other chains, or add your own in whatever order you wish.


**How to Add a Firewall Rule:**

   Step 1: Select the type of rule you want to add from the list above

   Step 2: Select the subtype of the rule you want to add from the list above

   Step 3: From the firewall rule manager, select the subtype. For example, to add a filter -> INPUT rule select "INPUT" under the filter tree branch. This will pull up any INPUT rules you have on the system. To add a new rule select "Add Rule".

   Step 4: Select the subtype by selecting it under "Chain". For example, if you want to add an INPUT rule select Table "filter", this should autoselect "INPUT". If it does not just select INPUT as the "Chain".

   Step 5: Select the command, Append or Insert. In the Linux firewall, Append means to add the rule after all other rules. Linux firewalling is linear, that means it processes the rules in order, "first come first served". Appending places the rule last. Insert places the rule first. With Insert you can also set the rule number in case you prefer that the rule run second, third, etc. Be very careful with Insert, as you can end up setting your rules up in the opposite order of what you want (for example, putting your drop rules before your allow rules).

   Step 6: Select the protocol by clicking on the "n/a" drop down. The drop down before this allows you to add a "negative", for example if you want to add a rule to say "not tcp". If you want this rule to be for TCP, just select tcp in the drop down, and leave the first drop down as "-".

   Step 7: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.

   Step 8: Type in the destination for this rule. If you are creating a rule for the server itself, for example to allow connections to a specific port, just leave this blank.

   Step 9: Type in the source port. If you are a creating a rule to allow connections to the server from another server, leave this blank.

   Step 10: Type in the Destination port. For example, if you want to allow connections to port 22, type in 22.

   Step 11: Set the interface. If you want to set this rule for all interfaces, leave the default of "n/a".

   Step 12: Set the "Jump Target". In Linux this is sort of like the "action". You will see a number of options described above, such as ACCEPT and REJECT. Please see above for more information about these. In general, if you want to allow a connection, select "ACCEPT".

   Step 13: Select Add Rule.

   Your new rule is now implemented.  

	
------------------

Per Port ACLs
=============

These allow you to configure specific IP addresses and networks to be allowed access to specific ports, in a simple manner. For example you could create an access list for SSH that would only allow 3 IPs to connect. Or an access list for SMTP that only allows certain networks to connect, or any combination of these.

Access Control Lists (ACLs) are stored in the following directory: 

   .. code-block:: console

      /etc/AEO/firewall/


**To Create a New Access Control System for a Port:**

   Step 1: Create a file in the ACL directory shown above, using the naming format in Step 2 below.

   Step 2: Naming convention for a file is: INPUT-<name>-<protocol>-<port>-any-acl. For example:

      .. code-block:: console

         INPUT-sshd-tcp-22-any-acl

      
      * INPUT: this defines the chain it goes into, INPUT is the only supported chain right now. In the future we will add support for other chains.

      * name: an arbitrary alphanumeric name (a-z 0-9). This must be unique, as it will be used to name the chain and you can't have duplicate chain names. Example: smtp1

      * protocol: any supported iptables protocol on the system that takes a port as an argument. Examples: tcp, udp

      * port: 1-65535

      * any: RESERVED (do **NOT** change this)

   Step 3: List the IPs or networks to allow, one per line, in the file you created in Step 2. 

   Step 4: If you have listed the port in the global allow list, remove it. If a port is allowed in FW_INBOUND_TCP_SERVICES or FW_INBOUND_UDP_SERVICES, that global allow overrides the ACL and anyone can connect to the port. If you want to use an ACL for a port, do NOT list that port in FW_INBOUND_TCP_SERVICES or FW_INBOUND_UDP_SERVICES.

   Step 5: Reload the firewall policy by running the following command:

      .. code-block:: console

         /etc/init.d/AEO-firewall restart
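
The following added example (not AEO code) checks a set of per-port ACL files before you reload the policy in Step 5: it parses the filename convention from Step 2, validates the address list from Step 3, and applies the Step 4 rule that a port listed in FW_INBOUND_TCP_SERVICES or FW_INBOUND_UDP_SERVICES overrides its ACL. The helper names, the skipping of ``#`` comment lines, and the sample ACL contents are assumptions; the global allow lists are passed in as plain sets of port numbers.

```python
"""Sanity-check per-port ACL files before reloading the firewall policy.

Added example, not AEO code. The filename convention and the "global allow
overrides the ACL" rule come from this page; comment handling, the helper
names and the sample data are assumptions.
"""
import ipaddress
import re
from pathlib import Path
from typing import Dict, Iterable, List, Set, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# INPUT-<name>-<protocol>-<port>-any-acl; name is a-z 0-9, "any" is reserved.
# The page names tcp and udp; extend the alternation only if your iptables
# supports another port-carrying protocol.
ACL_FILENAME = re.compile(
    r"^(?P<chain>INPUT)-(?P<name>[a-z0-9]+)-(?P<proto>tcp|udp)-(?P<port>\d{1,5})-any-acl$"
)


def parse_acl_filename(filename: str) -> Dict[str, object]:
    """Split a filename into its fields; raise ValueError if it breaks the convention."""
    m = ACL_FILENAME.match(filename)
    if not m:
        raise ValueError(f"{filename!r} does not match INPUT-<name>-<tcp|udp>-<port>-any-acl")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"{filename!r}: port {port} out of range 1-65535")
    return {"chain": m.group("chain"), "name": m.group("name"),
            "proto": m.group("proto"), "port": port}


def parse_acl_entries(text: str) -> List[Net]:
    """One address or CIDR per line. Blank lines and '#' comments are skipped
    (an assumption; the page only says one IP per line). Bad lines raise."""
    nets: List[Net] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            raise ValueError(f"line {lineno}: {raw.strip()!r} is not an IP or network") from None
    return nets


def check_acl_set(filenames: Iterable[str], inbound_tcp: Set[int], inbound_udp: Set[int]) -> List[str]:
    """Problems that would make the ACLs fail to load or silently do nothing:
    malformed names, duplicate names (chain names must be unique) and ports
    that are also globally allowed (Step 4), which overrides the ACL."""
    problems: List[str] = []
    seen: Set[str] = set()
    for fn in filenames:
        try:
            acl = parse_acl_filename(fn)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        name, proto, port = acl["name"], acl["proto"], acl["port"]
        if name in seen:
            problems.append(f"duplicate ACL name {name!r}")
        seen.add(name)
        opened = inbound_tcp if proto == "tcp" else inbound_udp
        if port in opened:
            problems.append(f"{proto}/{port} is in FW_INBOUND_{proto.upper()}_SERVICES; ACL {name!r} is overridden")
    return problems


def check_acl_dir(directory: str, inbound_tcp: Set[int], inbound_udp: Set[int]) -> List[str]:
    """Run both checks over every *-any-acl file in the ACL directory (live use)."""
    files = sorted(p for p in Path(directory).iterdir() if p.name.endswith("-any-acl"))
    problems = check_acl_set([p.name for p in files], inbound_tcp, inbound_udp)
    for p in files:
        try:
            parse_acl_entries(p.read_text())
        except ValueError as exc:
            problems.append(f"{p.name}: {exc}")
    return problems


# Constructed sample: an SSH ACL allowing one admin host and one office network.
SAMPLE_SSHD_ACL = """\
# admins only
192.0.2.10
198.51.100.0/24
"""

if __name__ == "__main__":
    print(parse_acl_filename("INPUT-sshd-tcp-22-any-acl"))
    print([str(n) for n in parse_acl_entries(SAMPLE_SSHD_ACL)])
    # 22 is still in the global TCP list here, so the sshd ACL would be bypassed.
    print(check_acl_set(["INPUT-sshd-tcp-22-any-acl", "INPUT-smtp1-tcp-25-any-acl"], {22, 80}, set()))
```

Run ``check_acl_dir`` against the ACL directory with the port sets from your Inbound TCP/UDP Services settings and fix every reported problem before the restart in Step 5; an ACL whose port is still globally allowed loads without error but protects nothing.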

		 
		 
-----------------

Examples of Using Fast/Easy Mode to Add a Firewall Rule
=======================================================

**How to Block All Incoming TCP Connections Except to Certain Ports:**

   Step 1: Log into the AEO GUI

   Step 2: Click the Configuration Tab

   Step 3: Select the AEO Configuration menu option.

   Step 4: Scroll down to Firewall configuration

   Step 5: Enter the list of TCP ports you want to allow into the FW_INBOUND_TCP_SERVICES list. For example:
   
       .. code-block:: console
	   
          21,22,25,80,110,143,443,993,995,8443,30001
		  
   Step 6: Click Update
   
   
Your new rule is now implemented. 


**How to Allow Connections to a Port**

   * To add TCP ports to the allowed inbound list, please see the **FW_INBOUND_TCP_SERVICES** option. 
   
   * To add UDP ports to the allowed inbound list, please see the **FW_INBOUND_UDP_SERVICES** option. 
   

**How to Allow Outbound Connections to a Port**

   * To add TCP ports to the allowed outbound list, please see the **FW_OUTPUT_TCP_SERVICES** option.

   * To add UDP ports to the allowed outbound list, please see the **FW_OUTPUT_UDP_SERVICES** option.
   
----------------------

Examples of Using the Advanced Firewall Manager to Add a Firewall Rule
======================================================================

**How to Block All Incoming Connections to a TCP Port:**

   Step 1: Log into the AEO GUI

   Step 2: Click the Firewall Tab

   Step 3: Select the Firewall Rules menu option.

   Step 4: Click the "Add Rule" button.

   Step 5: For table, select filter.

   Step 6: For Chain select "INPUT"

   Step 7: For command select "Insert"

   Step 8: For protocol select tcp in the drop down, and leave the first drop down as "-".

   Step 9: Type in the source IP/Network for this rule. If you want to block all sources, just leave this blank.

   Step 10: In the Destination port window type in the port number you wish to block. For example, if you want to block connections to port 22, type in 22. Leave the first drop down as "-".

   Step 11: Set the "Jump Target" to "DROP" or "REJECT". DROP silently discards the attempt, so the client cannot tell why it failed and waits for a timeout; REJECT sends an ICMP destination-unreachable message (or, for TCP, optionally a reset) back to the client's network stack, telling it that the connection was refused at the network level.

   Step 12: Then press the Add Rule button.

Your new rule is now implemented.
      
	
**How to Restrict All Incoming Connections to a TCP Port Except from a Specific IP or Network**

This procedure will allow you to create a ruleset to restrict access to a port, except from specific IPs/networks.

   Step 1: Log into the AEO GUI

   Step 2: Click the Firewall Tab

   Step 3: Select the Firewall Rules menu option.

   Step 4: Click the "Add Rule" button.

   Step 5: For table, select filter.

   Step 6: For Chain select "INPUT"

   Step 7: For command select "Insert"

   Step 8: For protocol select tcp in the drop down, and leave the first drop down as "-".

   Step 9: In the "Source:" field, type in the source IP/Network that you wish to allow access to this port.

   Step 10: In the Destination port window type in the port number you wish to restrict access to. For example, if you want to restrict connections to port 22, type in 22. Leave the first drop down as "-".

   Step 11: Set the "Jump Target" to "ACCEPT"; this will allow this IP and/or network to connect to this port.

   Step 12: Then press the Add Rule button.

   Step 13: Continue adding ACCEPT rules for all the IPs and/or networks you want to allow by repeating Steps 1-12.

   Step 14: When you are done adding IPs and/or networks to allow, add the rule that blocks all other IPs/Networks. Click the "Add Rule" button.

   Step 15: For table, select filter.

   Step 16: For Chain select "INPUT"

   Step 17: For command select "Append". Append places this rule below the ACCEPT rules you inserted above, so those rules are matched first.

   Step 18: For protocol select tcp in the drop down, and leave the first drop down as "-".

   Step 19: Type in the source IP/Network for this rule. If you want to block all sources, just leave this blank.

   Step 20: In the Destination port window type in the port number you wish to block. For example, if you want to block connections to port 22, type in 22. Leave the first drop down as "-".

   Step 21: Set the "Jump Target" to "DROP" or "REJECT". DROP silently discards the attempt, so the client cannot tell why it was blocked; REJECT sends an ICMP destination-unreachable error to the client application's network stack, telling it the connection was rejected at the network level.

   Step 22: Then press the Add Rule button.

Your new ruleset to restrict access to a port, except from certain IPs/Networks is now implemented.



**How to Allow Access to all Ports from a Single IP or Network**

This procedure will allow you to create a ruleset that allows access to all ports on the server from specific IPs/networks.

   Step 1: Log into the AEO GUI

   Step 2: Click the Firewall Tab

   Step 3: Select the Firewall Rules menu option.

   Step 4: Click the "Add Rule" button.

   Step 5: For table, select filter.

   Step 6: For Chain select "INPUT"

   Step 7: For command select "Insert"

   Step 8: For protocol select all in the drop down, and leave the first drop down as "-".

   Step 9: In the "Source:" field, type in the source IP/Network that you wish to allow access to all ports on the server.

   Step 10: Set the "Jump Target" to "ACCEPT"; this will allow this IP and/or network to connect to every port on the server.

   Step 11: Then press the Add Rule button.

   Step 12: Continue adding ACCEPT rules for all the IPs and/or networks you want to allow by repeating Steps 1-11.

Your new rule is now implemented.


**How to Forward a Port from the Server to another System**

This procedure will allow you to create a ruleset to forward a port to a remote system. Forwarding a port on Linux requires that you create two types of rules: PREROUTING rules and FORWARD rules.

**First create the PREROUTING rules.**

   **PREROUTING RULES:**
   
      Step 1: Log into the AEO GUI

      Step 2: Click the Firewall Tab

      Step 3: Select the Firewall Rules menu option.

      On the left hand side you will see a window that is titled "Tables & Chains"

      Step 4: Click on "PREROUTING" under "nat"

      Step 5: A new button will appear titled "Add". Click this button.

      Step 6: (Optional) add in a comment for your custom rule for your records to help you identify this rule

      Step 7: For action select "Insert"

      Step 8: For protocol select the appropriate protocol for your service (e.g. TCP for HTTP); leave the first drop down blank.

      Step 9: Select the local port you want to forward (e.g. 21 for FTP).

      Step 10: (Optional) Select the local IP you want to forward. If you do not select an IP, any connection to your local port on any IP will be forwarded to the remote system/port.

      Step 11: In the "Jump target" dropdown select "DNAT". A new window will appear, "To destination".

      Step 12: Set the destination IP.

      Step 13: Then press the Add Rule button.

**Move onto FORWARD RULES below.**


   **FORWARD RULES:**
   
      Step 1: Log into the AEO GUI

      Step 2: Click the Firewall Tab

      Step 3: Select the Firewall Rules menu option.

      On the left hand side you will see a window that is titled "Tables & Chains"

      Step 4: Click on "FORWARD" under "filter"

      Step 5: A new button will appear titled "Add". Click this button.

      Step 6: (Optional) add in a comment for your custom rule for your records to help you identify this rule

      Step 7: For action select "Insert"

      Step 8: For protocol select the appropriate protocol for your service (e.g. TCP for HTTP); leave the first drop down blank.

      Step 9: Select the local port you want to forward (e.g. 21 for FTP).

      Step 10: (Optional) Select the local IP you want to forward. If you do not select an IP, any connection to your local port on any IP will be forwarded to the remote system/port.

      Step 11: Set the "Jump Target" to "ACCEPT".

      Step 12: Then press the Add Rule button.

      Step 13: Add the port you want to forward to your allowed ports list via this option. For example, if you are forwarding port 21, add port 21 to this option:

      .. note:: Use this setting for TCP ports: **FW_INBOUND_TCP_SERVICES**

      .. note:: Use this setting for UDP ports: **FW_INBOUND_UDP_SERVICES**

Your new rule is now implemented.


**How to Allow Connections to a Port**

   Step 1: Log into the AEO GUI

   Step 2: Click the Firewall Tab

   Step 3: Select the Firewall Rules menu option.
 
   Step 4: Click the "Add Rule" button.

   Step 5: For table, select filter.

   Step 6: For Chain select "INPUT"

   Step 7: For command select "Insert"

   Step 8: Select the protocol. For example, for TCP select tcp in the drop down, and leave the first drop down as "-".

   Step 9: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.

   Step 10: In the Destination port window type in the port number you wish to allow. For example, if you want to allow connections to port 22, type in 22. Leave the first drop down as "-".

   Step 11: Set the "Jump Target" to "ACCEPT".

   Step 12: Then press the Add Rule button.

Your new rule is now implemented.


**How to Allow Outbound Connections to a Port**

   .. note:: This is only necessary if you have setup either AEO or your firewall rules to only allow connections outbound to certain ports. By default AEO does not block any outbound ports.

   Step 1: Log into the AEO GUI

   Step 2: Click the Firewall Tab

   Step 3: Select the Firewall Rules menu option.

   Step 4: Click the "Add Rule" button.

   Step 5: For table, select filter.

   Step 6: For Chain select "OUTPUT"

   Step 7: For command select "Insert"

   Step 8: For protocol select tcp in the drop down, and leave the first drop down as "-".

   Step 9: Type in the destination IP/Network for this rule. If you want to allow outbound connections on the port to any network or destination, just leave this blank.

   Step 10: In the Destination port window type in the port number you wish to allow. For example, if you want to allow outbound connections to port 25, type in 25. Leave the first drop down as "-".

   Step 11: Set the "Jump Target" to "ACCEPT".

   Step 12: Then press the Add Rule button.

Your new rule is now implemented.


------------------

Using the Advanced Firewall Manager and Fast/Easy Mode together
===============================================================

**Restrict access to a specific port, except from specific IPs/networks**

This procedure will allow you to create a ruleset to restrict access to a port, except from specific IPs/networks when you have blocked the port via Fast/Easy mode.

   Step 1: Log into the AEO GUI

   Step 2: Click the Firewall Tab

   Step 3: Select the Firewall Rules menu option.

   Step 4: Click the "Add Rule" button.

   Step 5: For table, select filter.

   Step 6: For Chain select "INPUT"

   Step 7: For command select "Insert"

   Step 8: For protocol select tcp in the drop down, and leave the first drop down as "-".

   Step 9: In the "Source:" field, type in the source IP/Network that you wish to allow access to this port.

   Step 10: In the Destination port window type in the port number you wish to restrict access to. For example, if you want to restrict connections to port 22, type in 22. Leave the first drop down as "-".

   Step 11: Set the "Jump Target" to "ACCEPT"; this will allow this IP and/or network to connect to this port.

   Step 12: Then press the Add Rule button.

   Step 13: Continue adding ACCEPT rules for all the IPs and/or networks you want to allow by repeating Steps 1-12.

   Step 14: Once you are done adding IPs and/or networks to allow, and you used Fast/Easy mode to block the port, your new ruleset to restrict access to a port, except from certain IPs/Networks, is now implemented.

Your new rule is now implemented.
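The ordering argument behind this procedure and the earlier "How to Restrict All Incoming Connections to a TCP Port Except from a Specific IP or Network" one, shown as an added Python model (example code, not part of AEO or its documentation): Insert puts a rule at the top of the chain, Append at the bottom, and the first match wins, so the per-source ACCEPT rules must sit above the catch-all DROP. The ``Rule``/``Chain`` classes, the default ACCEPT policy and the sample addresses are assumptions of the model; port ranges use the x:y syntax from the FAQ below.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                   # jump target: ACCEPT, DROP or REJECT
    proto: Optional[str] = None   # "tcp"/"udp"; None is the GUI's "all"
    source: Optional[str] = None  # IP or CIDR; None (blank field) = any source
    dport: Optional[str] = None   # "22" or a range "1024:65535" as in the FAQ

    def matches(self, proto, src, port):
        if self.proto is not None and self.proto != proto:
            return False
        if self.source is not None and ipaddress.ip_address(src) not in \
                ipaddress.ip_network(self.source, strict=False):
            return False
        if self.dport is not None:
            lo, _, hi = self.dport.partition(":")
            if not int(lo) <= port <= int(hi or lo):
                return False
        return True


class Chain:
    """Ordered rules evaluated first-match-wins, like an iptables chain (model)."""
    def __init__(self, policy="ACCEPT"):
        self.rules, self.policy = [], policy  # policy: verdict if nothing matches

    def insert(self, rule):  # GUI "Insert": rule goes to the top of the chain
        self.rules.insert(0, rule)

    def append(self, rule):  # GUI "Append": rule goes to the bottom
        self.rules.append(rule)

    def verdict(self, proto, src, port):
        for rule in self.rules:  # first match wins; later rules never run
            if rule.matches(proto, src, port):
                return rule.target
        return self.policy


def restrict_port_except(allowed, port, correct_order=True):
    """Ruleset from the 'restrict a port except from specific IPs' procedure:
    Insert one ACCEPT per allowed source, then Append a catch-all DROP.
    With correct_order=False the DROP is Inserted, lands on top and wins."""
    chain = Chain()
    for src in allowed:
        chain.insert(Rule("ACCEPT", "tcp", src, str(port)))
    drop_all = Rule("DROP", "tcp", None, str(port))
    (chain.append if correct_order else chain.insert)(drop_all)
    return chain
```

With ``correct_order=False`` the model reproduces the mistake from "How the Firewall Works": the DROP rule is evaluated first and the allowed sources are blocked too.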


--------------

Frequently Asked Questions
==========================

**Can I use a range of ports?**

   * Yes, ranges are delimited with the colon, ":" symbol. The format for ranges is x:y, where x is the beginning of the range and y is the end. For example:

      .. code-block:: console

         1024:65535

      The above would create a range of 1024 to 65535.

**Will changes survive a reboot?**

   * Yes, if you configure your firewall through the AEO web console your changes are saved by AEO.
   

**Will my AEO firewall configuration survive an upgrade of AEO?**

   * Check the release notes for the upgrade. If the notes do not mention an issue with retaining your firewall configuration between upgrades, then the configuration will survive an upgrade.


**If I create an INPUT rule do I need to create an OUTPUT one?**

   * No, as long as you make the INPUT rule stateful (which is the default). You'll see a checkbox that says stateful; leave it checked and AEO will automatically manage whatever outbound packets need to be let out. OUTPUT rules are not necessary with a stateful INPUT rule.

   * For example, if you allow traffic in on port 22 via an INPUT rule, you do not need to create an OUTPUT rule for port 22 if you have checked the stateful box (which is checked by default) when creating your rule.


**How can the firewall be reset to its default?**

   * You can reset your firewall rules to the defaults by running these commands as the root user (not via sudo):

      .. code-block:: console

         cp /etc/awp/firewall/running.fw /root
         rm /etc/awp/firewall/running.fw
         service awp-firewall restart

   .. note:: You can restore your custom firewall rules (only if you used the commands above to clear them, since the first command keeps a copy in /root) by running these commands as the root user:

      .. code-block:: console

         cp /root/running.fw /etc/awp/firewall/running.fw
         service awp-firewall restart

