
Advanced Firewall Configuration for
Brazil Firewall and Coyote Linux

It is imperative that you understand the theory in the Firewall primer if you are going to troubleshoot these rules or use them in conjunction with Port Forwarding and/or Simplified Firewall Configuration. There is a bit of duplication in the Advanced Firewall Configuration and the Simplified Firewall Configuration. Access rules created here can override rules from the Simplified Firewall Configuration and/or Port Forwarding. This is demonstrated in Troubleshooting firewall rules and below.

The examples

Use Webadmin and click on Advanced Firewall Configuration. The first four rules shown here are an example of selectively allowing an IP to access only a few services, in this case DNS and inbound/outbound e-mail; 192.168.0.50 would not even be able to surf the web. The fifth rule is an example of blocking a subnet, and the last one blocks port 21 (FTP) to/from anywhere. It would override any port forwarding you had for FTP.

[Screenshot: BrazilFW Advanced Firewall configuration]

The options

[Screenshot: BrazilFW Advanced Firewall configuration]

Admin is only for controlling access to services that run on Brazil Firewall/Coyote Linux like the Webadmin web server and SSH. Fill in the menu and submit.

Access is the first chain to be evaluated and has precedence over all the other chains. In the examples above it controlled some outbound traffic. Another use is to tighten access to certain ports that are being forwarded: if a packet is denied here it never reaches port forwarding, so two or more rules can be used to permit forwarding from only a few IP addresses or ranges.

Example: in this scenario Port Forwarding has been enabled to allow web access to a server on the LAN. That rule lives in the FORWARD chain and allows any Internet IP, but we want to restrict access to only two IP ranges. The first two rules below do that. Those ranges had access anyway; the third rule then blocks everyone else regardless of the port forwarding rule. In fact those packets never make it to the port forward chain.

[Screenshot: Brazil Firewall Advanced configuration]

You would think the port forwarding rules are no longer needed since this controls access. Not so: creating a port forward rule controls the destination IP on the LAN, which happens in the nat table, as explained in the Firewall primer. This is nice, but now you want to add a third range. Creating a new rule in the GUI puts it after the deny-all rule, which is too late. Here is where Edit Configuration File (below) comes in handy.

Edit Configuration File is for editing the intermediate file that all these firewall configuration menus create. It has its uses, such as making massive changes in one block or, as in the case above, controlling web server access (or whatever). To finish our example, click Edit Configuration File and a form opens. Near the end you will see something like this:

access Y permit tcp 80.1.2.0/24 lan-if 80 all #allow to web
access Y permit tcp 12.13.14.0/24 lan-if 80 all #allow web
access Y deny tcp any lan-if 80 all #block all web access

Duplicate the first line (one or many times) and change the address range(s). Save the file and reload the firewall and you are done.
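To show the ordering problem from the example above, here is an added Python checker (not code from the BrazilFW or Coyote Linux projects). It parses access lines using a field layout read off the three sample lines, which is an assumption (the documented grammar is the one in the file), validates the addresses, and reports any rule that an earlier enabled line already shadows, which is exactly what happens when a new permit lands after the deny-all.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the three lines from the example above plus a fourth
# permit added through the GUI, which lands after the deny-all line.
SAMPLE_CONFIG = """\
access Y permit tcp 80.1.2.0/24 lan-if 80 all #allow to web
access Y permit tcp 12.13.14.0/24 lan-if 80 all #allow web
access Y deny tcp any lan-if 80 all #block all web access
access Y permit tcp 200.1.1.0/24 lan-if 80 all #third range, added later
"""

# Field layout is an ASSUMPTION read off the sample lines, not BrazilFW's documented grammar:
# access <Y|N> <permit|deny> <proto> <src> <dst-if> <port> <flag> [#comment]
AccessRule = namedtuple("AccessRule", "lineno enabled action proto src dst_if port comment")

def parse_access_line(line, lineno):
    body, _, comment = line.partition("#")
    fields = body.split()
    if not fields or fields[0] != "access":
        return None                                   # not an access rule, ignore it
    if len(fields) < 8:
        raise ValueError(f"line {lineno}: expected 8 fields, got {len(fields)}")
    _, enabled, action, proto, src, dst_if, port, _flag = fields[:8]
    if src != "any":
        ipaddress.ip_network(src, strict=False)       # raises on a malformed address
    return AccessRule(lineno, enabled == "Y", action, proto, src, dst_if, port, comment.strip())

def parse_config(text):
    rules = (parse_access_line(l, n) for n, l in enumerate(text.splitlines(), 1))
    return [r for r in rules if r is not None]

def src_covers(broad, narrow):
    """True when every source matched by `narrow` is also matched by `broad`."""
    if "any" in (broad, narrow):
        return broad == "any"
    return ipaddress.ip_network(narrow, strict=False).subnet_of(ipaddress.ip_network(broad, strict=False))

def find_unreachable(rules):
    """First-match chain: a rule is dead if an earlier enabled rule already covers its proto, interface, port and source."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (rule.enabled and earlier.enabled and src_covers(earlier.src, rule.src)
                    and (earlier.proto, earlier.dst_if, earlier.port) == (rule.proto, rule.dst_if, rule.port)):
                dead.append((rule, earlier))          # (never-reached rule, rule that wins)
                break
    return dead
```

Run it on the intermediate file after editing and before reloading; an empty result means every enabled line can still match something.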

The format of these lines is documented in the file, but create them in the GUI first: the form validates what you enter and complains if there are errors. The Troubleshooting firewall rules page shows a real live example of an error created by not doing it in this manner.

The format has changed in 2.31.10 and is not compatible with previous versions.

Edit Custom Firewall Rules allows you to enter iptables commands which get executed when you reload the firewall rules. You must know how to write iptables commands. A use for this is shown in my page: Proxy ARP using Brazil Firewall. There are a number of interesting examples in the Custom Firewall Rules, but also a problem, as I discovered in my proxy ARP project: the rules don't get deleted or flushed but get added into the chain again every time you reload the firewall. See Fixing Custom Firewall Rules.

Any time you create or change rules you must reload the firewall to make them active and backup the configuration if you want these changes to stay for the next boot.

When reloading the rules, beware of this message. It means some rule(s) did not work:

Try `iptables -h' or 'iptables --help' for more information.

DISCLAIMER: The following instructions come with no warranty. Use at your discretion and risks. I am not responsible for its misuse, damages, or losses that can be caused directly or indirectly. It is assumed that you practice safe computing and take backups before making changes.

Stuff is written here for the uninitiated and no prior knowledge on the subject is presumed.

Use the Forums for support so everyone can share the information.