The Simplified Firewall Configuration can filter by source IP and/or MAC, by Level 7 protocol, and by protocol/destination port combination, using either whitelists or blacklists. It only affects internal users' access to the Internet. By default, Brazil Firewall is in ALLOW mode for all three of these methods. Access the configuration menu via Webadmin OR… Webadmin from the Internet. (NEW)
Access rules created in the Advanced Firewall Configuration can override these rules and those of port forwarding. There is a bit of duplication in both menus. It is imperative that you understand the theory in the Firewall primer if you are going to troubleshoot firewall rules.
The Simplified Firewall introduces the concept of a white list for the DENY ALL methods and a black list for the ALLOW ALL (default) methods. Which one you use will probably depend on how you want to control access and on how many hosts you have to control. Hopefully these guidelines will help you choose.

A black list is very impractical for MAC filtering. How would you create it? List every MAC in the world? So if you want to filter by MACs it would be best to use a white list. It may be the only way if you are selling time, but every time you add a NIC to the network you must add it here if you want it to access the Internet.
A white list for IP is a bit easier to do because you control DHCP and can reserve IPs by MAC, so you are in charge. It is easier to create 20 or so rules to permit IPs than to create 200+ rules to deny the IPs we want to block.
Because of the order in which the rules are evaluated, a whitelist IP/MAC can override a blacklist port. See Rules precedence below.
With this method any combination of black lists work. On the negative side, as mentioned above, it does make MAC filtering complicated. You can block the bad guy's MAC but spoofing or a new NIC gets around that.
Because of the order in which the rules are evaluated, a blacklist IP/MAC can override a whitelist port. See Rules precedence below.
You may think these lists are long to do because there are a lot of addresses to add. Not so. You can do this by playing with the netmask. Explaining the netmask thing is way beyond the scope of this tutorial, but this online IP subnet calculator is just for this purpose. Blocking 2-255 can be done with 7 rules. But 255 is a broadcast address? No problem; broadcasts never go out a router anyway, so the rules effectively cover up to 254 and it makes for fewer rules.
Try it with 254 and see. Edit the Configuration File, then cut and paste the results of the calculator, or paste just the subnets into the form.
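The netmask trick above can be checked without the online calculator. The following is an added example, not part of the original tutorial or of BrazilFW: it uses Python's standard ipaddress module to compute the fewest subnets covering a host range, and shows why ending the range at .255 (the /24 broadcast address, which the router never forwards anyway) costs 7 rules while stopping at .254 costs 13. The 192.168.1.0/24 network is a constructed sample, and the "address netmask" output format is an assumption about what a firewall form accepts.

```python
import ipaddress


def cidr_blocks(first_host: str, last_host: str) -> list:
    """Return the fewest CIDR subnets that exactly cover first_host..last_host (inclusive).

    summarize_address_range does the netmask arithmetic the tutorial
    refers to: it splits the range along power-of-two boundaries.
    """
    start = ipaddress.IPv4Address(first_host)
    end = ipaddress.IPv4Address(last_host)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def deny_rules(first_host: str, last_host: str) -> list:
    """One 'network netmask' line per subnet, the form most firewall
    configuration forms accept (assumed format, constructed here)."""
    rules = []
    for block in cidr_blocks(first_host, last_host):
        net = ipaddress.IPv4Network(block)
        rules.append(f"{net.network_address} {net.netmask}")
    return rules


if __name__ == "__main__":
    # Constructed sample: block every host in 192.168.1.0/24 except .1 (the router).
    for last in ("192.168.1.255", "192.168.1.254"):
        blocks = cidr_blocks("192.168.1.2", last)
        print(f"192.168.1.2 .. {last}: {len(blocks)} rules")
        for line in deny_rules("192.168.1.2", last):
            print("   ", line)
```

Running it shows the 7-rule list (2/31, 4/30, 8/29, 16/28, 32/27, 64/26, 128/25) for the range ending at .255 and 13 rules for the range ending at .254, because 128-254 no longer aligns to a single /25.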
Keep it simple (KISS) by using only one range of IP addresses instead of a bunch here and a bunch there. With DHCP this is simple. Use Webadmin and select the DHCP Configuration. You can flip from a non DHCP environment overnight. Take your servers into consideration by reserving their IP address.
New in BrazilFW is a method to control that a certain MAC can only have a certain IP and it only works in DENY mode. This is not how you assign an IP to a MAC address. That is done with the DHCP and DNS Configuration menu from Webadmin.

External Services Filtering seems simple enough. You are a home owner or shop with a few PCs and may want to deny DNS because you want the Brazil Firewall DNS to be used, so you leave the allow all default and fill in the black list to block DNS. This is similar to some commercial routers with integrated DNS servers. It certainly is easier to do than allowing all the protocols available in the white list.
Companies don't think so. They pay people to work and don't want them to do P2P or FTP or whatever. They prefer to lock down everything by selecting deny all and filling the white list with what they want to go out, like 80 and 443. There are some protocols that break when using a white list. FTP is one. Without doubt there are others.

Also new in BrazilFW is Level 7 protocol filtering. It is just a matter of listing the protocol on the form and submitting. The level 7 definitions are included in the system and can be updated. You may not be able to filter all protocols especially P2P because some of these are getting more sophisticated using encryption and defy detection via a fingerprint.
These rules have precedence over any other rule in any other menu for any IP and/or MAC and/or port without exception because they are evaluated just before the packet is written to the wire.

The forms create rules that will be evaluated in this order: black list IP, white list IP, black list MAC, white list MAC, black list port, and white list port. Regardless of the default you select, block has precedence over allow and IP has precedence over MAC. The Level 7 protocol filtering is highest in precedence.
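To make the precedence rules concrete, here is an added model of the evaluation order described in this section. It is example code written for this page, not BrazilFW's own firewall script; it assumes first-match-wins semantics (as an iptables chain has), treats a Level 7 match as final, and uses constructed addresses, MACs and ports. It reproduces the two cases noted earlier: a whitelisted IP beats a blacklisted port, and a blacklisted IP beats a whitelisted port.

```python
from dataclasses import dataclass, field


@dataclass
class SimplifiedFirewall:
    """The six Simplified Firewall lists plus the Level 7 list, in the
    order the page says the generated rules are evaluated."""
    default_allow: bool = True                       # ALLOW mode (default) or DENY mode
    blacklist_ip: set = field(default_factory=set)
    whitelist_ip: set = field(default_factory=set)
    blacklist_mac: set = field(default_factory=set)
    whitelist_mac: set = field(default_factory=set)
    blacklist_port: set = field(default_factory=set)  # entries are (proto, port) tuples
    whitelist_port: set = field(default_factory=set)
    blacklist_l7: set = field(default_factory=set)    # Level 7 protocol names

    def decide(self, src_ip, src_mac, dst, l7_proto=None):
        """Return (verdict, matching list) for one outbound connection.

        dst is a (proto, port) tuple such as ("tcp", 80).
        """
        # Level 7 filtering has the highest precedence: it overrides every
        # other list, whatever the IP/MAC/port rules would have decided.
        if l7_proto in self.blacklist_l7:
            return "DENY", "blacklist Level 7"

        # First match wins (assumed, as in an iptables chain), so the order
        # of this table is what gives block precedence over allow and
        # IP precedence over MAC.
        ordered_checks = [
            ("DENY", self.blacklist_ip, src_ip, "blacklist IP"),
            ("ALLOW", self.whitelist_ip, src_ip, "whitelist IP"),
            ("DENY", self.blacklist_mac, src_mac, "blacklist MAC"),
            ("ALLOW", self.whitelist_mac, src_mac, "whitelist MAC"),
            ("DENY", self.blacklist_port, dst, "blacklist port"),
            ("ALLOW", self.whitelist_port, dst, "whitelist port"),
        ]
        for verdict, ruleset, value, name in ordered_checks:
            if value in ruleset:
                return verdict, name

        # Nothing matched: the mode you selected decides.
        return ("ALLOW" if self.default_allow else "DENY"), "default"


# Constructed sample configuration (ALLOW mode with a few lists filled in).
SAMPLE = SimplifiedFirewall(
    default_allow=True,
    blacklist_ip={"192.168.1.20"},
    whitelist_ip={"192.168.1.10"},
    blacklist_port={("tcp", 21)},
    whitelist_port={("tcp", 80), ("tcp", 443)},
    blacklist_l7={"bittorrent"},
)

if __name__ == "__main__":
    cases = [
        ("192.168.1.10", "00:11:22:33:44:10", ("tcp", 21), None),        # whitelisted IP, blacklisted port
        ("192.168.1.20", "00:11:22:33:44:20", ("tcp", 80), None),        # blacklisted IP, whitelisted port
        ("192.168.1.10", "00:11:22:33:44:10", ("tcp", 6881), "bittorrent"),  # L7 wins over whitelisted IP
        ("192.168.1.30", "00:11:22:33:44:30", ("udp", 53), None),        # unlisted host: default mode
    ]
    for ip, mac, dst, l7 in cases:
        print(ip, dst, l7, "->", SAMPLE.decide(ip, mac, dst, l7))
```

The model is only as good as the assumption that each generated rule terminates evaluation on match; if you are troubleshooting a real rule set, confirm the order with the Firewall primer and by reading the loaded iptables chains rather than relying on this table.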
Any time you create or change rules you must reload the firewall to make them active, and back up the configuration if you want these changes to survive the next boot.
When reloading the rules, beware of the following message. It means one or more rules did not load.
Try `iptables -h' or 'iptables --help' for more information.
DISCLAIMER: The following instructions come with no warranty. Use at your discretion and risks. I am not responsible for its misuse, damages, or losses that can be caused directly or indirectly. It is assumed that you practice safe computing and take backups before making changes.
Stuff is written here for the uninitiated and no prior knowledge on the subject is presumed.
Use the Forums for support so everyone can share the information.
copyright for the writing. The ideas and code are free. Robert Bonomo