Legacy productThe WF1740 described here is an old product and no longer supplied. Please see details of current FireBrick products.

FireBrick 105
Manuals
Home

Filters

Filters are the way that the FireBrick provides firewall protection. The FireBrick tracks every session, and applies filters when that session starts. Once checked against the filters, the session is then allowed even if the filters later change. Filters are considered in order until one matches, and then the filter rule applied to the session.

Name	Allows you to give a name to this rule
Security	Sets the security level of this rule and so defines who can view or edit the users details
Profile	Defines the profile when this rule applies
Source	This allows you to specify one or more source interfaces from which the traffic may come
Target	This allows you to specify one of more target interfaces to which the trafficmay be going
Action	This defines the main action which applies, Allow, Drop, Bounce or Reject as described belwo
Source ports	This allows a range of source ports to be specified. Applicable to TCP and UDP. Normally blank meaning any.
Target ports	This allows a range of target ports to be specifiied. Applicable to TCP and UDP. Typically just one port for the specific protocol, e.g. 80 for WWW
Protocol	This allows the specific protocol to be specified, or Any.
Port group	Instead of using a source port range, target port range and protocol, then a named port group can be selected.
Source IP range	Allows the range of source IPs to be specified, or blank for any.
Source IP group	Instead of an IP range, a named IP group can be selected.
Target IP range	Allows the range of target IPs to be specified, or blank for any.
Target IP group	Instead of an IP range, a named IP group can be selected.
Timeouts	For advanced use
TOS	For advanced use
Blink	Causes the ALERT light to blink every time this filter matches.
Flash	Causes the ALERT light to start blinking if this filter matches. It blinks until reset.
Log	Causes the filter to be logged in the internal log
Syslog	Causes the filter to be logged to an external syslog server
Email	Causes the filter to be logged to email
Quick setup	Shows this filter on the quick setup menu
Suspend	Causes this filter to be ignored, like profile Not 24/7.
SYN	For advanced use
Bypass	For advanced use
End-log	Causes logging of the end of the session regardless of the size of the session

Actions

The actions define what happens to the session. Only Allow casues a session to be created.

Allow	The traffic is allowed and the session created. All corresponding reply traffic and further traffic on the same session is allowed automatically even if the filters later change.
Drop	The packet is dropped / ignored
Reject	The packet is dropped, and an ICMP admin prohibited filter error message returned to the sender
Bounce	The packet is dropped and a valid response is sent to try and annoy the senders system. This is not a counter attack though.

Statistics

If the clock is set then a number of per filter statistics are available. These are a total of traffic both ways through the sessions associated with each filter.

Rate Now	The instantaneous rate indication for the last whole second in KB/s or Kb/s.
Rate 5min	The average rate over the last whole 5 minute period in KB/s or Kb/s
Day This	The total transferred so far today, in MB
Day Last	The total transferred in the last whole day, in MB
Month This	The total transferred so far this month, in MB
Month Last	The total transferred in the last whole month, in MB

Note that the rate set and now can be displayed in Kbits/s or Kbytes/s depending on UI settings.

Technical Reference

The timeouts, if not blank, define the initial and ongoing timeout for the session in seconds. If blank then defaults are used depending on the traffic. For UDP the default is a long initial timeout and short ongoing timeout. For TCP it is a short initial timeout and long ongoing timeout. The initial timeout is the session timeout before any reply has been received. The ongoing timeout is the session timeout after any reply packet has been received.
If not blank, the TOS mask and value can be set to allow the traffci to be checked for TOS value. The TOS value is ANDed with the mask and check against the value. Note that the TOS of the initial packet in a session is checked only.
If SYN is set then a TCP session will only match this filter if it has SYN and not ACK set.
Bypass cuases the filter to be applied as normal, but does not allow a session to be created. This allows per packet rather than sessions based filtering if required. This is much slower but can be used where a machine is, for example, deliberately port scanning through a FireBrick and so many sessions would not timeout for a long time.
End log will cause logging as per the log large sessions settings in the main setup menu, which may not be the same as those of the filter.
If filters are moved, then statistics for on-going sessions may become distorted.
For the Bounce action, the packet is dropped, but for ICMP pings a ping response is generated, and for TCP connections a SYN+ACK response is generated. This simulates a valid connection. The TCP response has a window size of 0 which will lock up some TCP stacks. The responses are also randomly slow (around 300ms) and so lower priority compared with real traffic. The bounce mode is intended to cause annoyance to a would be attacker.
If no filter matches, the default filter is used as specified in the setup menu.
Before the default filter there is an implicit filter allowing LAN to FireBrick port 80 and allowing FireBrick to any traffic. Explicit filtering rules can however block this default behaviour if required.
Filters are applied after routing is done (as filters used the target interface that has been decided by the routing rules).
Filtering is done before address mapping and so any IPs and ports apply before the addresses are changed.
Filtering is done before NAT is applied
Filtering is also done before traffic shaping.