CA API Gateway - 9.3

Firewall Rule Properties

Last update September 4, 2018

Firewall Rule Properties let you configure how the Gateway handles inbound and outbound traffic. A port can be opened as a firewall entry to allow inbound traffic, or traffic arriving on one port can be redirected to another port.

For more information about firewall rules, see Manage Firewall Rules.

To access the properties for a firewall rule:

  1. Run the Manage Listen Ports task.
  2. Click [Manage Firewall Rules].
  3. Click [Create]. 
    The Simple Firewall Rule Properties appear. Configure the properties as described below.
  4. Click [OK] when done.


Configuring the Simple Firewall Rule Properties

You can create a firewall rule by using the Simple Firewall Rule Properties dialog.

Setting

Description

Rule Name

Enter a name for the firewall rule. This "friendly" description is displayed on the Manage Listen Ports dialog.

Rule Action

Select the action for the rule from the drop-down menu:

  • Accept: Choose this option to allow the traffic through.
  • Redirect: Choose this option to redirect the traffic from a destination port to a different port.

Interface

From the drop-down list, select an interface or IP address to monitor. The list displays all available IP addresses on the Gateway and interfaces configured using the [Manage] button.

To listen on all available addresses, select All.

Protocol

Select the protocol from the drop-down list.

From Port

The destination port that the rule matches: for Accept, the port to open for inbound traffic; for Redirect, the port whose traffic is sent elsewhere. The port number must be between 1 and 65535 (inclusive).

To Port

The port to which matching traffic is redirected. This field is only enabled when "Redirect" is selected in the "Rule Action" drop-down menu. The port number must be between 1 and 65535 (inclusive).

Configuring the Advanced Firewall Rule Properties

You can add more specific definitions to the firewall rules through the Advanced Firewall Rule Properties.

WARNING: Misconfigurations in the Advanced Firewall Rule Properties may prevent access to the Gateway. A Drop rule on INPUT that matches the port used by the Policy Manager or by SSH, for example, locks out administrative access. Check the Source Address, Destination Port and Rule Action of any Drop rule before enabling it.

To access the advanced properties for a firewall rule:

  1. Run the Manage Listen Ports task.
  2. Click [Manage Firewall Rules].
  3. Click [Advanced Create]. Confirm that you want to continue by selecting the "To enable [OK] ..." check box, then click [OK].
    The Advanced Firewall Rule Properties appear.
  4. Configure the properties as required.
  5. Click [OK] when done.

Setting

Description

Rule Name

Enter the name of the firewall rule. This "friendly" description is displayed in Manage Listen Ports.

Enable

Select this check box to activate the firewall rule. Clear the check box to leave the rule inactive.

Interface

From the drop-down list, select the interface or IP address to monitor. See Manage Interfaces for more details.

Manage

Click [Manage] to add or remove interfaces from the list. For more information, see Manage Interfaces.

Type

From the drop-down list, select the type to be used. The two types correspond to the iptables tables into which the rule is written:

  • Filter: Choose this option to accept or drop traffic (the filter table).
  • NAT: Choose this option to apply Network Address Translation to the traffic (the nat table).

Packet State

From the drop-down list, select the packet state (the chain) to which the rule is applied. The values listed depend on the value selected for Type.

INPUT: This option appears when Filter is selected for "Type". The rule applies to all traffic addressed to the Gateway itself, as it arrives.

PREROUTING: This option appears when NAT is selected for "Type". Choose this option to apply Network Address Translation to traffic as it arrives, before routing; Redirect and DNAT rules rewrite the destination port or address here.

POSTROUTING: This option appears when NAT is selected for "Type". Choose this option to apply Network Address Translation to traffic as it leaves the Gateway.

General Options

Protocol

Select the protocol from the drop-down list: TCP, UDP, or ICMP. The selection enables the matching protocol-specific options described under Protocol Options.

Note: The ICMP protocol is only available when Filter is selected for "Type".

Source Address

Enter an IPv4 or IPv6 address as the source address. The rule matches only traffic whose source IP address matches this value.

  • When an IPv4 address is entered, an entry is written to the firewall_rules file.
  • When an IPv6 address is entered, an entry is written to the firewall6_rules file.

Tip: If the address is any of the following:

  • A single IP address
  • An IP address with a netmask in a CIDR bit form (such as 192.168.0.0/24)
  • An address with a regular netmask, such as 192.168.0.0/255.255.255.0

then the address input can be inverted by using the "!" (exclamation) mark and a space before the address. For example, "! 192.168.1.1"

Destination Address

Enter an IPv4 or IPv6 address as the destination address. The rule matches only traffic whose destination IP address matches this value.

  • When an IPv4 address is entered, an entry is written to the firewall_rules file.
  • When an IPv6 address is entered, an entry is written to the firewall6_rules file.

Tip: The same tip about inverted addresses under "Source Address" applies here as well.

Protocol Options

TCP

Below are the available options when the protocol is set to "TCP":

  • Source Port: Enter the source port number of the matched traffic. The port number must be between 1 and 65535 (inclusive).
  • Destination Port: Enter the destination port number of the matched traffic. The port number must be between 1 and 65535 (inclusive).
  • TCP Flags: Enter the TCP flags to test in the incoming traffic. The available flags are FIN, SYN, RST, PSH, ACK, URG, ALL, and NONE. Two flag lists are required: the first is the mask, the flags to examine; the second is the set of flags within that mask that must be set (every other flag in the mask must be clear). Each list can hold several comma-separated values. For example, a mask of "FIN,SYN,RST,ACK" with a comparison of "SYN" matches only packets that open a new connection: SYN set, and FIN, RST and ACK clear.
  • TCP Options: Enter the numeric TCP option kind to look for in the incoming traffic. This field accepts values between 1 and 255 (inclusive).
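The mask/comparison semantics of the TCP Flags field are easy to get backwards, so here is an added example (not CA API Gateway product code) that evaluates iptables-style "--tcp-flags mask comparison" pairs against constructed TCP flag bytes. The three rules in RULES and the sample packets are hypothetical, built only to show which rule each flag byte hits; the flag bit values are the standard TCP header bits.

```python
# Added example, not CA API Gateway product code: the matching semantics of
# the two-part "TCP Flags" field (iptables --tcp-flags mask comparison),
# exercised against constructed TCP flag bytes.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flag_list(text):
    """Turn 'FIN,SYN,ACK', 'ALL' or 'NONE' into a bitmask over the flag byte."""
    names = [n.strip().upper() for n in text.split(",") if n.strip()]
    if names == ["ALL"]:
        return sum(TCP_FLAGS.values())
    if names == ["NONE"]:
        return 0
    unknown = [n for n in names if n not in TCP_FLAGS]
    if unknown or not names:
        raise ValueError(f"unknown TCP flag(s): {unknown or text!r}")
    mask = 0
    for n in names:
        mask |= TCP_FLAGS[n]
    return mask


def tcp_flags_match(mask_text, comp_text, packet_flags):
    """True when the packet satisfies '--tcp-flags mask comp': among the flags
    named in mask, exactly those named in comp are set; flags outside the
    mask are ignored."""
    mask, comp = parse_flag_list(mask_text), parse_flag_list(comp_text)
    if comp & ~mask:
        # iptables would install such a rule, but it can never match; refuse it.
        raise ValueError("comparison flags must be a subset of the mask")
    return (packet_flags & mask) == comp


# Constructed sample flag bytes, labelled by what they represent.
SAMPLE_PACKETS = {
    "syn": TCP_FLAGS["SYN"],                                  # new connection
    "syn_ack": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],           # handshake reply
    "xmas": TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"],
    "null": 0,
}

# Three hypothetical rules as they would be entered in the dialog, in order.
RULES = [
    ("new-connection", "FIN,SYN,RST,ACK", "SYN"),
    ("xmas-scan", "ALL", "FIN,PSH,URG"),
    ("null-scan", "ALL", "NONE"),
]


def classify(packet_flags, rules=RULES):
    """Name the first rule whose mask/comparison pair matches the flag byte."""
    for name, mask, comp in rules:
        if tcp_flags_match(mask, comp, packet_flags):
            return name
    return "no-match"
```

Note that the SYN/ACK handshake reply does not match the "new-connection" rule even though SYN is set, because ACK is inside the mask and must be clear; narrowing the mask to "SYN" alone would make it match. A comparison list that names a flag outside the mask is refused here because such a rule can never match anything.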

UDP

Below are the available options when the protocol is set to "UDP":

  • Source Port: Enter the source port number of the matched traffic. The port number must be between 1 and 65535 (inclusive).
  • Destination Port: Enter the destination port number of the matched traffic. The port number must be between 1 and 65535 (inclusive).

ICMP

Below is the available option when the protocol is set to "ICMP":

  • ICMP Type: Enter the ICMP type number or type name (for example, echo-request) to match in the incoming traffic.

Rule Action

Select the rule action from the drop-down menu.

  • Accept: Choose this option to allow the traffic through.
  • Drop: Choose this option to deny the traffic. The packet is discarded silently; no response is sent to the sender.
  • Redirect: Choose this option to redirect the traffic from a destination port to a different port. This option is only available when NAT is selected for "Type", with PREROUTING as the "Packet State".
  • DNAT: This option appears when NAT is selected for "Type", with PREROUTING as the "Packet State". Choose this option to apply Destination Network Address Translation to the incoming traffic. When this option is selected, the "To Destination" field appears.
  • To Destination: Enter the destination address to be written into the IP header of the received packet. This field accepts a single IP address or an IP address range, optionally followed by a port or port range. For example, "192.168.1.1:80", "192.168.1.1:80-100" or "192.168.1.1-192.168.1.10:80".

Note: A port or port range is given once, appended to either the start IP address or the end IP address of a range, but not to both.
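Taken together, the Simple and Advanced dialogs describe a small rule language. The following added example (not CA API Gateway product code) maps both dialogs' settings onto iptables rule syntax and enforces the checks stated on this page: the 1 to 65535 port range, the "! " address inversion with CIDR or dotted-netmask input, IPv4 versus IPv6 output file selection, ICMP only with Filter, Redirect and DNAT only with NAT/PREROUTING, and the single port part of a DNAT target. It assumes the Gateway applies these rules with iptables semantics; the actual line format of firewall_rules and firewall6_rules is not documented here, so plain iptables syntax is emitted. The sample rules, addresses, ports and the eth0 interface name are constructed for illustration.

```python
# Added example, not CA API Gateway product code: map the Simple and Advanced
# Firewall Rule Properties settings onto iptables rule syntax and apply the
# dialogs' own checks. ASSUMPTION: the Gateway applies rules with iptables
# semantics; the firewall_rules / firewall6_rules line format is not on the page.
import ipaddress
import re

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
TO_DEST_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)(?:-(\d+\.\d+\.\d+\.\d+))?(?::(\d+(?:-\d+)?))?$")
ACTIONS = {"accept": "ACCEPT", "drop": "DROP", "redirect": "REDIRECT", "dnat": "DNAT"}
VALID_CHAINS = {"filter": ("INPUT",), "nat": ("PREROUTING", "POSTROUTING")}

def check_port(value):
    """Port or port range; every number must be 1..65535 inclusive."""
    m = PORT_RE.match(str(value))
    lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port or range: {value!r}")
    return str(lo) if lo == hi else f"{lo}-{hi}"

def parse_address(text):
    """Single IP, CIDR or dotted-netmask form, optionally inverted with '! '.
    Returns (negated, address text for iptables, IP version)."""
    negated = text.startswith("! ")
    net = ipaddress.ip_network(text[2:] if negated else text, strict=False)
    single = net.prefixlen == net.max_prefixlen
    return negated, str(net.network_address) if single else net.with_prefixlen, net.version

def check_to_destination(text):
    """DNAT target addr[-addr][:port[-port]]; the port part appears at most once."""
    m = TO_DEST_RE.match(text or "")
    if not m:
        raise ValueError(f"bad To Destination: {text!r}")
    start, end, ports = m.groups()
    out = str(ipaddress.IPv4Address(start)) + (f"-{ipaddress.IPv4Address(end)}" if end else "")
    return out + (":" + check_port(ports) if ports else "")

def render(name, action, table="Filter", chain="INPUT", interface="All", protocol=None,
           source=None, destination=None, sport=None, dport=None, tcp_flags=None,
           icmp_type=None, to_port=None, to_destination=None):
    """Dialog fields (table is "Type", chain is "Packet State", tcp_flags is (mask, comp))
    to (target file name, iptables rule text); raises ValueError on invalid input."""
    table, chain, action = table.lower(), chain.upper(), action.lower()
    proto = protocol.lower() if protocol else None
    if chain not in VALID_CHAINS.get(table, ()) or action not in ACTIONS:
        raise ValueError(f"{name}: invalid Type / Packet State / Rule Action")
    if action in ("redirect", "dnat") and (table, chain) != ("nat", "PREROUTING"):
        raise ValueError(f"{name}: {action} needs Type=NAT and Packet State=PREROUTING")
    if proto == "icmp" and table != "filter":
        raise ValueError(f"{name}: ICMP is only available with Type=Filter")
    parts, version = ["-A", chain], None
    if interface != "All":  # POSTROUTING matches on the outbound interface
        parts += ["-o" if chain == "POSTROUTING" else "-i", interface]
    for flag, text in (("-s", source), ("-d", destination)):
        if text:
            negated, addr, version = parse_address(text)
            parts += (["!"] if negated else []) + [flag, addr]
    if proto:
        icmp = "icmpv6" if (proto, version) == ("icmp", 6) else proto  # ip6tables spelling
        parts += ["-p", icmp]
        if proto in ("tcp", "udp"):
            parts += [x for f, p in (("--sport", sport), ("--dport", dport)) if p
                      for x in (f, check_port(p))]
        if proto == "tcp" and tcp_flags:
            parts += ["--tcp-flags"] + [f.replace(" ", "") for f in tcp_flags]
        if proto == "icmp" and icmp_type:
            parts += [f"--{icmp}-type", icmp_type]
    parts += ["-j", ACTIONS[action]]
    if action == "redirect":
        parts += ["--to-ports", check_port(to_port)]
    elif action == "dnat":
        parts += ["--to-destination", check_to_destination(to_destination)]
    # ASSUMPTION: a rule that names no address goes to the IPv4 file.
    return ("firewall6_rules" if version == 6 else "firewall_rules"), " ".join(parts)

def rejected(fn, *args, **kwargs):
    try:  # True when a check refuses its input (exercises the failure modes)
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False

# Constructed sample rules (hypothetical addresses and ports), one per dialog feature.
SAMPLE_RULES = [
    dict(name="simple-accept", action="Accept", protocol="TCP", dport="8443"),
    dict(name="simple-redirect", action="Redirect", table="NAT", chain="PREROUTING",
         protocol="TCP", dport="80", to_port="8080"),
    dict(name="drop-ssh-outside", action="Drop", protocol="TCP", dport="22",
         source="! 10.0.0.0/255.0.0.0", tcp_flags=("FIN,SYN,RST,ACK", "SYN")),
    dict(name="v6-ping", action="Accept", protocol="ICMP", source="2001:db8::/32",
         icmp_type="echo-request"),
    dict(name="dnat-web", action="DNAT", table="NAT", chain="PREROUTING", interface="eth0",
         protocol="TCP", dport="443", to_destination="192.168.1.1:8443"),
]

def render_all(rules=SAMPLE_RULES):
    """Render every sample rule; returns {rule name: (file name, rule text)}."""
    return {r["name"]: render(**r) for r in rules}
```

The "drop-ssh-outside" sample is the kind of rule the warning above is about: it drops new SSH connections from every source outside 10.0.0.0/8, so an administrator connecting from elsewhere is locked out the moment it is enabled. Running render_all() before committing a rule set is a cheap way to read back exactly what each dialog entry will do.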
