External Access Administrative Web Page

This subsection allows you to configure the External Access settings for the Endian Firewall machine itself. It is entirely optional, so you may safely ignore this section if you do not wish to make use of this feature.

Figure 6.6. Add a new external access rule

External Access only controls access to the Endian Firewall box itself. It has no effect on access to the GREEN, BLUE or ORANGE networks; that is controlled in the Port Forwarding section, see above.

If you wish to maintain your EFW machine remotely, you should add a rule for TCP port 10443 (https). If you have enabled ssh access, you can also add a rule for TCP port 22 (ssh).

The following describes the configuration fields of Add a new rule:

Protocol

The drop-down list lets you choose which protocol this rule applies to. Possible values are TCP and UDP. Most regular servers use TCP; if the server documentation does not specify the protocol, it is usually TCP.

Source IP, or network (blank for "ALL")

This is the IP address of an external machine that you permit to access your firewall. You may leave it blank, which allows any IP address to connect. Although dangerous, this is useful if you want to maintain your machine from anywhere in the world. However, if you can limit the addresses used for remote maintenance, list the machines or networks that are allowed access in this box.

Destination Port

This is the port on the firewall that the source is allowed to reach, for example 10443.

Destination IP

This drop-down menu lets you choose which RED IP this rule applies to. Endian Firewall can handle more than one RED IP. If you only have one RED IP set up, choose Default IP.

Enabled

Tick this box to enable the rule. Untick it to disable the rule temporarily.

Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.

Current rules lists the rules that are in effect. To remove one, click the Trash Can icon. To edit one, click the Yellow Pencil icon.

To enable or disable a rule, click the Enabled icon (the checkbox in the Action column) for the entry you want to change. The icon changes to an empty box when a rule is disabled. Click the checkbox again to re-enable it.
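The following is an added illustration, not Endian Firewall's own code: a small Python model of the rule fields described above (Protocol, Source IP or network with blank meaning ALL, Destination Port, Destination IP and Enabled) together with the evaluation an inbound connection to the firewall undergoes. Only traffic that some enabled rule matches is allowed; everything else is dropped. The rule set, the addresses and the `audit` helper are constructed for the example; the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses, not real hosts.

```python
"""Model of Endian Firewall external access rules (added illustration, not
Endian's own code). Each rule carries the fields of the "Add a new rule"
form: Protocol, Source IP/network (blank = ALL), Destination Port,
Destination IP (which RED address) and Enabled."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class ExternalAccessRule:
    protocol: str                 # "TCP" or "UDP"
    source: str                   # single IP, CIDR network, or "" for ALL
    dest_port: int                # port on the firewall itself, e.g. 10443
    dest_ip: str = "Default IP"   # which RED IP the rule applies to
    enabled: bool = True

    def source_network(self):
        """Blank source means any address: return None in that case."""
        if self.source.strip() == "":
            return None
        # strict=False lets "203.0.113.0/24" and a bare host "203.0.113.5" both parse
        return ipaddress.ip_network(self.source.strip(), strict=False)

    def open_to_world(self) -> bool:
        """True when any source address may reach the port (the risky case)."""
        net = self.source_network()
        return net is None or net.prefixlen == 0

    def matches(self, protocol: str, src_ip: str, dest_port: int,
                dest_ip: str = "Default IP") -> bool:
        """Does this rule permit the given inbound connection to the firewall?"""
        if not self.enabled:
            return False
        if self.protocol.upper() != protocol.upper():
            return False
        if self.dest_port != dest_port or self.dest_ip != dest_ip:
            return False
        net = self.source_network()
        return net is None or ipaddress.ip_address(src_ip) in net


def is_allowed(rules: List[ExternalAccessRule], protocol: str, src_ip: str,
               dest_port: int, dest_ip: str = "Default IP") -> bool:
    """Traffic to the firewall itself passes only if some enabled rule matches;
    anything else is silently dropped."""
    return any(r.matches(protocol, src_ip, dest_port, dest_ip) for r in rules)


def audit(rules: List[ExternalAccessRule]) -> List[str]:
    """List enabled rules that are exposed to any source address, for review."""
    return [f"{r.protocol}/{r.dest_port}"
            for r in rules if r.enabled and r.open_to_world()]


# Constructed sample rule set: admin https from one maintenance network,
# ssh from a single jump host, the default ident rule the page describes,
# and an "anywhere" https rule that has been ticked off.
SAMPLE_RULES = [
    ExternalAccessRule("TCP", "203.0.113.0/24", 10443),
    ExternalAccessRule("TCP", "203.0.113.5", 22),
    ExternalAccessRule("TCP", "", 113),                    # ident, open to ALL
    ExternalAccessRule("TCP", "", 10443, enabled=False),   # disabled, so ignored
]


if __name__ == "__main__":
    probes = [("TCP", "203.0.113.7", 10443), ("TCP", "198.51.100.9", 10443),
              ("TCP", "203.0.113.7", 22), ("UDP", "203.0.113.5", 22)]
    for proto, src, port in probes:
        verdict = "allow" if is_allowed(SAMPLE_RULES, proto, src, port) else "drop"
        print(f"{proto} {src} -> firewall:{port}: {verdict}")
    print("rules open to the world:", audit(SAMPLE_RULES))
```

The `audit` helper is the check worth running on a real rule list before exposing 10443 or 22: any enabled rule it reports accepts connections from every address on the Internet, which is exactly the "dangerous but convenient" case the Source IP field warns about.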

Figure 6.7. Displays currently configured rules

By default port 113 is opened. This is a dirty workaround to make connections faster. Many services still use the old, insecure ident protocol to comply with standards: the service asks the remote host which user established the connection. Most machines no longer run an ident server, so when the firewall silently drops the ident request, the service has to wait for that request to time out before the connection is established. This rule opens the ident port so that the kernel can promptly reject the ident packet and nothing has to time out. Currently this is the only option, because Endian Firewall does not yet support rejecting packets; it can only silently drop them.
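An added illustration of the latency the paragraph describes, not code from Endian Firewall: two local stand-ins are constructed, a bound but non-listening port for the "reject" case (the kernel answers the ident connection attempt at once with a reset, so the caller sees an immediate connection refused) and a listener that completes the handshake but never replies for the "drop" case (the caller sits out its full timeout). A firewall that silently drops the SYN produces the same wait, only at the connect step rather than at the read, so the comparison is a simplification made for an offline demonstration. The request line format follows RFC 1413; the half-second timeout and the port numbers in the query are chosen for the example.

```python
"""Why a silently dropped ident (TCP 113) query slows connection setup.
Added illustration, not Endian code: a local "reject" port and a local
"drop" listener stand in for the two firewall behaviours."""
import socket
import time

IDENT_TIMEOUT = 0.5  # seconds for the example; real ident clients often wait far longer


def ident_query(server_port: int, client_port: int) -> bytes:
    """RFC 1413 request line: '<server-port> , <client-port>' followed by CRLF."""
    return f"{server_port} , {client_port}\r\n".encode()


def closed_port() -> socket.socket:
    """A bound but non-listening socket: connects to it are refused immediately,
    which is what a REJECT on the firewall would look like to the caller."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    return s


def silent_listener() -> socket.socket:
    """Completes the TCP handshake but never reads or replies, so the caller
    waits out its timeout, just as it would behind a firewall that DROPs."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def ident_lookup(port: int, timeout: float = IDENT_TIMEOUT):
    """Perform the ident lookup a service would make; return (outcome, seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            c.settimeout(timeout)
            # constructed ports: service port 10443, remote client port 40000
            c.sendall(ident_query(10443, 40000))
            data = c.recv(256)
            outcome = "answered" if data else "closed"
    except ConnectionRefusedError:
        outcome = "refused"   # prompt RST: the "reject" case
    except socket.timeout:
        outcome = "timeout"   # silence: the "drop" case
    return outcome, time.monotonic() - start


def compare():
    """Run both cases and return {case: (outcome, elapsed_seconds)}."""
    rejecter = closed_port()
    dropper = silent_listener()
    try:
        rejected = ident_lookup(rejecter.getsockname()[1])
        dropped = ident_lookup(dropper.getsockname()[1])
    finally:
        rejecter.close()
        dropper.close()
    return {"reject": rejected, "drop": dropped}


if __name__ == "__main__":
    for case, (outcome, secs) in compare().items():
        print(f"{case:6s} -> {outcome:8s} after {secs:.3f}s")
```

Running it shows the "reject" lookup returning in well under a millisecond while the "drop" lookup consumes the entire timeout; multiply that by every new connection a service makes an ident query for and the slowdown the page describes becomes visible. The same measurement technique (time a connection attempt to port 113 from outside) is a quick way to confirm whether the default rule is in effect on a given firewall.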