SARK V4.0.0 Firewall

From sailpbx
Jump to: navigation, search

back to SARK v4.0.0 contents

Firewall

For Debian based SARK Appliances (S200 & S500) and vanilla Debian SARK builds, SARK has the Shorewall Firewall on-board and provides a simple GUI to control it



V4 firewall 1.png



By default the firewall is set as follows:

  • allow HTTP port 80 from anywhere
  • allow SSH port 22 from the local lan
  • allow TFTP port 69 from the local lan
  • allow NTP port 123 from the local lan
  • allow IAX2 port 4569 from the local lan
  • allow SIP port 5060 from the local lan
  • allow RTP ports 10000-20000 from the local lan

Everything else is denied.

Setting and changing rules

SARK supports a simple subset of the shorewall ruleset, however it is enough to be able to who will be allowed into the system. You only need specify 3 variables to create a rule; Source, Protocol and Destination Port.

The Source column

The SOURCE column decides who is allowed in (i.e. from where). There are 2 keywords; net and $LAN and you specify addresses and ranges in CIDR format. The SOURCE rule always begins with net. If you put nothing else then you will open a port to the entire internet. Port 80 is initially defined in that way.

You can be more sepcific by specifying net followed by a colon (:) then by an address range (in CIDR notation). You can also use the special variable $LAN to restrict access from the local lan ONLY. Lets say we want to allow access from IP address 81.43.44.9; we could put

net:81.43.44.9 

Or, to allow a subnet-range we might put something like

net:81.43.44.0/29

To restrict access to only from our local lan we can put

net:$LAN

The Protocol column

Dead easy; choose TCP or UDP

The destination Port column

Port(s) you want to open for this rule. You can specify it as follows

  • A single port e.g. 22
  • A port range e.g. 10000:20000
  • multiple entries e.g. 5060,10000:20000

Restarting the firewall

Once you've made your changes you must restart the firewall for them to take effect. Click the blue restart button to the top right of the screen (it has a circular legend). After a moment or two, the screen will refresh with a confirmation message (which looks a bit odd - it ends with a diamond symbol ( <> ).



V4 firewall 2.png



Adding a new rule

Click the new object button to the right of the panel and SARK will create a new dummy row for you to tailor to suit your needs. The dummy row will be set to net:$LAN, tcp and 65535.



V4 firewall 3.png



Use the drop-down menus to set each column to your liking and then restart the firewall to enliven your rule.