SARK V4.0.0 Firewall
Contents
Firewall
For Debian based SARK Appliances (S200 & S500) and vanilla Debian SARK builds, SARK has the Shorewall Firewall on-board and provides a simple GUI to control it
By default the firewall is set as follows:
- allow HTTP port 80 from anywhere
- allow SSH port 22 from the local lan
- allow TFTP port 69 from the local lan
- allow NTP port 123 from the local lan
- allow IAX2 port 4569 from the local lan
- allow SIP port 5060 from the local lan
- allow RTP ports 10000-20000 from the local lan
Everything else is denied.
Setting and changing rules
SARK supports a simple subset of the shorewall ruleset, however it is enough to be able to who will be allowed into the system. You only need specify 3 variables to create a rule; Source, Protocol and Destination Port.
The Source column
The SOURCE column decides who is allowed in (i.e. from where). There are 2 keywords; net and $LAN and you specify addresses and ranges in CIDR format. The SOURCE rule always begins with net. If you put nothing else then you will open a port to the entire internet. Port 80 is initially defined in that way.
You can be more sepcific by specifying net followed by a colon (:) then by an address range (in CIDR notation). You can also use the special variable $LAN to restrict access from the local lan ONLY. Lets say we want to allow access from IP address 81.43.44.9; we could put
net:81.43.44.9
Or, to allow a subnet-range we might put something like
net:81.43.44.0/29
To restrict access to only from our local lan we can put
net:$LAN
The Protocol column
Dead easy; choose TCP or UDP
The destination Port column
Port(s) you want to open for this rule. You can specify it as follows
- A single port e.g. 22
- A port range e.g. 10000:20000
- multiple entries e.g. 5060,10000:20000
Restarting the firewall
Once you've made your changes you must restart the firewall for them to take effect. Click the blue restart button to the top right of the screen (it has a circular legend). After a moment or two, the screen will refresh with a confirmation message (which looks a bit odd - it ends with a diamond symbol ( <> ).
Adding a new rule
Click the new object button to the right of the panel and SARK will create a new dummy row for you to tailor to suit your needs. The dummy row will be set to net:$LAN, tcp and 65535.
Use the drop-down menus to set each column to your liking and then restart the firewall to enliven your rule.