Firewall - Cipafilter Documentation

Manual - Firewall

The Firewall feature provides a stateful firewall which tracks the state of connections routed through the filter, allowing one to easily and precisely restrict traffic.

The default policy of a firewall determines whether it drops or accepts connections that no rule matches. Cipafilter ships with the Default Policy set to ACCEPT. This mode is acceptable if the filter is in bridging mode behind another firewall. However, if the filter is the firewall for your network, we recommend setting the Default Policy to DROP. The DROP policy gives you precise control of the traffic passing through the firewall, but it requires a rule for every kind of traffic you wish to allow; anything without a matching rule is silently discarded. Tech support will be happy to assist you with the creation of appropriate rules for your network.

Below the Default Policy setting is an additional checkbox to Enable SIP ALG. SIP is a signalling protocol best known for its use in VoIP telephones, and an ALG (application-layer gateway) inspects SIP traffic and rewrites the addresses and ports it carries so that calls work through NAT (network address translation). On some networks, particularly where the phones or PBX already handle NAT traversal themselves, this rewriting causes problems for VoIP devices, and the feature can be turned off. It is enabled by default.

Firewall rule configuration is similar to that of port forwards:

  1. Action specifies how the firewall should respond when the rule is triggered. Accept allows the traffic through; Reject blocks the traffic and sends the client an error so its connection attempt fails immediately; Drop blocks the traffic without notifying the client, so the client waits for a timeout.
  2. Protocol specifies which network protocol the rule applies to. See Port Forwarding.
  3. Port(s) specifies the destination port number(s) the rule applies to. See Port Forwarding.
  4. Source Type specifies how sources (clients) will be identified. See Port Forwarding.
  5. Source specifies the value used to identify sources (clients), in the form required by the selected Source Type. See Port Forwarding.
  6. Destination Type is equivalent to Source Type, but for the destination of the traffic to be blocked or allowed.
  7. Destination is equivalent to Source, but for the destination of the traffic to be blocked or allowed.
  8. Log controls connection logging for the rule. See Port Forwarding. Note that logging firewall rules can have an even more significant performance impact than logging port forwards, especially with Drop rules: a dropped packet never becomes a tracked connection, so every retransmitted attempt is logged again as a new connection.

The firewall is fully integrated with the port-forwarding system, and rules are evaluated against the translated addresses. Write firewall rules using the actual private IP addresses of your internal devices, not the public IP addresses from which traffic is being port-forwarded.

Connections are only matched against the firewall when they are first opened; later packets of an established connection are passed by the connection tracker without consulting the rules. If you change the firewall, any established connections will therefore remain open, even if the new rules prohibit them, until they are closed by the endpoints. To cut off a connection that a new rule is meant to block, it must be closed (or its state cleared) rather than merely prohibited by rule.

The end-user Firewall feature does not apply to traffic destined for the Cipafilter itself, only to the traffic flowing through it. In practice, this means rules usually apply only to traffic between two different subnets, since devices on the same subnet communicate directly without passing through the filter. The filter automatically adjusts its own input firewall based on the configuration of the system to ensure proper operation.

ICMP Firewall

If you are experiencing a problem with ICMP traffic, enable the ICMP Firewall and select the types of ICMP packets you wish to let through; types you do not select will not pass.

Always allow ICMP fragmentation-needed packets (destination unreachable, code "fragmentation needed"). These packets are required by Path MTU Discovery. If fragmentation-needed packets are blocked, you may experience problems where small amounts of data transmit fine over a connection but large transfers cause the connection to hang, because the sender never learns that its packets are too large for a link along the path.
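The following is an added example and not Cipafilter's own code: a small model of the first-match, stateful rule evaluation described in the rule list above, together with the connection-tracking behaviour (established connections survive a rule change) and the ICMP Firewall with its fragmentation-needed check. All class and function names, the sample addresses and ports, and two simplifications are assumptions made for the model: reply packets are tracked by the reversed 5-tuple, and when the ICMP Firewall is disabled ICMP is treated like any other protocol by the ordinary rules.

```python
"""Model of the Cipafilter firewall semantics described on this page.
Added example; names, sample traffic and simplifications are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, REJECT, DROP = "accept", "reject", "drop"


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0             # destination port (0 for ICMP)
    sport: int = 0
    icmp: tuple = (0, 0)       # (type, code); only meaningful for proto == "icmp"

    def flow(self):            # 5-tuple used by the (hypothetical) connection tracker
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):    # reply direction of the same connection
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Rule:
    action: str
    proto: Optional[str] = None       # None = any protocol
    ports: frozenset = frozenset()    # empty = any destination port
    src: str = "0.0.0.0/0"            # Source Type "network" modelled as CIDR
    dst: str = "0.0.0.0/0"
    log: bool = False

    def matches(self, p):
        return ((self.proto is None or self.proto == p.proto)
                and (not self.ports or p.dport in self.ports)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


@dataclass
class Firewall:
    default_policy: str = DROP
    rules: list = field(default_factory=list)
    icmp_firewall: bool = False
    icmp_allowed: frozenset = frozenset()      # admin-selected (type, code) pairs
    conntrack: set = field(default_factory=set)
    log_lines: list = field(default_factory=list)

    FRAG_NEEDED = (3, 4)   # destination unreachable / fragmentation needed

    def pmtu_safe(self):
        """The check the page asks for: is fragmentation-needed let through?"""
        return (not self.icmp_firewall) or self.FRAG_NEEDED in self.icmp_allowed

    def forward(self, p):
        # Established connections bypass the rules entirely, in both directions.
        if p.flow() in self.conntrack or p.reverse_flow() in self.conntrack:
            return ACCEPT
        if p.proto == "icmp" and self.icmp_firewall:
            return ACCEPT if p.icmp in self.icmp_allowed else DROP
        for r in self.rules:                    # first match wins
            if r.matches(p):
                if r.log:
                    self.log_lines.append(
                        f"{r.action} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                if r.action == ACCEPT:          # only accepted traffic becomes state
                    self.conntrack.add(p.flow())
                return r.action
        if self.default_policy == ACCEPT:
            self.conntrack.add(p.flow())
        return self.default_policy


def rule_demo():
    """Default DROP with two rules; then every rule is removed mid-connection."""
    fw = Firewall(default_policy=DROP, rules=[
        Rule(ACCEPT, "tcp", frozenset({443}), src="10.0.1.0/24", dst="10.0.2.0/24"),
        Rule(REJECT, "tcp", frozenset({22}), src="10.0.1.0/24", dst="10.0.2.0/24", log=True),
    ])
    web = Packet("tcp", "10.0.1.5", "10.0.2.10", dport=443, sport=51000)   # constructed traffic
    ssh = Packet("tcp", "10.0.1.5", "10.0.2.10", dport=22, sport=51001)
    smb = Packet("tcp", "10.0.1.5", "10.0.2.10", dport=445, sport=51002)
    results = {"web_first": fw.forward(web),    # accept; flow is now tracked
               "ssh": fw.forward(ssh),          # reject; client is told
               "smb": fw.forward(smb)}          # drop; default policy, silent
    fw.rules.clear()                            # admin deletes every rule ...
    results["web_established"] = fw.forward(web)   # ... the open flow still passes
    results["web_new"] = fw.forward(Packet("tcp", "10.0.1.6", "10.0.2.10", dport=443, sport=51003))
    return results, fw.log_lines


def icmp_demo():
    """ICMP Firewall enabled with and without fragmentation-needed selected."""
    frag = Packet("icmp", "198.51.100.1", "10.0.2.10", icmp=Firewall.FRAG_NEEDED)
    bad = Firewall(icmp_firewall=True, icmp_allowed=frozenset({(8, 0), (0, 0)}))
    good = Firewall(icmp_firewall=True,
                    icmp_allowed=frozenset({(8, 0), (0, 0), Firewall.FRAG_NEEDED}))
    return bad.pmtu_safe(), bad.forward(frag), good.pmtu_safe(), good.forward(frag)


if __name__ == "__main__":
    print(rule_demo())
    print(icmp_demo())
```

The "web_established" result is the point of the second note above: once the accept rule has created connection state, deleting the rule does not close the connection, while a new connection from a different source port falls straight to the DROP default. The `icmp_demo` "bad" configuration is the misconfiguration the ICMP section warns against: echo request and reply are allowed, so ping works, yet large transfers would hang because fragmentation-needed is dropped.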
