Firewall

Zentyal uses the Linux kernel subsystem called Netfilter [2] for the firewall module, providing filtering, packet marking and connection redirection capabilities.

[2] Netfilter: http://www.netfilter.org/

Firewall configuration with Zentyal

Zentyal’s security model is based on delivering the maximum possible security with the default configuration, trying at the same time to minimize the effort when adding a new service.

When Zentyal is configured as a firewall, it is normally installed between the internal network and the router connected to the Internet. The network interface which connects the host with the router has to be marked as External in Network ‣ Interfaces. By doing this, the firewall establishes stricter filtering policies for external connections that use these interfaces.

External interface

Zentyal denies by default any attempt to connect to the system through external interfaces. In the case of internal interfaces, it only allows connections targeted to the services defined by the installed modules. Every time a Zentyal module is installed, Zentyal automatically adds the necessary firewall rules to enable the new services. These rules can be modified later by the administrator. The default configuration for outgoing connections from internal networks and from the server itself is to allow all.

You can define the firewall policies in: Firewall ‣ Packet filtering.

Sections of the firewall, depending on traffic flow

Each one of the sections above is in charge of controlling different traffic flows, depending on their source and destination:

  • Filtering rules from internal networks to Zentyal (example: allow access to Zentyal’s file server from the local network).
  • Filtering rules for internal networks (example: restrict access to Internet from a set of hosts, forbid the DMZ to access other LAN segments).
  • Filtering rules from external networks to Zentyal (example: allow any host in the Internet to access the Webmail module).
  • Filtering rules for traffic coming out from Zentyal (example: connections going from the server itself to the external or internal networks).

You have to take into account that allowing Internet connections to Zentyal services could be potentially dangerous. It is recommended to study the security implications before modifying the third set of rules.

Schema illustrating the different traffic flows in the firewall

By studying the schema above, you can determine where to find the type of traffic you want to control in the firewall. The arrows only signal the source and destination. Naturally, all the traffic must go through Zentyal’s firewall in order to be processed.

For example, the Internal Networks arrow, which goes from LAN 2 to Internet, represents one of the LAN hosts, that is the source, and a machine in the Internet, that is the destination. The connection will of course be processed by Zentyal which is the gateway for the host in question.

Zentyal provides a simple way to define the rules that compose the firewall policy. These rules are defined with the high-level concepts described in the Network services section, to specify the protocols and ports to which the rules apply, and in the Network objects section, to specify the source or destination IP addresses to which they apply.

List of packet filtering rules from internal networks to Zentyal

Normally each rule has a Source and a Destination, which can be Any, an IP address or an Object, if you want to specify more than one IP address or MAC address. In some sections the Source or Destination is omitted because its value is already known. For example, Zentyal will always be the Destination in the Filtering rules from internal networks to Zentyal and Filtering rules from external networks to Zentyal, and always the Source in Filtering rules for traffic coming out from Zentyal.

Additionally, each rule is always associated with a Service in order to specify the protocol and the ports (or range of ports) that apply to the rule. The services with source ports are useful for rules related to outgoing traffic of internal services, for example, an internal HTTP server. On the other hand, the services with destination ports are useful for rules related to incoming traffic to internal services or outgoing traffic to external services. It is important to note that there is a set of generic labels that are very useful for the firewall, like Any to select any protocol or port, and Any TCP or Any UDP to select any TCP or UDP port respectively.

The most relevant parameter is the Decision to take on new connections. Zentyal allows this parameter to use three different decision types:

  • Accept the connection.
  • Deny the connection, ignoring incoming packets and telling the source that the connection cannot be established.
  • Register the connection as an event and continue evaluating the rest of the rules. This way, by using Logs ‣ Log query ‣ Firewall you can check which connections were attempted.

The configured rules are inserted into a table where they are evaluated “from top to bottom”. Once a DENY/ACCEPT rule applies to a connection, the packet is immediately processed and the evaluation process starts with another packet. Keep in mind that when the packet is processed, filtering stops, so the rules below it are not considered. Exceptionally, the REGISTER type of rule generates the log and continues evaluating the packet through the rest of the rules until it finds one that applies.

It is important to remember that a generic rule at the beginning of the table can cause a more specific later rule not to be evaluated. The order of the rules in the tables is very important.

You also have the option to apply a logical NOT to the rule evaluation by using Inverse match, in order to define more advanced policies.
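The evaluation order described above can be checked offline before a policy is applied. The following is an added example, not Zentyal code: a small Python model of top-to-bottom evaluation with ACCEPT/DENY/REGISTER decisions and the default deny, plus a check that flags rules which an earlier, more generic rule prevents from ever being evaluated. The Rule fields, the sample rule table and the choice to apply Inverse match to the source only are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:                      # hypothetical model of one firewall table row
    decision: str                # "ACCEPT", "DENY" or "REGISTER"
    source: str = "any"          # "any" or a CIDR network
    port: object = "any"         # "any" or a destination port number
    inverse: bool = False        # assumption: Inverse match negates the source

    def matches(self, ip, port):
        hit = self.source == "any" or (
            ipaddress.ip_address(ip) in ipaddress.ip_network(self.source))
        return (hit != self.inverse) and self.port in ("any", port)

def evaluate(rules, ip, port):
    """Return (decision, indexes of REGISTER rules that logged the connection)."""
    logged = []
    for i, rule in enumerate(rules):
        if not rule.matches(ip, port):
            continue
        if rule.decision == "REGISTER":
            logged.append(i)             # log the event, keep evaluating
            continue
        return rule.decision, logged     # first ACCEPT/DENY ends the evaluation
    return "DENY", logged                # no rule applied: default is to deny

def covers(outer, inner):
    """True if every connection matched by inner is also matched by outer."""
    if outer.inverse or inner.inverse:
        return False                     # inverse rules are not analysed here
    src_ok = outer.source == "any" or (
        inner.source != "any" and ipaddress.ip_network(inner.source)
        .subnet_of(ipaddress.ip_network(outer.source)))
    return src_ok and outer.port in ("any", inner.port)

def shadowed(rules):
    """Indexes of rules that an earlier ACCEPT/DENY rule makes unreachable."""
    return [j for j, rule in enumerate(rules)
            if any(e.decision != "REGISTER" and covers(e, rule)
                   for e in rules[:j])]

# Constructed sample table, evaluated from index 0 downwards.
RULES = [
    Rule("REGISTER", "any", 22),                    # log every SSH attempt
    Rule("ACCEPT", "192.168.1.0/24", "any"),        # generic allow for the LAN
    Rule("DENY", "192.168.1.50/32", 22),            # never reached: see rule 1
    Rule("ACCEPT", "10.0.0.0/8", 80, inverse=True), # port 80 unless from 10/8
]
```

Here `shadowed(RULES)` reports index 2: the host-specific DENY sits below the generic LAN ACCEPT, so the host is still allowed, and moving the DENY above the ACCEPT restores the intended policy.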

Creating a new rule in the firewall

By default, the decision is always to deny connections. Therefore, you have to add explicit rules to allow them. A series of rules is automatically added during installation to define an initial version of the firewall policies: allow all the outgoing connections to external networks (the Internet) from the Zentyal server (in Filtering rules for traffic coming out from Zentyal) and also allow all the connections from internal to external networks (in Filtering rules for internal networks). Additionally, each installed module adds a series of rules in the sections Filtering rules from internal networks to Zentyal and Filtering rules from external networks to Zentyal, normally allowing traffic from internal networks and denying it from the external networks. To change this behaviour, only the Decision parameter needs to be changed; you do not need to create a new rule. Note that these rules are added only during the installation process of a module and they are not automatically modified during future changes.

Finally, there is an optional Description field to add a comment on the purpose of the rule within the global firewall policy.