Note

You are viewing the documentation for an older release of Interworx (6.x). To see documentation for the current generally available release of Interworx, click here: 7.13.

How to: Manage Firewall Options

InterWorx Control Panel integrates with the APF iptables firewall system. Users have fine-grained control over the firewall configuration on the server, including individual port control and global IP allow and deny lists.

The following procedures explain how to configure firewall options using InterWorx Control Panel. The most common configuration options are exposed in the InterWorx Control Panel interface. As with many of the system services, a system administrator still retains the ability to configure the service by editing the configuration file directly.

Firewall Options Reference:

Firewall Debug Mode

When Debug Mode is On, APF flushes all firewall rules every 5 minutes. This lets you test a new rule set without locking yourself out of the server: if a rule cuts off your own access, it is gone at the next flush and you can reconnect and correct it. Each flush also leaves the server unfiltered until the firewall is started again, so once the rules are confirmed working, turn Debug Mode off.
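
Debug Mode's periodic flush is one safety net; the same idea can be applied as a one-shot guard around a single change, which avoids leaving the server unfiltered every 5 minutes. The following is an added example, not part of InterWorx or APF: it assumes apf -f as the flush command (override FLUSH_CMD for anything else) and that you can open a second SSH session to confirm access before the timer fires.

```sh
#!/bin/sh
# One-shot lock-out guard for a firewall change (added example, not part of APF).
# Start the timer, apply your change, then try a fresh SSH login from another
# terminal. If it works, cancel the timer; if you are locked out, the timer
# flushes the firewall on its own and you can reconnect.

FLUSH_CMD=${FLUSH_CMD:-"apf -f"}   # assumed flush command; override it for a dry run

guard_start() {
  # guard_start SECONDS -> prints the PID of a timer that runs $FLUSH_CMD after SECONDS
  ( sleep "$1" && $FLUSH_CMD ) >/dev/null 2>&1 &
  echo $!
}

guard_confirm() {
  # guard_confirm PID -> cancel the pending flush; returns non-zero if it already fired
  kill "$1" 2>/dev/null
}

guard_pending() {
  # guard_pending PID -> true while the timer is still armed
  kill -0 "$1" 2>/dev/null
}

# Typical session (commented out so the file can be sourced safely):
#   GUARD=$(guard_start 120)     # two minutes to verify access
#   apf -r                       # reload the rules you changed
#   ... open a NEW ssh session from elsewhere ...
#   guard_confirm "$GUARD"       # only after the new session succeeded
```

Confirm from a new session, not the one you already have open: an established connection is often still tracked and allowed after a rule change, so it proves nothing about whether you can get back in.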

Default Type of Service

This sets the default IP Type of Service (ToS) marking on the server's outgoing packets, a hint to routers about how the traffic should be handled. Many networks ignore the legacy ToS bits, so the effect depends on the path. The options are:

  • Minimum delay - Choose this when low latency (the time it takes for data to travel from the source host to the destination host) matters most.

  • Maximum throughput - Choose this when the volume of data moved in a given period matters more than latency.

  • Maximum reliability - Choose this when it matters most that data arrives at the destination without retransmission being required.

TCP Drop Policy

This option determines what the firewall does with TCP packets that no rule allows. The options are:

  • Reset - Sends a TCP reset (RST) to the sender, so the client sees the connection refused immediately. This is what an unfirewalled host does for a closed port, and it is the default.

  • Drop - Silently discards the packet. The client gets no answer and must wait for its own timeout; this reveals less about the host but makes mistaken or scanning connections slow to fail.

  • Reject - Discards the packet and returns an ICMP error (for iptables REJECT, port unreachable by default), so the client fails immediately but can tell that something answered.

UDP Drop Policy

This option determines what the firewall does with UDP packets that no rule allows. The options are:

  • Reset - Sends a tcp-reset response. This is the TCP/IP default. Note that a TCP reset has no meaning for UDP traffic (iptables only accepts a tcp-reset rejection on TCP rules), and this page does not describe what is actually sent for UDP under this setting; if you want a defined behaviour, pick one of the options below.

  • Drop - Silently discards the packet; the client must wait for its own timeout.

  • Reject - Discards the packet and returns an ICMP error (for iptables REJECT, port unreachable by default), so the client fails immediately.

  • Prohibit - Sends an icmp-host-prohibited response, which tells the client that an administrative filter blocked the packet rather than that nothing is listening.
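
The TCP and UDP policies above correspond to iptables targets. The helpers below are an added example, not APF's own code: they render the catch-all rule for each policy name and read the effective policy back out of iptables-save output, so you can confirm the running ruleset matches what is set in the panel. The --reject-with values are standard iptables syntax; the page does not say what APF substitutes for Reset on UDP, so the helper refuses that combination rather than guess. The sample ruleset is constructed, not captured from a real server.

```sh
#!/bin/sh
# Translate the panel's TCP/UDP drop policies to iptables targets, and read the
# policy back out of a running ruleset. Added example; the target strings are
# standard iptables syntax, not copied from APF's own scripts.

stop_target() {
  # stop_target PROTO POLICY -> iptables target for the catch-all rule; fails on a bad combination
  proto=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  policy=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  case "$proto:$policy" in
    tcp:RESET)   echo 'REJECT --reject-with tcp-reset' ;;
    udp:RESET)   echo 'tcp-reset is only valid for TCP rules' >&2; return 1 ;;
    *:DROP)      echo 'DROP' ;;
    *:REJECT)    echo 'REJECT --reject-with icmp-port-unreachable' ;;   # iptables' REJECT default
    *:PROHIBIT)  echo 'REJECT --reject-with icmp-host-prohibited' ;;
    *)           echo "unknown policy '$2' for $1" >&2; return 1 ;;
  esac
}

stop_rule() {
  # stop_rule PROTO POLICY -> the iptables command that ends the INPUT chain for PROTO
  target=$(stop_target "$1" "$2") || return 1
  echo "iptables -A INPUT -p $1 -j $target"
}

effective_policy() {
  # effective_policy PROTO < iptables-save output -> policy name of the catch-all rule for PROTO
  # Only a bare "-p PROTO -j ..." rule counts; rules with port matches are per-service allows.
  line=$(grep -E "^-A INPUT -p $1 -j (REJECT|DROP)" | head -n 1)
  case "$line" in
    *tcp-reset*)             echo RESET ;;
    *icmp-port-unreachable*) echo REJECT ;;
    *icmp-host-prohibited*)  echo PROHIBIT ;;
    *'-j DROP'*)             echo DROP ;;
    *'-j REJECT'*)           echo REJECT ;;   # no --reject-with means port-unreachable
    *) echo "no catch-all $1 rule found" >&2; return 1 ;;
  esac
}

# Constructed iptables-save excerpt (not captured from a real server)
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Example: printf '%s\n' "$SAMPLE_RULES" | effective_policy udp   -> PROHIBIT
```

On a live server, run iptables-save | effective_policy tcp (and udp) after a reload. From the client side the difference is visible with a connection attempt to a closed port: Reset and Reject fail at once, Drop hangs until the client times out.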

Block Multicasting

Set this option to block multicast traffic. Leave it off if you intend to participate in the MBONE, a high-bandwidth network on top of the Internet which carries audio and video broadcasts, since that requires multicast to pass.

Block Private Networks

Set this option to block all private IPv4 addresses (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which should never appear on the public Internet. Leave it off if this host sits behind a firewall with NAT, or in a routing scheme that otherwise uses private addressing, since enabling it there can block the server's own traffic or your access to it.
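
Before enabling this option it is worth checking whether the server itself uses a private address on any interface. The following is an added example, not part of InterWorx or APF: it treats the RFC 1918 ranges as "private" and scans ip -4 -o addr show output for interface addresses inside them. The sample address listing is constructed, not captured from a real host.

```sh
#!/bin/sh
# Pre-flight check before enabling "Block Private Networks": list interface
# addresses that fall in RFC 1918 space (10/8, 172.16/12, 192.168/16). Added
# example; the RFC 1918 ranges are what this check assumes "private" means.

ip_to_int() {
  # ip_to_int A.B.C.D -> the address as an unsigned 32-bit integer
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
  # in_cidr ADDR NETWORK PREFIXLEN -> true if ADDR lies inside NETWORK/PREFIXLEN
  addr=$(ip_to_int "$1"); net=$(ip_to_int "$2")
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

is_private_ipv4() {
  # is_private_ipv4 ADDR -> true for any RFC 1918 address
  in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16
}

private_ifaces() {
  # Reads `ip -4 -o addr show` output on stdin; prints "IFACE ADDR" for each private address
  while read -r _num iface fam cidr _rest; do
    [ "$fam" = inet ] || continue
    if is_private_ipv4 "${cidr%/*}"; then
      echo "$iface ${cidr%/*}"
    fi
  done
}

# Constructed sample in `ip -4 -o addr show` format (not captured from a real host)
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
3: eth1    inet 10.0.5.4/24 brd 10.0.5.255 scope global eth1'

# On a live host:  ip -4 -o addr show | private_ifaces
# A non-empty result means enabling the option can cut off traffic on that interface.
```

If the list is not empty, also check where your own management traffic comes from: an address behind NAT arrives at the server with the NAT gateway's public address, which is fine, but a direct connection from a private network (a VPN or an internal management LAN) would be blocked.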

Maximum Sessions

This is the maximum number of “sessions” (connection tracking entries) the firewall keeps in kernel memory at once. Setting it far too high only wastes memory; setting it too low means that once the table fills, the kernel drops new connections (logged as “nf_conntrack: table full, dropping packet”), which is most likely to happen during a denial of service attack when attacker-generated entries crowd out legitimate ones.
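
A quick way to tell whether Maximum Sessions is sized right is to compare the live count with the limit and to look for the kernel's table-full message in the log. The following is an added example, not part of InterWorx or APF: it reads the standard nf_conntrack counters under /proc/sys/net/netfilter and uses an assumed 80% warning threshold. The sample kernel log lines are constructed.

```sh
#!/bin/sh
# Check how close the connection-tracking table is to the Maximum Sessions
# limit, and count the kernel's "table full" drops in a log. Added example;
# the /proc paths are the standard nf_conntrack ones, the 80% threshold is an
# assumed warning level.

CONNTRACK_WARN_PCT=${CONNTRACK_WARN_PCT:-80}

conntrack_usage_pct() {
  # conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
  echo $(( $1 * 100 / $2 ))
}

conntrack_status() {
  # conntrack_status COUNT MAX -> ok | warn | full
  if [ "$1" -ge "$2" ]; then
    echo full
  elif [ "$(conntrack_usage_pct "$1" "$2")" -ge "$CONNTRACK_WARN_PCT" ]; then
    echo warn
  else
    echo ok
  fi
}

count_table_full() {
  # Counts "table full, dropping packet" events in kernel log text read from stdin
  grep -c 'nf_conntrack: table full, dropping packet' || true
}

live_conntrack_status() {
  # Reads the live counters (requires the nf_conntrack module to be loaded)
  d=/proc/sys/net/netfilter
  [ -r "$d/nf_conntrack_count" ] || { echo 'nf_conntrack counters not available' >&2; return 1; }
  conntrack_status "$(cat "$d/nf_conntrack_count")" "$(cat "$d/nf_conntrack_max")"
}

# Constructed kernel log lines (not from a real host)
SAMPLE_DMESG='[12345.678] nf_conntrack: table full, dropping packet
[12345.690] nf_conntrack: table full, dropping packet
[12346.001] eth0: link is up'

# On a live host:  live_conntrack_status;  dmesg | count_table_full
```

A non-zero table-full count with a low steady-state usage is the signature of a flood that filled the table: raising the limit buys headroom, but the entries also live for the conntrack time-outs, so the Sysctl TCP hardening below matters as much as the raw number.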

Sysctl TCP

These are sysctl settings applied along with the firewall to harden the kernel against common network attack patterns, mainly by lowering standard time-out values and other time-based packet responses so that stale connection state is discarded sooner.