How to Configure Firewall Options

Prerequisites

Last Updated for InterWorx-CP version 2.1.0

No special prerequisites.

Purpose

The following procedures explain how to configure firewall options using InterWorx-CP. The most common configuration options are exposed in the InterWorx-CP interface. As with many of the system services, a system administrator still retains the ability to configure the service by editing the configuration file directly.

Procedure

  1. Click on the Server menu if it is not already expanded.
  2. Click on the Firewall item.
  3. You should now be looking at the Firewall controls in the main content area.
  4. Locate the Firewall Information section.
  5. Change the option(s) you wish to update to the desired value(s).
  6. Click the Update button.

Firewall Options Reference

Firewall Debug Mode

When Debug Mode is On, the firewall rules are automatically flushed every 5 minutes. This allows you to test your firewall rules and prevents you from locking yourself out of your system. Once you have the firewall set up, turn Debug Mode off.

Default Type of Service

Setting this option affects network response. The following options are:

  • Minimum delay – Set this option when low latency (the time it takes for data to travel from the source host to the destination host) is most important.
  • Maximum throughput – Set this option when the volume of data transmitted in any period of time is important, and latency is less important.
  • Maximum reliability – Set this option when it is important that you have some certainty that the data will arrive at the destination without retransmission being required.

Linux Network Administrators Guide

TCP Drop Policy

Setting this option determines how TCP packets are filtered. The following options are:

  • Reset – Sends a tcp-reset. This is the TCP/IP default.
  • Drop – Drops the packet.
  • Reject – Rejects the packet.

UDP Drop Policy

Setting this option determines how UDP packets are filtered. The following options are:

  • Reset – Sends a tcp-reset response. This is the TCP/IP default.
  • Drop – Drops the packet.
  • Reject – Rejects the packet.
  • Prohibit – Sends an icmp-host-prohibited response.
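The following script is an added example, not InterWorx-CP or APF code. It renders the TCP and UDP Drop Policy choices above as iptables targets and reproduces the Debug Mode safety net from the Firewall Debug Mode section (a scheduled flush) using at(1). The rule shape, port numbers and the at(1) dependency are assumptions; InterWorx-CP generates its own rule set.

```shell
#!/bin/sh
# Added example (not InterWorx-CP code). Set DRY_RUN=1 to print the
# commands instead of running them; review the output before applying.

run_or_print() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$1"; else eval "$1"; fi
}

# Map a policy name, as shown in the interface, to an iptables target.
policy_target() {
    proto=$1    # tcp | udp
    policy=$2   # reset | drop | reject | prohibit
    case "$policy" in
        drop)   echo "DROP" ;;
        reject) echo "REJECT" ;;   # iptables default: icmp-port-unreachable
        reset)
            # iptables accepts --reject-with tcp-reset only on TCP rules,
            # so the UDP "Reset" choice cannot be expressed this way.
            [ "$proto" = tcp ] || return 1
            echo "REJECT --reject-with tcp-reset" ;;
        prohibit)
            # The interface offers Prohibit for UDP only.
            [ "$proto" = udp ] || return 1
            echo "REJECT --reject-with icmp-host-prohibited" ;;
        *) return 1 ;;
    esac
}

# Build the INPUT rule that applies a policy to one destination port
# (illustrative rule shape; assumed, not what InterWorx-CP emits).
drop_rule() {
    proto=$1; port=$2; policy=$3
    target=$(policy_target "$proto" "$policy") || return 1
    run_or_print "iptables -A INPUT -p $proto --dport $port -j $target"
}

# Debug Mode equivalent: queue a full flush before touching the rules so a
# mistake undoes itself. Resetting the policy matters: a flush alone leaves
# a default DROP policy in place and still locks you out.
schedule_flush() {
    minutes=${1:-5}
    run_or_print "echo 'iptables -F; iptables -P INPUT ACCEPT' | at now + $minutes minutes"
}

# Example session in dry-run mode (constructed ports: telnet and SNMP).
DRY_RUN=1
schedule_flush 5
drop_rule tcp 23 drop
drop_rule udp 161 prohibit
```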

Block Multicasting

Set this option if you intend to participate in the MBONE, a high bandwidth network on top of the Internet which carries audio and video broadcasts.
More about MBONE

Block Private Networks

Set this option to block all private IPv4 addresses. Leave this option off if this host resides behind a firewall with NAT or a routing scheme that otherwise uses private addressing.

Maximum Sessions

This is the maximum number of “sessions” (connection tracking entries) that can be handled simultaneously by the firewall in kernel memory. Increasing this value too high will simply waste memory; setting it too low may result in some or all connections being refused, in particular during denial of service attacks.

Sysctl TCP

These are sysctl hook changes that further harden the kernel against common network attacks by lowering standard time-out values and other time-based packet responses.

COPYRIGHT © InterWorx L.L.C. 2004-2008