Koozali automatically generates the firewall ruleset that is consistent with the server settings, and is automatically regenerated whenever the server settings are changed.
Using standard Network Address Translation (NAT) you would say incoming traffic on port 4321 should be allowed and routed to LAN IP address such-and-such 9and port number this-or-that).
Let us say that your service needs to provide a public service on TCP/IP port 4321, which is normally blocked by the firewall rules. All that you need to do is define this in Koozali as an additional custom service:
config set myservice service TCPPort 4321 access public status enabled signal-event remoteaccess-update
Note that a firewall hole is only opened if three things are true – the service has a TCPPort (or UDPPort) definition, the service is set to public access, and the service is enabled.
Public vs Private
Private allows LAN access to the
Run the commands above, and then these ones:
cp /etc/rc.d/init.d/masq /tmp config setprop myservice access private signal-event remoteaccess-update diff -u /etc/rc.d/init.d/masq /tmp/masq
This will produce output something like this:
- # myservice: TCPPort 4321, AllowHosts: 0.0.0.0/0, DenyHosts:
- /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 4321 \
- --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
+ # myservice: TCPPort 4321, AllowHosts: , DenyHosts:
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 4321 \
--destination $OUTERNET --jump denylog
The output above is the differences between two copies of the firewall rules – the first (marked with minus signs) is when myservice was set to public.
The second (marked with plus signs) is when the service was set to private.
Both public and private will allow LAN clients to connect to the server (= port).
Public allows incoming connections from the outside ($OUTERNET –jump ACCEPT) whereas Private does not ($OUTERNET –jump denylog).
Restricting services to specific external hosts: AllowHosts and DenyHosts
As well as being set to public and private, it is possible to allow or deny remote machines access to a particular service (= port). Let’s make the service public once more, but limit access to one host and one subnet:
config setprop myservice access public config setprop myservice AllowHosts 1.2.3.4,100.100.100.0/24 signal-event remotaccess-update diff -u /etc/rc.d/init.d/masq /tmp/masq
which should produce output something like this:
- # myservice: TCPPort 4321, AllowHosts: 0.0.0.0/0, DenyHosts:
+ # myservice: TCPPort 4321, AllowHosts: 1.2.3.4,100.100.100.0/24, DenyHosts:
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 4321 \
- --destination $OUTERNET --src 0.0.0.0/0 --jump ACCEPT
+ --destination $OUTERNET --src 1.2.3.4 --jump ACCEPT
+ /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 4321 \
+ --destination $OUTERNET --src 100.100.100.0/24 --jump ACCEPT
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 4321 \
--destination $OUTERNET --jump denylog
The firewall rulesets are automatically changed so that instead of allowing access from all hosts 0.0.0.0/0, they now two specific rules to allow the host and network specified, and a new –jump denylog rule which blocks and logs any others.
Note: Hosts which are not listed in AllowHosts are denied, if this property is configured.
There is also a DenyHosts property which generates rules to block specific hosts, if this is required. If there is a specific reason to limit access to a service, you should normally use AllowHosts to list the ones which do require access. The DenyHosts property is provided for completeness and can be useful in specific situations, for example for geoblocking IP address ranges.
A separate article how to block riffraff using DenyHost is available on this website – simply search for ‘riffraff’.
If you need a dedicated firewall device in your business (using 100MBps or gigabit speeds), the popular open source firewall implementation pfSense running on BSD may be of interest.
Easy.