Processing of access rules does not necessarily need to be associated with the physical network environment on the box level of a CloudGen Firewall. On systems equipped with multiple network interfaces, you can explicitly define specific interfaces for usage when a rule comes into action.
An interface group specifies the interface that the source address is allowed to use. When you create access rules, you can use predefined groups, or if you want to reference custom interfaces that are not in the default list, you can create custom interface groups. For each rule an interface may be assigned to origin and destination of the connection request when selected in the Connection Objects settings .
Predefined Interface Groups
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- From the left menu, expand the Firewall Objects menu and select Interface Groups.
The following predefined network interface objects are available for selection:
Any – With this setting the first interface matching the request is utilized for the connection in accordance with routing configuration. The packet source is not verified. Reply packets might be forwarded through another interface, if multiple interfaces capable of doing so are available. Not to check the physical source of packets might sometimes be needed in very special configurations.
Matching (default) – This setting ensures that arriving packets are processed through the same interface, which will forward the corresponding reply packets. Source and destination addresses are thus only reversed. This method aims at preventing a network attack, in which an attacker might try using internal addresses from outside the internal network (IP spoofing).
- RAM, ADSL, DHCP, ISDN, SERIAL, 3G, ... – Explicitly restricts rule processing to the specified dynamic network interface (if installed and configured).
Create an Interface Group
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
Right-click the table and select New.
- In the Edit/Create an Interface Group window, enter a descriptive Name for the interface group.
- From the Interface drop-down list, select your desired option:
match (default) – This setting ensures that arriving packets are processed through the same interface, which will forward the corresponding reply packets. Source and destination addresses are thus only reversed. This method aims at preventing a network attack, in which an attacker might try using internal addresses from outside the internal network (IP spoofing).
any – With this setting the first interface matching the request is utilized for the connection in accordance with routing configuration. The packet source is not verified. Reply packets might be forwarded through another interface, if multiple interfaces capable of doing so are available. Not to check the physical source of packets might sometimes be needed in very special configurations.
- eth0 - 4 – Lets you select a specific port.
- dhcp – Explicitly restricts rule processing to the specified dynamic network interface (if installed and configured).
- Click Add to add the interface to the list.
- Click OK.
- Click Send Changes and Activate.