Setting up the firewall

[Update: May 16, 2019]

The following explains how to configure the firewall function of the VPC router.

1. Overview

The firewall provides the following functions on each WAN-side and LAN-side interface of the VPC router.

  • Filtering of inbound and outbound packets on each interface according to the configured rules.
  • Automatic permission of return packets for internal-to-external communications by stateful inspection.
    *Only available for the premium plan and high spec plan (operates in combination with the [Static NAT Function]).
  • Packet filtering for the VPC router itself (*)

*Packets addressed to TCP/UDP ports of the router that are not open are dropped. (The ports used for PPTP, L2TP/IPsec, and site-to-site VPN are opened only while the respective function is enabled.)

2. Adding new firewall rules

Firewall rules are configured by selecting the [Firewall] tab on the settings screen of the VPC router you want to configure. If rules have already been set, the list of existing rules appears on the list screen.

To add a new rule, select the interface to configure from the tabs at the top of the list screen and click the [Add] button at the bottom of the [Incoming] or [Outgoing] list, respectively.

The screen for adding a rule appears; enter each item.

Protocol: Select the protocol to filter: TCP, UDP, ICMP, or IP.
Source network: Enter the source IP address or network (e.g. 192.168.0.0/24).
Source port: Enter the source port number as an integer from 1 to 65535, or a range using a hyphen (example: 1024-65535).
*Not displayed when [ICMP] or [IP] is selected as the protocol.
Destination network: Enter the destination IP address or network.
*For traffic that is port-forwarded or static-NATed, this is the private IP address after translation, not the global address.
Destination port: Enter the destination port number as an integer from 1 to 65535, or a range using a hyphen (example: 1024-65535).
*Not displayed when [ICMP] or [IP] is selected as the protocol.
Action: Select [Allow] or [Deny] as the processing for packets that match the conditions.
Save logs: When [Valid] is selected, packets that match the rule are logged.
Explanation: You can enter an arbitrary string, such as a description of the rule.

*Items left blank match any value.
*Up to 60 rules (standard plan) or 200 rules (premium plan/high spec plan) can be set per interface, for incoming and for outgoing respectively.
*Packets that match no rule are allowed through the firewall. The default is therefore allow; to get default-deny behavior, add an explicit deny rule with every condition left blank as the last rule.
*On the premium plan/high spec plan, return packets for communications from inside to outside are automatically permitted by the static NAT function (stateful inspection).

After completing the settings, click the [Apply] button to push them to the VPC router. (The settings are applied by clicking [Apply] even while the VPC router is running; it does not need to be powered off.) If the power state is "DOWN", select [Start] from the power operation menu to start the VPC router.

The number of rules already set and the upper limit (60 for the standard plan, 200 for the premium plan and high spec plan, for incoming and outgoing respectively) are shown at the top of the list screen.

3. Editing firewall rules

Rules are evaluated in order of registration number; the first rule whose conditions match is applied, and the action set in its [Action] field (allow or deny) is performed. Later rules are not consulted for that packet, so reorder the list as necessary so that the rules behave as intended.

You can edit, reorder, or delete rules with the icons on the right of the list screen.

Icon: Explanation
Pencil icon: A screen identical to the add-rule screen appears, and you can edit the rule.
List icon: You can change the order of the rules by dragging them.
Cross icon: You can delete the rule.

*After completing the changes, click the [Apply] button to update the settings on the VPC router.

4. Example firewall rule settings

Allow incoming connections only to HTTP (TCP port 80) and deny incoming connections to all other ports.

Since all servers behind the VPC router are web servers, this example allows only incoming connections to the HTTP service and denies connections to all other services, such as SSH. Because unmatched packets are allowed by default, the allow rule for TCP port 80 must be followed by a deny rule with all conditions left blank.

*No [Outgoing] rules are defined.

Allow SSH (TCP port 22) only from the 203.0.113.0/24 network.

This example allows SSH connections to the servers under the [Private 1] interface only from the in-house network 203.0.113.0/24: an allow rule for TCP port 22 with source network 203.0.113.0/24, followed by a deny rule for TCP port 22 with the source left blank.

*No [Outgoing] rules are defined.
*Because this is a private interface, [Incoming] and [Outgoing] are reversed relative to the global interface; check which direction a rule belongs to before applying it.

Prevent unnecessary services on internal servers from sending traffic to the outside.

This example prevents packets from being sent to the outside when SMTP (port 25) and DNS (port 53) services are running unintentionally on a server behind the VPC router.

*Set as [Outgoing] rules.
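The rule semantics described in section 2 (first match wins, blank fields match anything, no match means allow, 60/200 rules per plan) are easy to get wrong when ordering rules by hand. The following is an added example, not the vendor's code and not connected to the control panel: it models those documented semantics offline so the three rule sets above can be checked before clicking [Apply]. The Rule and packet representations, the rule-list names, and the lint checks are this script's own assumptions; the "stray service" example is read as denying outbound connections to destination ports 25 and 53.

```python
"""Offline model of the VPC router firewall's documented rule semantics:
rules are evaluated top to bottom, the first match decides, blank fields
match anything, and a packet matching no rule is ALLOWED.

Added example; not the vendor's code. Rule/packet shapes are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-direction limits stated on the page.
PLAN_RULE_LIMIT = {"standard": 60, "premium": 200, "highspec": 200}


@dataclass
class Rule:
    protocol: str                   # "tcp", "udp", "icmp" or "ip" ("ip" = any protocol)
    src_net: Optional[str] = None   # "192.168.0.0/24" or one address; None = blank = any
    src_port: Optional[str] = None  # "22" or "1024-65535"; not shown for icmp/ip
    dst_net: Optional[str] = None
    dst_port: Optional[str] = None
    action: str = "allow"           # "allow" or "deny"
    note: str = ""                  # free-text explanation field


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '1024-65535' -> (1024, 65535). Rejects 0, >65535, reversed ranges."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (1 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port spec {spec!r}: must be 1-65535, low<=high")
    return lo_i, hi_i


def _port_ok(spec: Optional[str], port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    lo, hi = parse_port_spec(spec)
    return lo <= port <= hi


def _net_ok(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """pkt: {'proto','src','dst'} plus 'sport'/'dport' for tcp/udp."""
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    if not (_net_ok(rule.src_net, pkt["src"]) and _net_ok(rule.dst_net, pkt["dst"])):
        return False
    if rule.protocol in ("tcp", "udp"):
        return _port_ok(rule.src_port, pkt.get("sport")) and _port_ok(rule.dst_port, pkt.get("dport"))
    return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based number of the first matching rule); no match -> ('allow', None)."""
    for n, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, n
    return "allow", None


def lint(rules: List[Rule], plan: str) -> List[str]:
    """Checks worth running on one direction of one interface before clicking [Apply]."""
    problems: List[str] = []
    limit = PLAN_RULE_LIMIT[plan]
    if len(rules) > limit:
        problems.append(f"{len(rules)} rules exceeds the {plan} plan limit of {limit}")
    for n, r in enumerate(rules, start=1):
        for spec in (r.src_port, r.dst_port):
            if spec is not None:
                try:
                    parse_port_spec(spec)
                except ValueError as e:
                    problems.append(f"rule {n}: {e}")
        if r.action not in ("allow", "deny"):
            problems.append(f"rule {n}: unknown action {r.action!r}")

    def catch_all(r: Rule) -> bool:
        return r.protocol == "ip" and not any((r.src_net, r.src_port, r.dst_net, r.dst_port))

    if not (rules and rules[-1].action == "deny" and catch_all(rules[-1])):
        problems.append("no final deny-all rule: unmatched traffic is allowed by default")
    for n, r in enumerate(rules[:-1], start=1):
        if catch_all(r):  # anything after a blank-everything rule can never fire
            problems.append(f"rule {n} matches everything; rules {n + 1}-{len(rules)} are unreachable")
            break
    return problems


# The page's section-4 examples as rule lists (constructed here, not exported from the panel).
WEB_ONLY_INCOMING = [
    Rule("tcp", dst_port="80", action="allow", note="HTTP"),
    Rule("ip", action="deny", note="everything else"),
]
SSH_FROM_OFFICE_ONLY = [
    Rule("tcp", src_net="203.0.113.0/24", dst_port="22", action="allow", note="in-house SSH"),
    Rule("tcp", dst_port="22", action="deny", note="SSH from anywhere else"),
]
BLOCK_STRAY_SERVICES_OUTGOING = [
    Rule("tcp", dst_port="25", action="deny", note="unintended SMTP"),
    Rule("udp", dst_port="53", action="deny", note="unintended DNS"),
    Rule("tcp", dst_port="53", action="deny", note="unintended DNS over TCP"),
]

if __name__ == "__main__":
    for name, rules in [("web-only", WEB_ONLY_INCOMING), ("ssh-office", SSH_FROM_OFFICE_ONLY),
                        ("stray-services", BLOCK_STRAY_SERVICES_OUTGOING)]:
        print(name, lint(rules, "standard") or "ok")
```

The lint deliberately flags the second and third rule sets: they are correct for what the page intends (restricting one service) but still leave every other port open, because the router allows unmatched traffic. Run the direction that actually applies on a private interface, since [Incoming] and [Outgoing] are reversed there.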

5. Viewing the firewall log

Click the [Log] tab on the VPC router details screen, then click the [FW Incoming] or [FW Outgoing] tab to display the log.

*The latest 100 log records are displayed.
*There is no plan to add a function for displaying records older than the latest 100 on the control panel. Use the syslog transfer function to retain older logs.