# Policy

# Security Policy

FWCloud-UI allows you to create a Security Policy in a graphical, intuitive and an easy to use web user interface. The security policy is based on IPTables, so you will expect to find INPUT, OUTPUT and FORWARD chains, as well as SNAT and DNAT. You can configure the policy for IPv4 and for IPv6.

Out of the box, your firewall will have a scaffold with a minimum set of basic rules.

Don't forget IPv6

Remember that IPv6 is now functional in the majority of Linux based and Windows systems. Some installations that seams to be quite secured have security issues when related to IPv6.

When you create a new firewall using FWCloud-UI you will have the minimum rules configured.

When you need to add a new rule, unfold the firewall group you want to add it to, unfold IPv4 or IPv6 policy group and select the appropriate chain: INPUT, OUTPUT, FORWARD, SNAT or DNAT.

On the policy panel you will see all the rules of that chain. Decide the position for the new rule. Right click on the leftmost side of the rule (that is, on the number of the rule) that occupies that position and select in the context menu Create new rule above or Create new rule below according to your criteria.

Create Rule

You will get a new rule added with Any value in the many of its fields.

New Rule

To customize this rule according to its objective you just need to drag and drop elements on the fields. The majority of the operation in FWCloud-UI are done by drag and drop.

Copy and Paste

Sometimes is easier making copy of a previous rule and modified it than create a new one. Just right click on the left side of the rule and select Copy. Then go to the right position, right click again an select Paste above or Paste below.

It is possible too to select and copy several rules, not only one.

When you modify the policy of a firewall, by adding or changing any rule, two new icons appear next to the firewall name.

The orange C indicates the new policy needs to be compiled, and the I that it also needs to be installed in the target firewall.

# Policy Rules

# Rules

The security policy is composed of firewall rules. In FWCloud-UI any rule is graphically represented as row in a table. The columns of the table are the fields of the rule.

Create Rule

When you need to add a new rule, unfold the firewall group you want to add it to, unfold IPv4 or IPv6 policy group and select the appropriate chain: INPUT, OUTPUT, FORWARD, SNAT or DNAT.

Not all rules have the same fields, depending on the firewall chain you are creating the rule. FWCloud-UI only allow you to fill in the appropriate fields

On them you can drag and drop interfaces, IP addresses, networks, prefix, etc. Check Objects section to know the kind of objects that can be used in a rule.

# Create new rule

In order to create a new rule go to the corresponding firewall and expand it by clicking on the > symbol. You can create rules for IPv4 and IPv6 protocols. Expand the protocol and select one of the showed chains (INPUT, OUTPUT, FORWARD, SNAT, DNAT) The Policy panel will be changed to show all the current rules of that chain. Now decide the position for the new rule. Right click on the leftmost side of the rule (that is, on the number of the rule) that occupies that position and select Create new rule above or Create new rule below according to your criteria.

Create Rule

You will get a new rule added with Any value in most of its fields. This is kind of template for the new rule, you will need to customize this rule according to its objectives. Now just drag and drop elements on these fields. The majority of the operation in FWCloud-UI are done by drag and drop.

# Compose rule

A FWCloud rule is composed by drag and drop elements from the left panel of the FWCloud-UI to the proper box of the rule. For instance, let's suppose you start from a fresh new rule like this:

Create Rule

and you want to add the interface eth0 [LAN] in the In field. Just click on eth0 [LAN], drag it ...

Create Rule

and drop it in the In box,

Create Rule

then continue with eth1 [WAN] in the Out field ...

Create Rule

and the rest of the fields ...

Create Rule

until the rule is exactly as you want it:

Create Rule

Important note

In order to avoid creating a rule than could lead to an incorrect policy, FWCloud-UI detects when you are adding and empty group, that is, a group with no elements in it.

Empty group error

# Select rules

To select a rule just click on the rule number on the left. Multiple selection is possible. To select a group of contiguous rules click on the first rule and then holding the shift key click on the last rule of the range. To select a group of rules individually hold the control key when selecting the rules. Rules selected have a gray background color on the number of the rule.

In the next figure, rules with id 5, 7 and 8 are selected, while rule 6 is not

Multiple rules selected

# Edit rule

Some rules can need options that cannot be accomplished by drag and drop. In these cases right click the number of the rule and select Edit rule or just double click on the number of the rule

Rule Edit

Editing a rule allow you to modify its properties

Rule Options

Here you can set if an individual rule takes into account the state of the connections with matching the packets or not. FWCLoud-UI configures all rules as stateful if the "Stateful firewall" is set on the firewall options (this is the default), otherwise the rules are stateless.

Also can be activated the log of the packets that are matched by this rule. The output of the log is registered in syslog prefixed by the rule number. When the log is set, a rate limit of 60/minute is applied to the rule.

When the options of a rule are modified a small gear icon Gear icon appears by the rule number.

# Rule scripts

We can make the policy rules to launch scripts. We call them "Hook scripts". They can be executed before or/and after the rule is loaded into the firewall. To associate them to a rule we just need to edit the rule an write the commands we want to be invoked in the proper text box.

Rule Options

Here we can put any shell command or executable file. These text fields are limited to 65000 characters, for more structured scripts it is better to write them in a separate file. The commands detailed here will be executed by the user employed to load the policy.

This feature is very important to be able to employ FWCloud in conjunction with other programs that also modify the system secure policy. For example we can make fail2ban ban an IP address right before loading a particular rule that allows ssh traffic, just adding "/usr/bin/fail2ban set sshd banip 23.34.45.56" in that rule.

If we want to load a bunch of iptables rules before the FWCloud policy we can write them in a script file and associate it to the Before-hook-script of the first rule of FWCloud.

We have to take into account that when the security policy is loaded, all the previous security rules are replaced by the new ones detailed in FWCloud-UI.

When a rule has associated scripts, it is graphically represented by an Hook script icon icon next to the rule number. Also if we hover the mouse over this icon we a pop up messages show us this rules has scripts.

Hook script message

The scripts are also shown when we compile the rule. Next there is an example of a rule executing two scripts:

Hook script compilation

# Copy Rule

When composing or modifying a rule you can copy the objects from the rules you previously have and paste them in the new field.

Also for your convenience you can make a copy of a rule, right click on the number of the rule, select Copy and then right click the number of another rule and select Paste above or Paste below from the context menus.

Copy Rule

This action can be done in more than one rule if you keep them selected.

When a rule or rules have been copied to the clipboard a small icon Copy Rule Icon appears at the bottom of the policy panel. If you click on it you can see the messages indicating the number of rules copied. You can removed them from the clipboard by clicking on the litter bin icon of the message.

Copy Rule Msg

# Cut rule

In order to sort your rules you can cut a rule and paste on another position. This can be done by selecting Cut and then Paste above or Paste below from the context menu of the rules.

Cut Rule

Also multiple selection of rules is allowed for this action.

Once the rule or rules are cut you can see a Copy Rule Icon red icon. If you click on it you can see the rules that are cut and pending to be copied

Copy Rule Icon

# Move rule

Rules can be moved in order to compose the secure policy. To move a rule right click on the number of the rule, select Move above or Move below until the rules gets it right place.

Move Rule

You can do it with multiple rules if the are selected.

# Change rule color

To better distinguish one rules from others or which part of the policy they affect, the background color of these can be modified.

Rule Color

You can modify the color using the color picker form. The most used colors will be remembered in order of use, to make it easy to reuse a previous used color

Color Picker

It is possible to change the color of multiple rules at the same time.

# Delete rule

If you thing a rule is not going to be needed it can be removed from the policy. Right click on the rule number and select Delete rule.

Move Rule

Multiple selection of rules can be done for this action.

# Disable rule

Sometimes you want temporarily disable a rule but not deleted. Right click on the rule number and select Disable rule.

Disable Rule

When a rule is disabled it is blurred and a white cross over red background appears by the rule number.

Disabled Rule

To re-enable the rule again select Enable rule in the context menu.

You can disable or enable all the rules that are selected.

# Compile rule

When creating your secure policy if you want to known beforehand how a rule will look like in iptables when installed in your firewall, right click the number of the rule and select Compile selected rule.

ompile Rule

And a pop up windows will show the rule compiled.

Compile Rule Form

# Groups

In order to organize the secure policy you can put rules into groups. First you need to create a group. A group is created from a rule than will go into it. Right click that rule and select Create group.

New Group

And fill the form with the name of the group.

Group Form

By anytime you can rename a group of rules by editing it.

Edit Group

In order to add a rule to the group move it until is next to the group. Then right click on the rule number and select Move to the group above or Move to the group below.

Add Rule in a Group

If a rule needs to be out of a group, right click and select Remove them from group.

Remove Rule from a Group

The groups can be collapsed or expanded to the display the rules inside them. Also you can change the color of the group in order to visually separate one group from another.

Color Group

Group Color Example

If a group is not longer needed, it can be deleted.

Delete Group

# Load Policy

In order to load the secure policy into a firewall you need to compile it (visit Compile firewall section) and then install it (visit Install firewall section).

The policy will take effect immediately after installed into the firewall.