What is a step-action table

Description:

Firewall rules cannot be created in WEBconfig in the same way as in LANconfig. Instead, the procedure and the syntax described in this document must be used.

Info:
The procedure and syntax for configuring firewall rules in the LANCOM Management Cloud are described in this Knowledge Base article.


Requirements:


Method:

So that the action IDs described below do not have to be typed into every firewall rule, it is advisable to create so-called firewall objects before creating the individual rules; the objects can then be reused in any number of rules.

The menu Configuration → Firewall / QoS → IPv4 rules → Firewall objects already contains ready-made objects for the most common actions, protocols and source or destination addresses (ACCEPT, REJECT, DROP, ANYHOST, LOCALNET, etc.), which can be used for simple firewall rules.

To clarify the procedure, the following firewall rules are created with WEBconfig as examples:

      • Block traffic from a specific source IP address
      • Allow HTTPS connections globally
      • Guarantee a minimum bandwidth of 256 kilobytes per second (QoS)
Example rule 1: block traffic from a specific source IP address:

1.1 Open the configuration of the LANCOM device in WEBconfig in the menu Configuration → Firewall / QoS → IPv4 rules → Firewall objects → Object table and click the button Add.

1.2 Give the object a meaningful name (in this example PC_IM_LAGER) and enter as the value the syntax %A followed by the IP address of the device (e.g. %A10.10.10.1). Then click OK to save the entry.

Info:
The Value field can hold no more than 64 characters. To use more than 64 characters, objects are nested. For instructions, see this Knowledge Base article.

1.3 Click on Set to apply the change.

1.4 Open the menu Configuration → Firewall / QoS → IPv4 rules → Rule table and create a new rule.
  • Give the rule a meaningful name.
  • Since all protocols are to be blocked, the ready-made protocol object ANY can be used.
  • As the source, select the object PC_IM_LAGER created in step 1.2. If you do not want to use a firewall object, enter the syntax %A10.10.10.1 directly at this point.
  • The destination ANYHOST means that the rule applies to all destinations.
  • As the action, enter the ready-made action object REJECT. REJECT answers the sender with an error message; if the blocked device should receive no response at all, use the action object DROP instead.

1.5 Click on Set to apply the change.

Example rule 2: Allow HTTPS connections globally:

2.1 Open the menu Configuration → Firewall / QoS → IPv4 rules → Rule table and create a new rule.

  • Give the rule a meaningful name.
  • Since all protocols are allowed, the ready-made protocol object ANY can be used. If the rule should apply to TCP only, use the protocol object %P6 (TCP) instead.
  • All clients in the network should be able to use HTTPS connections, so the ready-made object ANYHOST can be entered as the source.
  • The destination HTTPS restricts the rule to the HTTPS service (port 443) on any destination host. If you do not want to use the ready-made object HTTPS, enter the syntax %S443 at this point.
  • As the action, enter the ready-made action object ACCEPT.

2.2 Click on Set to apply the change.

Example rule 3: guarantee a minimum bandwidth of 256 kilobytes per second (QoS):

3.1 Open the router configuration in WEBconfig in the menu Configuration → Firewall / QoS → IPv4 rules → Firewall objects → Actions table and click the button Add.

3.2 Give the action a meaningful name and enter the syntax %Qgds256 (QoS object, global, data rate, 256 kilobytes per second). Then click Set to save the entry.

3.3 Open the menu Configuration → Firewall / QoS → IPv4 rules → Rule table and create a new rule.

  • Give the rule a meaningful name.
  • Since all protocols are allowed, the ready-made protocol object ANY can be used.
  • The guaranteed minimum bandwidth should apply to all sources and all destinations, so the ready-made object ANYHOST can be entered as both source and destination.
  • As the action, enter the action object created in step 3.2. If you do not want to use that action object, enter the syntax %Qgds256 directly at this point.

3.4 Click on Set to apply the change.

Syntax for creating actions:

All actions can be combined with one another as required. For actions that cancel each other out (e.g. "Accept" + "Drop"), the safer variant (in this case "Drop") is selected automatically.

Action           | Description
Accept           | The packet is accepted.
Reject           | The packet is rejected with a suitable error message.
Drop             | The packet is silently discarded.
Connect filter   | The filter is active when there is no physical connection to the destination of the packet.
Internet filter  | The filter is active if the packet was received via the default route or is to be sent via it.
Syslog           | Outputs a detailed message via syslog.
Mail             | Sends an e-mail to the administrator.
SNMP             | Sends an SNMP trap.
Close port       | Closes the destination port of the packet for a specified time.
Deny host        | Blocks the sender address of the packet for a specified time.
Disconnect       | Disconnects the physical connection to the remote site via which the packet was received or is to be sent.
Zero limit       | Resets the limit counter (see below) to 0 when the trigger threshold is exceeded.

Each action is entered as a percent sign followed by its ID; the IDs used in the examples on this page are %a (Accept), %d (Drop) and %p (Close port).

Important notes on actions:

1.) Close port
  • The affected port is entered in a blacklist.
  • Further packets to that host and port are discarded.
  • The blocking time is specified in hours (h), minutes (m) or seconds (s) directly after the action ID (example: %pm10 blocks the port for 10 minutes).

2.) Deny host
  • The sender of the packet is entered in a blacklist.
  • The blocking time uses the same syntax as for the close port action.

3.) Connect filter / Internet filter
  • If no further action is specified, the firewall responds with Reject when one of these filters matches.

Syntax for creating limits:

Each action can be linked to a limit. Exceeding the limit is the trigger for the following action.

Limits are always introduced with %l. Next comes the reference [connection-related (c) or global (g)], followed by the type of limit [data rate (d), number of packets (p) or packet rate (b)].

Finally, additional parameters such as the period and the size are given.

Example: %lcds8

In this example the limit takes effect as soon as more than 8 kilobytes per second are transferred on the existing connection (c = connection, d = data, s = per second, 8 = size).

Limit                | Description
Data (abs)           | Absolute number of kilobytes on the connection after which the action is carried out.
Data (rel)           | Number of kilobytes per second / minute / hour on the connection after which the action is carried out.
Packet (abs)         | Absolute number of packets on the connection after which the action is carried out.
Packet (rel)         | Number of packets per second / minute / hour on the connection after which the action is carried out.
Global data (abs)    | Absolute number of kilobytes sent to or received from the destination host after which the action is carried out.
Global data (rel)    | Number of kilobytes per second / minute / hour sent to or received from the destination host after which the action is carried out.
Global packet (abs)  | Absolute number of packets sent to or received from the destination host after which the action is carried out.
Global packet (rel)  | Number of packets per second / minute / hour sent to or received from the destination host after which the action is carried out.
Receive option       | Restricts the limit to the receiving direction (used in combination with the limits above; examples are given in the Object-ID column).
Transmit option      | Restricts the limit to the sending direction (used in combination with the limits above; examples are given in the Object-ID column).

Information on the use of "Quality of Service"

  • Quality of Service objects (QoS objects) are special limits through which a minimum bandwidth can be guaranteed.
  • The same conventions apply as for the limit objects.
  • QoS objects are introduced with %q and differ from limit objects only in that packets are still accepted after the threshold has been exceeded.
  • With a QoS object, the Accept action can be omitted both as the main action and as the triggered action, so the description can be shortened accordingly.

    Example: %a%qcds8%a%lgds32%d = %qcds8%lgds32%d

    Both forms guarantee 8 kilobytes per second per connection (%qcds8) and drop packets (%d) once more than 32 kilobytes per second are transferred globally (%lgds32).

Syntax for creating firewall objects:

Object          | Description                                                           | Object ID | Example
LOCALNET        | All local networks                                                    | %L        |
ANYHOST         | Any networks                                                          |           | %A0.0.0.0 %M0.0.0.0
Remote station  | Internet / VPN / PPTP / ISDN / L2TP remote site                       | %H        | %HBACKGROUND
Hostname        | DNS name of a network participant                                     | %D        | %DServer01
MAC address     | MAC address of a network participant                                  | %E        | %E00:A0:57:12:34:56
IP address      | IP address of a network participant                                   | %A        | %A10.0.0.1
Netmask         | Subnet mask                                                           | %M        | %M255.255.255.0
Protocol        | TCP, UDP, Ping, etc.                                                  | %P        | %P6 for TCP
Service (port)  | Services such as HTTPS as well as self-defined ports and port ranges  | %S        | %S443 for HTTPS

Objects of the same type can be combined in lists by separating the entries with a comma (e.g. %A10.0.0.1,10.0.0.2) or as a range with a hyphen (e.g. %S20-25).

A value of "0" or an empty value (a space) denotes the object ANY.