10.3 Easy Filter Configuration
-
All NBM/On Server (NSBS)/Off Server services are logically grouped together and listed as services
-
Falling back to default filters is possible
-
Clearing all kinds of filters and exceptions on the selected server is easier
-
All policies are listed in one page
-
Creation of service-based exceptions is easier
The following sections describe steps to configure filters and exceptions using Easy Filter Configuration to allow specific IP services through the Novell® BorderManager® 3.9 firewall.
10.3.1 Configuring Filters for Novell BorderManager services
To configure filters for Novell BorderManager Services do the following:
-
Log in to iManager, then select .
-
From the list, select the server where the filters are to be configured by clicking the icon and then click .
-
From the drop-down list, select the public interface of the server where the filters/exceptions are to be configured.
-
To enable the filter for a service, select the corresponding check box under .
You can configure filters and exceptions for the following NBM services:
-
HTTP and Secure HTTP Proxy
-
FTP Proxy
-
DNS Proxy
-
Mail Proxy
-
News Proxy
-
Real Audio Proxy
-
RTSP Proxy
-
Transparent Telnet Proxy
NOTE:If you enable exceptions for proxy with the option, it creates two default filters to deny all incoming and outgoing connections, thus creating exceptions to allow only HTTP and HTTPS traffic.
-
-
To enable the log for a service, select the corresponding check box, under .
IMPORTANT:When you enable this option, the header of the packet that match the options in the filters or exceptions is logged if you have enabled both global logging status and filters/exception logging status. This is placed in the directory sys:\etc\logs\ippktlog. If you disable the option, the packets that match the options in filters or exceptions are not logged. Datalogging slows down the server’s performance and therefore should be kept on only for a short time.
-
To enable the stateful filter for a service, select the corresponding check box under
If stateful filtering is enabled in a filter rule, a dynamic filter is also created in the reverse direction. The reverse filter is created with the information such as source IP address, source interface, source port, destination IP address, destination interface, and destination port. This information is stored in a table which is later used to compare against the reply.
-
Click . A page listing the filters that were added is displayed.
NOTE:Use the List All Firewall Policies option to delete any filter. For more information, see List All Firewall Policies.
10.3.2 Configuring On-Server Service Exceptions
All Novell Small Scale Business Suite (NSBS) services are grouped and listed under On-Server Services. On-Server is the server where all the services and firewall are running. You can configure exceptions to the On-Server Services here.
To configure filters and exceptions for On-Server Services, complete the following steps:
-
Log in to iManager, then select .
-
From the list, select the server where the filters are to be configured by clicking the icon and then click .
-
Select the tab.
-
To enable the filter for a service, select the corresponding check box under ..
The On Server services (NSBS) are grouped into five main service headings, under which various services are available:
-
Mail Messaging Services
-
Groupwise® Internet Agent
-
Groupwise Web Access
-
Groupwise PO Agent
-
Groupwise Mail Transfer Agent
-
-
File Services
-
iFolder®
-
Apple* Filing Protocol
-
Common Internet File System
-
Network File System
-
Network Attached Storage Device
-
-
Print Services
-
iPrint
-
Line Printer Daemons
-
Novell Distributed Print Services™ (NDPS®)
-
-
Network Management
-
ZENworks® for Desktop 3
-
ZENworks for Server 2
-
ZENworks for Server 3.2
-
-
Miscellaneous
-
iManager
-
WebServer
-
Remote Debugger
-
IMPORTANT:When you select enable log, it creates a log where the header of the packet that matches the options in the filters or exceptions is logged. Data logging slows down the server’s performance and you should turn it on only for a short period.
-
-
To enable the log for a service, select the corresponding check box, under .
-
Select the check box under to enable a stateful filter.
-
Click .
The results page is displayed.
10.3.3 Configuring Off-Server Service Exceptions
To configure Off-Server service exceptions, complete the following steps:
-
Log in to iManager, then select .
-
From the list, select the server where the filters are to be configured by clicking the icon and then click .
-
Select the tab.
-
From the drop-down list select the public interface where the exceptions are to be created.
This is either the LAN or WAN interface that connects your server to the Internet or other public network.
-
-
To enable the filter for a service, select the corresponding check box under .
Off-Server Services (where firewall and services run on different machines) exceptions are classified into two main categories, under which various services are available.
-
Proxy Services
-
HTTP and Secure HTTP Proxy
-
FTP proxy
-
Mail Proxy
-
News Proxy
-
Real Audio Proxy
-
RTSP proxy
-
DNS Proxy
-
Transparent Telnet Proxy
-
-
Other Services
-
Mail Server
-
Web Server
-
FTP Server
-
DNS Server
-
-
-
To enable the log for a service, select the corresponding check box, under .
-
Select the check box under to enable a stateful filter.
If stateful filtering is enabled in a filter rule, a dynamic filter is also created in the reverse direction that is defined by the filter rule.
-
Indicate whether the proxy server is behind or outside the firewall by selecting the respective radio buttons.
-
Select if the service is behind the firewall and the traffic to the Internet has to pass through the firewall.
-
If the service exists before the firewall and the traffic coming from the Internet has to pass through the proxy and the firewall, then select .
-
-
Specify the server IP address of the proxy where the services are running in the Server IP Address field, then click .