Differences in Revisions: Firewall Options

fixed links
# Firewall Options
 
The firewall options page provides an easy way to modify different firewall options in a graphical way or to adjust the logging characteristics on multiple network packets. One of the most important point is to take control on the policy and the default behaviour of the forward and outgoing firewall.
The firewall options page provides an easy way to modify different firewall options in a graphical way or to adjust the logging characteristics on multiple network packets. One of the most important point is to take control on the policy and the default behavior of the forward and outgoing firewall.
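Review bot: the only change in this paragraph is "behaviour" to "behavior" in its last sentence, which leaves the page inconsistent because the final heading still reads "Firewall policy & default behaviour"; pick one spelling for the whole page. The same sentence still reads "One of the most important point is", which should be "One of the most important points is" if the line is being touched anyway.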
 
 
## Masquerading/NAT
 
This part has been moved to [](./masquerading)
This part has been moved to [](masquerading).
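Review bot: the link label is still empty in `[](masquerading)`, so the sentence ends in a link with no visible text; give it a label such as `[Masquerading/NAT](masquerading)`. The target also changes from `./masquerading` to a bare `masquerading`, so it is worth confirming that the new form resolves relative to this page as the old one did.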
 
 
## Logging
 
This section allows you to customize how network packets dropped by your firewall are logged.
 
 
![](/configuration/firewall/en_firewall_options_firewall_logging.png)
 
### Log dropped NEW not SYN packets
 
When a system is connected to the internet with a dynamic IP address and that address changes, you may receive traffic which was addressed to the former owner of the address. This can happen because in some cases the sender was not informed that the recipient's address has changed, so network packets of established connections are sent to you. IPFire will mark them as new but without a known connection. They will be dropped and logged by the firewall as "NEW not SYN" packets.
 
### Log dropped input packets
 
Packets which have been dropped by the firewall input chain get logged. This option switches that logging on or off.
 
### Log dropped forward packets
 
Like the option above, but for the logging of dropped forward packets.
 
### Log dropped outgoing packets
 
Similar to the option for input packets: the logging of dropped outgoing packets can be changed.
 
### Log dropped portscan packets
 
This option can be used to disable the logging of all dropped packets which have been recognized as potentially bad TCP traffic.
 
### Log dropped wireless input packets
 
This option allows you to disable the logging of dropped traffic from unauthorized clients on the blue network zone.
 
### Log dropped wireless forward packets
 
By using this option, the logging of dropped network packets from the blue to the green or orange zone can be disabled or re-enabled.
 
 
## Firewall options for BLUE interface
 
This section is only displayed after a blue network zone has been installed and configured. It can be used to change the firewall characteristics on this network zone for different known cases.
 
![](/configuration/firewall/en_firewall_options_firewall_blue_settings.png)
 
### Drop all packets not addressed to proxy
 
When this option is used, all network packets which are not addressed to the web proxy server are dropped.
 
### Drop all Microsoft ports
 
This feature can be used to prevent clients on the blue zone from using Microsoft-related services such as SMB file shares or printing services. All requests to the network ports 135, 137, 138, 139, 445 and 1025 will be dropped.
 
 
## Firewall settings
 
This sub-section lets you customize the look and feel of some elements on the firewall rules page and the rule creation page.
 
![](/configuration/firewall/en_firewall_options_firewall_wui_settings.png)
 
### Show colors in ruletable
 
When this option is enabled, coloured borders are displayed on all existing rules. This can give you a better overview of your ruleset.
 
| Show colors in ruletable = off | Show colors in ruletable = on (default) |
|---|---|
| ![](show_colors_in_ruletable_off.png) | ![](show_colors_in_ruletable_on.png) |
 
 
### Show remarks in ruletable
 
This option is used to hide all created remarks on the firewall rules page.
 
| Show remarks in ruletable = off | Show remarks in ruletable = on |
|---|---|
| ![](show_remarks_in_ruletable_off.png) | ![](show_remarks_in_ruletable_on.png) |
 
### Show empty ruletables
 
The corresponding ruletables are hidden unless at least one rule has been created. When this option is enabled, the empty tables are also displayed on the firewall rules page.
 
| Show empty ruletables = off (default) | Show empty ruletables = on |
|---|---|
| ![](firewall_show_empty_ruletables_off.png) | ![](firewall_show_empty_ruletables_on.png) |
 
 
### Show all networks on rule creation site
 
On the page where new firewall rules can be created, various elements such as VPN zones or host/service groups are hidden if they are not used. This option can be used to display them anyway.
 
| Show all networks on rule creation site = off (default) | Show all networks on rule creation site = on |
|---|---|
| ![](/configuration/firewall/firewall_rules_show_off.png) | ![](/configuration/firewall/firewall_rules_show_on.png) |
 
## Application Layer Gateways
FIXME\\
This section is apparently new, but not documented yet\\
FIXME - This section is apparently new, but not documented yet
 
![](firewall_options_application_layer_gateways.png)
 
[Application Layer Gateway](wp>Application-level_gateway)\\
[Application Layer Gateway](wp>Application-level_gateway)
[Secure use of iptables and connection tracking (conntrack) helpers](https://home.regit.org/netfilter-en/secure-use-of-helpers/)\\
[Secure use of iptables and connection tracking (conntrack) helpers](https://home.regit.org/netfilter-en/secure-use-of-helpers/)
[netfilter](https://netfilter.org)
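Review bot: the first link in this group keeps the `wp>Application-level_gateway` interwiki target while the protocol links below it are converted to full Wikipedia URLs; if `wp>` is what broke, this link needs the same conversion. Dropping the trailing `\\` also leaves the three links on consecutive lines with no list markup, so they may render as one run-on paragraph; a bullet list would keep them apart.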
 
**FTP**\\
**FTP**
[FTP](wp>File_Transfer_Protocol)
[FTP](https://en.wikipedia.org/wiki/File_Transfer_Protocol)
 
 
**H.323**\\
**H.323**
[H.323](wp>H.323)
[H.323](https://en.wikipedia.org/wiki/H.323)
 
 
**IRC**\\
**IRC**
[IRC](wp>Internet_Relay_Chat)
[IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat)
 
 
**PPTP**\\
**PPTP**
[PPTP](wp>Point-to-Point_Tunneling_Protocol)
[PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol)
 
 
**SIP**\\
**SIP**
[SIP](wp>Session_Initiation_Protocol)
[SIP](https://en.wikipedia.org/wiki/Session_Initiation_Protocol)
 
 
**TFTP**\\
**TFTP**
[ TFTP](wp>Trivial_File_Transfer_Protocol)
[ TFTP](https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol)
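Review bot: the TFTP link keeps the stray leading space in its label (`[ TFTP]`) after the target was rewritten; since this line is already being changed, the label should become `[TFTP]` to match the other five protocol entries.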
 
 
## Firewall policy & default behaviour
 
Detailed information about this very important task can be found [here](/configuration/firewall/default-policy).