40. Chapter - Full Rulesets

Full firewall rulesets give access to the full functionality of the firewall and can therefore be more complicated to configure than the firewall profiles.

40.1. Components

To avoid overloading the firewall configuration interface with IP addresses and port numbers, IPs, networks etc. are combined into netgroups, and protocols, port numbers and port ranges into services. These are maintained centrally and can then be used in all firewall rules. In addition, the most important services are already pre-defined in the basic configuration.

40.1.1. Services

Under "Network > Firewall > Services", protocols and port numbers can be combined under a service name. This makes them usable in firewall rules.

A service consists of freely entered ports and protocols ("Custom service") as well as of other, pre-configured services ("Used services"). This means that services can be composed of multiple other services. This is particularly useful if a protocol consists of multiple subprotocols. A good example of this is FTP, which consists of the FTP control connection and the FTP data connection.

With the protocols TCP and UDP, both source and target ports can be specified. Neither is limited to individual ports; complete port ranges can also be configured (e.g. target ports 5000 to 5050 for remote maintenance by Intra2net support).

Hint

Please note that with TCP, only the target ports are typically defined and the source port can be freely selected by the client. Therefore, normally only the target port is entered in the Intra2net system.

40.1.2. Netgroups

Under "Network > Firewall > Netgroups", IPs, IP networks and IP ranges can be combined as a netgroup. This makes them usable in firewall rules. All clients, network areas, routings etc. that you have entered in the corresponding menus of the Intra2net system are directly available as network objects in the firewall and do not have to be configured as a netgroup first.

As with services, a netgroup can contain other netgroups.

Individual IPs are entered under "Custom Client/subnet" with the netmask 255.255.255.255. If you would like to configure an IP range that can also be represented as an IP network (e.g. IPs from 192.168.1.0 to 192.168.1.255), it is recommended to enter it as an IP network with the appropriate netmask (in the example, IP 192.168.1.0 with netmask 255.255.255.0). Internally, this leads to more streamlined and faster firewall rules.
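
The following Python sketch is an added example, not part of the Intra2net documentation: it checks whether an IP range can be entered as a single IP network and otherwise lists the smallest set of IP/netmask entries that covers it exactly. The function names and the sample ranges are assumptions made for illustration.

```python
import ipaddress


def range_to_entries(first, last):
    """Return the smallest list of (ip, netmask) pairs covering first..last inclusive.

    A single host comes back with netmask 255.255.255.255, matching the way
    individual IPs are entered under "Custom Client/subnet".
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    return [
        (str(net.network_address), str(net.netmask))
        for net in ipaddress.summarize_address_range(lo, hi)
    ]


def is_single_network(first, last):
    """True if the range is exactly one IP network (one entry is enough)."""
    return len(range_to_entries(first, last)) == 1


if __name__ == "__main__":
    # Constructed sample ranges (hypothetical, for illustration only).
    samples = [
        ("192.168.1.0", "192.168.1.255"),  # aligned: one /24 network
        ("192.168.1.7", "192.168.1.7"),    # single host
        ("192.168.1.10", "192.168.1.50"),  # unaligned: several networks needed
    ]
    for first, last in samples:
        entries = range_to_entries(first, last)
        kind = "single network" if len(entries) == 1 else "keep as IP range"
        print(f"{first} - {last}: {kind}")
        for ip, mask in entries:
            print(f"    IP {ip}  netmask {mask}")
```

An unaligned range such as 192.168.1.10 to 192.168.1.50 has no single matching netmask, which is the case where an IP range entry remains the practical choice.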

40.1.3. Automatic Objects

The Intra2net system combines known objects into automatic objects. Some of these objects also depend on the current state, e.g. the current Internet IP. These can be used directly in firewall rules and do not require any further configuration.

List of Automatic Objects:

| Object | Description |
|---|---|
| Clients and ranges | All clients and ranges defined in the Intra2net system. For DHCP ranges, this only affects the assigned IPs. |
| DHCP Ranges | All DHCP ranges (including unoccupied IPs). |
| Remote access ports | IP addresses configured for remote access. |
| Remote VPN networks | The networks behind the currently active VPN peers. For "LAN to Host" connections, this is the VPN peer station itself. |
| IP of the system in the LAN | IP addresses of the Intra2net system in all its networks of the type "LAN with NAT" and "LAN without NAT". |
| All Local Networks | All networks ("LAN with NAT" and "LAN without NAT") and routings. |
| Broadcast IPs of all local networks | Broadcast IPs of all local networks. |
| Current Internet IP | Current IP address of the Intra2net system on the Internet. If the system is offline, this condition no longer applies. |
| Internet | Everything outside the local networks and VPNs. |