39. Chapter - Full Rulesets

Full firewall rulesets allow full functionality of the firewall, and therefore can be more complicated to configure than the firewall profiles.

39.1. Components

To avoid overloading the firewall configuration interface with IP addresses and port numbers, we combine IPs, networks etc. into network groups or protocols, and port numbers and port ranges into services. These are compiled centrally and can then be used in all firewall rules. In addition to this, the most important services are already pre-defined in the basic configuration.

39.1.1. Services

Under "Network > Firewall > Services", protocols and port numbers can be combined under a service name. This makes them usable in firewall rules.

A service consists of freely entered ports and protocols (Custom service) as well as of other, pre-configured services (Used services). This means that services can be composed of multiple other services. This is particularly useful if a protocol consists of multiple subprotocols. A good example of this is FTP, which consists of the FTP control connection and the FTP data connection.

With the protocols TCP and UDP, both source and target ports can be specified. Both are not limited to individual ports, but can also configure complete port ranges (e.g. target ports 5000 to 5050 for remote maintenance of the Intra2net support).


Please note that with TCP, only the target ports are typically defined and the source port can be freely selected by the client. Therefore, normally only the target port is entered in the Intra2net system.

39.1.2. Netgroups

Under "Network > Firewall > Netgroups" IPs, IP networks and IP ranges can be combined as a netgroup. This makes them usable in firewall rules. All clients, network areas, routings etc. which you have entered in the Intra2net system in the corresponding menus, are directly available as network objects in the firewall and do not have to be configured as a netgroup first.

As with services, a netgroup can contain other netgroups.

Individual IPs are entered under Custom Client/subnet with the netmask If you would like to configure a network range that can also be represented as an IP network (e.g. IPs from to, it is recommended to enter this as an IP network with the appropriate netmask (in the example IP with netmask This leads internally to more streamlined and faster firewall rules.

39.1.3. Automatic Objects

The Intra2net system combines known objects into automatic objects. Some of these objects also depend on the current state, e.g. the current Internet IP. These can be used directly in firewall rules and do not require any further configuration.

List of Automatic Objects:

Clients and rangesAll clients and ranges defined in the Intra2net system. For DHCP ranges, this only affects the assigned IPs.
DHCP RangesAll DHCP ranges (including unoccupied IPs).
Remote access portsIP addresses configured for remote access.
Remote VPN networksThe networks behind the currently active VPN peers. For "LAN to Host" connections, this is the VPN peer station itself.
IP of the system in the LANIP addresses of the Intra2net system in all its networks of the type "LAN with NAT" and "LAN without NAT".
All Local NetworksAll networks ("LAN with NAT" and "LAN without NAT") and routings.
Broadcast IPs of all local networksBroadcast IPs of all local networks.
Current Internet IPCurrent IP address of the Intra2net system on the Internet. If the system is offline, this condition no longer applies.
InternetEverything outside the local networks and VPNs.