About Custom Firewall Rules - McAfee SG310 Administration Manual

Firewall menu options
Packet filtering
Accepting incoming echo requests
The Accept echo request checkbox governs how ICMP requests are processed for Internet, DMZ, and Guest
interfaces. Selecting this checkbox enables ICMP requests on all of the interfaces that use the Internet,
DMZ, or Guest firewall class. To selectively enable ICMP requests, the Accept echo request checkbox must
be cleared and an appropriate Input-Accept packet filter rule generated.
If accept echo request is enabled, the corresponding Accept action is processed prior to GUI-configured
packet filter rules, and as such, adding packet filter rules will not have any effect. That is, you cannot
selectively drop ICMP requests with a default of accept; you can only selectively accept ICMP requests with
a default of drop.
There are some advantages to using specific packet filter rules for ICMP requests rather than this checkbox,
as packet filter rules have configurable rate limits, and can also be used to limit the specific
source-addresses from which ICMP requests are allowed. For more information on packet filter rules, see
Packet filtering.
Configuring administrative services access
1. From the Firewall menu, click Packet Filtering, and select the Incoming Access tab.
2. Select or clear the checkboxes for the services you want to enable or disable.
   Caution: Disallowing all services is not recommended, as this makes future configuration changes
   impossible unless your appliance is reset to the factory default settings.
3. To allow echo requests on Internet interfaces, select the Accept echo request (incoming port)
   checkbox. The default (recommended) is to disallow echo requests, so your UTM Firewall appliance does
   not respond to pings on its own Internet interfaces. Disallowing echo requests may make it more difficult
   for external attackers scanning for hosts to discover your appliance. Destination unreachable ICMP
   messages are always accepted.
4. Click Submit.

About custom firewall rules

Custom firewall rules allow experts to customize the firewall configuration. The Custom Firewall Rules tab
and Custom IPv6 Firewall Rules tab allow firewall experts to view the current firewall rules and add custom
iptables firewall rules. Settings made within the custom firewall tabs take precedence over those configured
in the Packet Filtering and NAT pages and elsewhere within the Management Console. Configuring the
firewall using the Incoming Access and Packet Filtering pages is adequate for most applications. Only
experts on firewalls and iptables should add custom firewall rules.
Note:
McAfee does not provide technical support for custom firewall rules.
Further reading about firewall, NAT, and packet mangling for Linux can be found at
http://www.netfilter.org/documentation.
Further reading about iptables is available at http://iptables-tutorial.frozentux.net.
For details on creating temporary custom log rules using iptables, refer to Creating custom log rules.

Custom Firewall Rules tab
This tab provides the ability to manually add custom entries to the IP tables using the iptables command
syntax. The custom rules are executed whenever the status of a network interface changes. You can use
custom rules either exclusively or in addition to built-in rules.

McAfee UTM Firewall 4.0.4 Administration Guide, page 168
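The following is an added example, not taken from the McAfee guide or the appliance's own rule set. It shows what the approach recommended under Accepting incoming echo requests (clear the Accept echo request checkbox, then accept ICMP echo selectively with a source restriction and a rate limit) looks like in the iptables command syntax that the Custom Firewall Rules and Custom IPv6 Firewall Rules tabs accept. The page does not describe the appliance's internal chain layout, so the use of the standard INPUT chain, the interface name eth0, the management prefixes 203.0.113.0/24 and 2001:db8::/32, and the rate values are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the McAfee UTM Firewall guide): generate iptables /
# ip6tables lines that drop ICMP echo requests by default and accept them only
# from one source prefix, at a bounded rate. Destination unreachable is always
# accepted, matching the behaviour the guide documents for the appliance.
#
# Assumptions not stated on the page: the INPUT chain is where custom rules
# land, eth0 is the external interface, and the prefixes are placeholders.

# build_echo_rules FAMILY IFACE SOURCE [RATE] [BURST]
#   FAMILY  4 or 6
#   IFACE   interface the rules apply to (assumed eth0 for the Internet side)
#   SOURCE  the only prefix allowed to ping this interface
#   RATE    limit-module rate, default 5/second
#   BURST   limit-module burst, default 10
# Prints the rules, one per line, without applying them.
build_echo_rules() {
    family=$1; iface=$2; src=$3; rate=${4:-5/second}; burst=${5:-10}
    if [ "$family" = 6 ]; then
        cmd=ip6tables; proto=icmpv6; typeopt=--icmpv6-type
    else
        cmd=iptables;  proto=icmp;   typeopt=--icmp-type
    fi
    # 1. Always accept destination unreachable: dropping it breaks path MTU
    #    discovery, and the appliance accepts it unconditionally anyway.
    printf '%s -A INPUT -i %s -p %s %s destination-unreachable -j ACCEPT\n' \
        "$cmd" "$iface" "$proto" "$typeopt"
    # 2. Accept echo requests only from the management prefix, and only up to
    #    RATE with a burst of BURST (packets over the limit fall through to 3).
    printf '%s -A INPUT -i %s -p %s %s echo-request -s %s -m limit --limit %s --limit-burst %s -j ACCEPT\n' \
        "$cmd" "$iface" "$proto" "$typeopt" "$src" "$rate" "$burst"
    # 3. Every other echo request on this interface is dropped: the default the
    #    guide recommends, now enforced by an explicit rule.
    printf '%s -A INPUT -i %s -p %s %s echo-request -j DROP\n' \
        "$cmd" "$iface" "$proto" "$typeopt"
}

# count_echo_rules: number of rule lines build_echo_rules emits for the same arguments.
count_echo_rules() {
    build_echo_rules "$@" | wc -l | tr -d ' '
}

# apply_echo_rules: run the generated rules on a plain Linux host (needs root
# and iptables installed); stops at the first failing command and returns non-zero.
apply_echo_rules() {
    build_echo_rules "$@" | while IFS= read -r rule; do
        $rule || exit 1   # unquoted on purpose: split the line into command and arguments
    done
}

# Print what would be pasted into the custom rules tabs for the placeholder
# networks; nothing is applied here.
build_echo_rules 4 eth0 203.0.113.0/24
build_echo_rules 6 eth0 2001:db8::/32 2/second 5
```

The printed lines are the text you would paste into the respective tab; the apply function exists only for trying the rules on an ordinary Linux host, since the appliance runs the tab's contents itself whenever an interface changes state. Rule order is what makes the policy work: the accept rules come before the final drop, and the drop matches only echo-request, so on IPv6 the other ICMPv6 types (neighbour discovery in particular) are left to the existing rule set rather than silently blocked.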

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

Sg560Sg560uSg565Sg580

Table of Contents