EdgeOS Firewall Interface Overview - EdgeRouter

Captions
Welcome to the first video in my firewall deep dive series. First of all, I just want to say: don't be intimidated. I think some people think "firewall" and they get intimidated, and as you're going to see as we work through this, it's not really something to be intimidated about. It's kind of like learning another language, and once you learn that, you'll become fluent in this; you'll understand what's going on just by looking at the rules.

So real quick, let's go ahead and sign in and get started. Sign into our router, then go over to the Firewall/NAT tab, and then to Firewall Policies. So what a firewall policy is: it's a set of rules for how we handle traffic on interfaces, and it has a default action. With the EdgeMAX, or the EdgeRouter, EdgeOS, the firewall policies are applied before SNAT (source network address translation) and after DNAT (destination network address translation).

In this first video I'm going to try to keep it short, because when we start creating rules, that's when these videos will get a little longer. So what I want to do is go over this interface and explain to you, at face value, what is sitting here. You have a button that says Add Ruleset, so we can add a ruleset, and then you have your buttons here that tell you what the rules are: if it's a default action of drop, it's going to show up here; if it's a default action of reject, they would show up here; if it's a default action of accept, it would show up here; and All is going to show you all of the rulesets.

Now you see here under Name this says WAN_IN and this says WAN_LOCAL. This could say anything. Ubiquiti uses this by default, so I like to stay with what the manufacturer does when it comes to naming; that way, if anybody else who is familiar with the product logs in, they can kind of see what's going on. Or in the name I will use something that is very short and to the point as to what this ruleset does. By the way, these two rulesets, if you've been watching the videos, were created using the WAN+2LAN2 setup wizard. So we have WAN_IN and WAN_LOCAL. Let's open this up and take a look. Well, before we do that, you can see the interface that this is assigned to is eth0 and the direction is in; WAN_LOCAL is eth0, local traffic. There are two rules in each, and the default action is drop.

Under your Actions drop-down you've got all of these choices. You can delete this ruleset, but I will tell you, if you try to do this we should get an error. Let's see... okay: "cannot delete ruleset WAN_IN, still in use." So there are rules in it and it's applied to interfaces, so you can't delete it. That's actually a nice built-in feature to protect us from ourselves. We can copy the ruleset if we've got some rules in there that we like and we just want to create an exact copy and then modify it to do something else. We can look at the stats on these rules.

When we bring this up, oh, by the way, I don't know if you know this, but when I clicked on Stats it brought up this other menu, and it's the ruleset configuration for WAN_IN. But see how these four are in blue, and you have those same four tabs here: Edit Ruleset, Configuration, Interfaces and Stats are all represented by a tab as well, but Copy Ruleset and Delete Ruleset are not. Okay, so in our stats you can see the rule number, and you can sort. Rule number one has had 910,412 packets, this is how many bytes, and the action is accept, "allow established/related". So you can see we are passing the majority of our traffic through this rule. And if you also remember the way this is created, the default action is to drop and "allow established/related" is to accept, so you can see most of the packets, well, all the packets so far that we're seeing, have all hit that accept rule.

All right, so over to the rules. Let's take a look at this. The firewall will read these rules in order, which is why you see the Save Rule Order button over here. When you create different rules you can order the rules differently and then save that rule order. You can see this is rule number one, and the description is "allow established/related"; there's no source or destination specified, so it's basically all traffic, and the action is accept. So we could edit this, so there's a menu inside of a menu. So you get into the rules; this box is the configuration for the ruleset itself. Okay, so we have our Rules, where we can add our rules, then we have the Configuration, and the name is WAN_IN and the description is "WAN to internal"; our default action is drop. Once again, when you're in EdgeOS and you see this blue asterisk, this is a required field. And you can log it. Then you get over here to the Interfaces, and this ruleset applies to eth0, which is my WAN interface, and the direction is in.

One more quick thing about the interfaces and the direction: you select your interface, but then the direction choices that you have are in, out or local. So in is going to be inbound packets, out would be outbound packets (remember it's all tied to that interface), and then local will be local packets, to the device itself. And then of course we're back over here to the Stats.

So then when we look at our rules, we can add a new rule or we can edit this one. So we'll edit this one and look at this interface and see exactly what is going on here. Before we do that, notice that it's got the Copy Rule and the Delete Rule, and if I click on Basic you have those five items here, but Copy Rule and Delete Rule are not represented by a tab here. Okay, so now we're looking at the rule configuration for rule 10, and the description is "allow established/related"; it is enabled with the checkmark, and the default action here is to accept.

Let's talk a little bit more about these actions. Our default action drop will just block the packets and never say anything back to whatever initiated the request; the packets basically just die, they drop. If we reject the packets, the packets are blocked and an ICMP message is sent back saying that the destination is unreachable. And then if we accept, the packets are allowed to come through the firewall. Logging here is: if the packets trigger the default action, we want to log those. And then under Protocol you can say all protocols, TCP (Transmission Control Protocol), UDP (User Datagram Protocol). TCP, by the way, just a little nugget here, is connection-oriented; UDP is not. So with UDP you'll see a lot of jokes out there, memes, things like that, like "I'll tell you a UDP joke, but I'm afraid you wouldn't get it." That's because UDP doesn't care; it just fires the packets, and if they don't get there, they don't get there. TCP has a lot of things built into it to ensure the packets get there, and that they get there in the right order; it's a completely different animal. You can do both TCP and UDP, choose a protocol by name, or enter a protocol by number. So you could choose, for example, if you saw the video that I did on PPTP and the firewall rules to allow that, GRE by name, or you could enter that protocol's number, 47.

We go to Advanced, and the State is the connection state of the packet. Established will match packets that are part of a two-way connection; invalid matches packets that cannot be identified; new matches packets creating a new connection; and related matches packets related to established connections. So: established, invalid, new, related. Recent time: if you see these i's with the grey circles, you get a little tooltip if you hover your mouse over there. So the recent time is the number of seconds to monitor for attempts to connect from the same source, and the recent count is the number of times the same source is detected within the recent time duration; this can help block attacks that use continual connection attempts. Then IPsec is Internet Protocol Security, and it helps secure packet routing. If we don't match on IPsec packets, we're not going to match on those; if we match inbound IPsec packets, we're going to match IPsec packets coming into the system; match inbound non-IPsec packets, we are going to match non-IPsec packets coming into the device. P2P is peer-to-peer: yeah, your BitTorrent, your Kazaa, your Morpheus, all those types of things, LimeWire; I'm sure everybody's heard of LimeWire. So we can basically ignore those with None, or we can do All, which will match all peer-to-peer connections, or we can choose a peer-to-peer application by name, and if we do that you'll see, okay, here you get AppleJuice, eDonkey, Gnutella, BitTorrent, Direct Connect and Kazaa. Or you can specify an application, and these are triggered through DPI. So if you've seen the DPI video you'll know a little bit more about that; go back and look at that video if you haven't seen it. But you can create custom categories out of traffic and block those applications, and at a specified interval your DPI categories automatically get updated by Ubiquiti, so they're always adding things to this. So you could select, you know, Top Sites, Adult; in the top adult sites, playboy.com is probably in there. You can match that and you can create rules based on that.

The next thing we're going to talk about is the Source, so the source address. This is where the traffic is coming from. In Address, if you come over here to the tooltip, you can see that you can have one IP address, you can have an entire network, or you can do a range, so that's very handy. If you're going to block one IP, you can see that you just put the IP in; the network would have the CIDR notation; or you could actually specify the range by putting the low end of the range, a hyphen, and then the high end of the range. Okay, so then Port: what's the source port? It's the same thing; for FTP, you know, you can put a port number in or you can do a range. The MAC address: you can supply the MAC address of the source, so you can even do this based on MAC instead of IP, and you can do address and port at the same time. Then we look at what an address group is: if you've got address groups defined you could select that here, or you can specify an interface address. Now you see the interfaces: over on the dashboard under the interfaces we have addresses tied to these interfaces, so you can just select that here. You saw that when I created the manual DNAT rule I just selected eth0, and it knew that since eth0 is dynamic, whatever address is on there is what we wanted to use in our NAT rule. Or you can do an entire interface network, so it will then look at that CIDR notation and specify the source as that entire network. You can create network groups over in Firewall/NAT Groups (I do have a Firewall/NAT Groups video out there; maybe I'll redo that and update it), and you can also create port groups.

So, on to Destination. Now this is where the traffic is going, and you get the exact same options with this as you do with the source, except this would be the destination. So you can do a single address, an entire network or a range. You can also specify a single port by name, by number, or by port range. What's kind of nice is that Ubiquiti allows you to put the port name in, so you don't have to memorize all those, but I will tell you, in the real world, when you're dealing with multiple vendors, I highly recommend knowing probably the 10 or 12 most common ports, like you know what port HTTPS is, that's 443; which port is DNS, that's 53; which port is HTTP, that's 80. Just some of those kind of common ports, I would probably still go ahead and memorize those, but it is nifty that they let us just put the name of the port in there and then they do the heavy lifting for us. So right here are the same options that we had on Source, but it's for Destination: you can do groups, you can do interface addresses or entire interface networks, the network group and the port group.

Then our last tab for the rule configuration is Time, so you can actually configure time-based rules, and it's pretty straightforward. Here you would enter days of the month; you can see the example in there is the 1st to the 15th and the 22nd, and then you could say "match all month days except for these", so then you could reverse it and match everything but the list here. Or you can go on weekdays, so now you can specify Sunday, Monday, Tuesday, Wednesday, and you can also do that where you would "match all weekdays except for these"; so if you had Monday in there and you said match all weekdays except for these, you would match Tuesday through Sunday. Then you can specify a start date, and you can see that their example there is 9/17/2012. You can also specify a start time, and it is in 24-hour notation; I'm kind of a fan of 24-hour notation, I don't know how many people out there use 24-hour. Then the stop date: when do you want this rule to fall off? So they started on 9/17/2012 and they're going to end it on 9/17/2012, but you could have this run for a day, you could have it run for just hours in the same day. So if you used a start date and time, and that preceded, at least the time would have to precede your stop time, it should let you create that rule. And then there's a little checkbox down here: if your network uses UTC you could check that and it would interpret the times and dates as UTC.

So that's it for the configuration of this rule, and I think that's kind of it for just the overview. I think in the next video... this video is kind of long, kind of one of my longest videos; we're going on twenty to twenty-two minutes, depends on how much editing there is. But the next video will actually look at creating some basic rules, and maybe we'll even create some Firewall/NAT Groups to put in there. If you liked the video please give a thumbs up. This is just the first video in the deep dive of the firewall. I hope it made sense to everybody; please comment if you've got questions, please share, please give a thumbs up, that thumbs up is really important, and of course subscribe if you're not, and come back for part two and the deep dive into the EdgeOS firewall.
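The walkthrough above is entirely in the GUI. For reference, here is the same structure expressed as EdgeOS configure-mode commands, added as an example to this page and not taken from the video or from Ubiquiti's documentation: the two wizard-style rulesets WAN_IN and WAN_LOCAL (default action drop, rule 10 accepts established/related, rule 20 drops invalid) assigned to eth0 in the "in" and "local" directions, followed by a constructed ruleset that exercises the three source address forms from the Source tab (single host, CIDR network, low-high range), the recent count/time limiter, and the Time tab. The names WAN_IN, WAN_LOCAL, eth0 and rules 10/20 are as shown in the video; the ruleset LAN_IN, the interface eth1, the 192.0.2.x and 198.51.100.x addresses (RFC 5737 documentation ranges), the port numbers and the schedule are assumptions chosen for illustration, and the command syntax is the Vyatta-derived EdgeOS CLI as I know it.

```text
# Added example, not from the video. EdgeOS configure mode; rule numbers set the
# match order, and the first matching rule wins, otherwise the default action applies.
configure

# Traffic arriving on eth0 and routed *through* the router (direction "in").
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 20 log enable

# Traffic arriving on eth0 addressed *to* the router itself (direction "local").
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

# Constructed ruleset (hypothetical name LAN_IN): address forms, recent limiter, time.
# Default accept, so each rule below blocks one specific thing.
set firewall name LAN_IN default-action accept
set firewall name LAN_IN description 'Constructed example ruleset'

# Single host; reject sends an ICMP destination-unreachable back to the sender.
set firewall name LAN_IN rule 10 action reject
set firewall name LAN_IN rule 10 description 'Single address'
set firewall name LAN_IN rule 10 source address 192.0.2.10

# Whole network in CIDR notation; drop discards silently.
set firewall name LAN_IN rule 20 action drop
set firewall name LAN_IN rule 20 description 'Network in CIDR notation'
set firewall name LAN_IN rule 20 source address 192.0.2.0/24

# Address range written as low-high, combined with protocol and destination ports.
set firewall name LAN_IN rule 30 action drop
set firewall name LAN_IN rule 30 description 'Address range with ports'
set firewall name LAN_IN rule 30 protocol tcp
set firewall name LAN_IN rule 30 source address 198.51.100.20-198.51.100.40
set firewall name LAN_IN rule 30 destination port 80,443

# Recent: more than 5 new TCP connections from one source within 60 seconds.
set firewall name LAN_IN rule 40 action drop
set firewall name LAN_IN rule 40 description 'Rate-limit repeated new connections'
set firewall name LAN_IN rule 40 protocol tcp
set firewall name LAN_IN rule 40 state new enable
set firewall name LAN_IN rule 40 recent count 5
set firewall name LAN_IN rule 40 recent time 60
set firewall name LAN_IN rule 40 log enable

# Time tab: weekdays, 24-hour start/stop times, interpreted as UTC.
set firewall name LAN_IN rule 50 action drop
set firewall name LAN_IN rule 50 description 'Block a port range during working hours'
set firewall name LAN_IN rule 50 protocol tcp_udp
set firewall name LAN_IN rule 50 destination port 6881-6999
set firewall name LAN_IN rule 50 time weekdays Mon,Tue,Wed,Thu,Fri
set firewall name LAN_IN rule 50 time starttime 08:00:00
set firewall name LAN_IN rule 50 time stoptime 17:00:00
set firewall name LAN_IN rule 50 time utc

# A ruleset does nothing until it is attached to an interface and a direction.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 firewall in name LAN_IN

commit
save
exit
```

After `commit`, the per-rule packet and byte counters that the GUI's Stats tab displays are available in operational mode with `show firewall name WAN_IN statistics`; the counters are the quickest check that traffic is hitting the rule you expect rather than falling through to the default action. Note that the GUI's Save Rule Order button works by renumbering rules, so in the CLI you control evaluation order simply by the rule numbers you choose, and leaving gaps (10, 20, 30) makes later insertion painless.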
Info
Channel: Willie Howe
Views: 41,725
Keywords: edgeos firewall interface, edgeos firewall gui, edgemax firewall interface, edgemax firewall gui, edgerouter firewall, edgerouter firewall interface, edgerouter firewall gui, ubiquiti edgerouter configuration, how to firewall edgerouter, edgerouter gui firewall, firewall gui demo, firewall gui overview, ubiquiti networks edgerouter, ubiquiti networks edgeos, edgerouter firewall policy, edgeos firewall policy, edgemax firewall policy, ubiquiti create firewall rules, snat, dnat
Id: WzzGD8e2P7w
Length: 22min 7sec (1327 seconds)
Published: Sat Jul 09 2016