Firewall Rules Order
Firewall rules are evaluated from top to bottom. Each rule has a priority based on its position in the list.
When traffic matches a rule:
The configured action is applied.
No further rules are evaluated.
Rule order is critical. More specific rules should generally be placed above broader rules to ensure correct traffic handling.
“Is Not” Conditions
Some firewall rule fields include a ! (not) option. This allows administrators to create negative matching conditions.
An “is not” condition excludes specific traffic from matching a rule.
For example:
Block all traffic that is not using port 443
This provides additional flexibility when defining firewall rules.
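The following is an added example (not part of the iShield documentation or product code) that models the two points above in Python: rules are tried top to bottom and the first match decides, and a field with the “!” option matches when the packet value is outside the configured range. The rule fields, the packet layout and the shadowed-rule check are assumptions for illustration, not the iShield's internal representation.

```python
# Added example (not iShield code): a first-match rule evaluator. Rule and
# packet shapes are assumptions for illustration; the iShield's internal
# representation is not documented on this page.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                  # "ACCEPT", "DROP" or "REJECT"
    description: str
    src: Optional[str] = None    # source CIDR, None = any source
    dport: Optional[int] = None  # destination port, None = any port
    src_negate: bool = False     # the "!" (is not) option on the source field
    dport_negate: bool = False   # the "!" (is not) option on the port field

    def matches(self, packet: dict) -> bool:
        # An unset field always matches; a set field matches when the packet
        # value is in range, and the "!" flag inverts that result.
        if self.src is not None:
            hit = ip_address(packet["src"]) in ip_network(self.src)
            if hit == self.src_negate:
                return False
        if self.dport is not None:
            hit = packet["dport"] == self.dport
            if hit == self.dport_negate:
                return False
        return True


def evaluate(rules, packet, default="DROP"):
    """Top to bottom, first match wins: no further rules are evaluated."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.description
    return default, "default policy"


def _covers(i_val, i_neg, j_val, j_neg, wider) -> bool:
    # Does an earlier rule's field accept everything a later rule's field accepts?
    # Conservative: negated fields only count as covering when identical.
    if i_val is None:
        return True
    if j_val is None or i_neg != j_neg:
        return False
    return i_val == j_val if i_neg else wider(i_val, j_val)


def shadowed(rules):
    """Descriptions of rules that can never match because an earlier rule is at
    least as broad in every field: the misordering the text warns about."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            src_ok = _covers(earlier.src, earlier.src_negate, later.src, later.src_negate,
                             lambda a, b: ip_network(b).subnet_of(ip_network(a)))
            port_ok = _covers(earlier.dport, earlier.dport_negate, later.dport,
                              later.dport_negate, lambda a, b: a == b)
            if src_ok and port_ok:
                found.append(later.description)
                break
    return found


# Constructed rules: a specific allow and a broad block for the same port,
# plus the page's "block all traffic that is not using port 443" example.
SPECIFIC = Rule("ACCEPT", "allow admin net to 8443", src="203.0.113.0/24", dport=8443)
BROAD = Rule("DROP", "block everything to 8443", dport=8443)
NOT_443 = Rule("DROP", "block all traffic that is not using port 443", dport=443, dport_negate=True)


def order_matters():
    pkt = {"src": "203.0.113.10", "dport": 8443}
    right = evaluate([SPECIFIC, BROAD], pkt)[0]  # specific first: ACCEPT
    wrong = evaluate([BROAD, SPECIFIC], pkt)[0]  # broad first shadows it: DROP
    return right, wrong


def is_not_example():
    https = evaluate([NOT_443], {"src": "198.51.100.5", "dport": 443}, default="ACCEPT")[0]
    ssh = evaluate([NOT_443], {"src": "198.51.100.5", "dport": 22}, default="ACCEPT")[0]
    return https, ssh  # ("ACCEPT", "DROP")


if __name__ == "__main__":
    print(order_matters(), is_not_example(), shadowed([BROAD, SPECIFIC]))
```

Running the file prints ('ACCEPT', 'DROP') for the same packet under the two orderings, which is the shadowing effect of placing a broad rule above a specific one; shadowed() is the kind of check worth running over a rule list before it is deployed.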
This section controls which types of traffic events are logged by the iShield.
Traffic Type:
Remote Management Connections
Logs access attempts to the iShield management interface.
VPN Connections
Logs OpenVPN, WireGuard, and IPsec connection activity.
Port Forwards
Logs traffic that matches configured port forwarding rules.
Dropped Inter-VLAN Traffic
Logs traffic blocked between VLANs due to restriction rules.
GeoBlocked Traffic
Logs traffic blocked by GeoBlocking rules.
Dropped Broadcast Traffic
Logs broadcast packets that are dropped.
Undesired Traffic
Logs traffic that matches the global undesired traffic policy.
Note: The iShield limits the amount of logged packets/connections to prevent excessive logging.
This section controls which interfaces the iShield will respond to ICMP (ping) requests on.
Interface Type:
WAN Interfaces
LAN Interfaces
WireGuard VPNs
OpenVPN Interfaces
IPsec Interfaces
DHCP Flood Protection: Prevents DHCP exhaustion attacks by limiting excessive DHCP requests and can assist in preventing network loops.
Hijack Network DNS: The iShield redirects client DNS requests to its own DNS service, regardless of client configured DNS settings (used for enforcing filtering, safe search, etc.).
Undesired Traffic Policy: Undesired traffic refers to unsolicited or suspicious traffic that is not part of a legitimate, established session.
This typically includes:
Port scanning attempts
Random connection attempts to closed ports
Malformed packets
Traffic that does not match any valid session state
Probing behavior from external hosts
In most cases, this traffic originates from the internet and is not the result of a user-initiated connection from inside the network.
Options include:
DROP: Silently discards the packet without sending any response to the sender.
REJECT: Blocks the packet and sends an error response back to the sender, notifying that the connection or request was rejected.
ACCEPT: Allows the packet to be processed.
Controls NAT helpers and outbound NAT behavior.
SIP NAT: Assists with SIP-based VoIP traffic traversal through NAT.
FTP NAT: Handles FTP’s dynamic port negotiation through NAT.
PPTP NAT: Assists NAT handling for PPTP VPN traffic.
NAT Mode: Determines how NAT is applied to outbound traffic leaving the iShield, i.e. which internal traffic has its source IP address translated to the WAN IP address.
WAN Only: NAT is applied only to traffic exiting through WAN interfaces. Traffic between internal interfaces (LAN to VLAN) is not NATed.
All Outbound Traffic: NAT is applied to all outbound traffic leaving any interface.
None: No automatic NAT is applied.
Select interfaces which the iShield will drop broadcast traffic from. May affect services like DHCP, mDNS, or network discovery:
Interface Types:
WAN Interfaces
LAN Interfaces
WireGuard VPNs
OpenVPN Interfaces
IPsec Interfaces
If enabled for an interface type, broadcast traffic received on that interface will be dropped instead of forwarded.
Inbound Forwarding Rules control how incoming requests from external networks are forwarded to internal devices or services.
To configure which external requests are allowed and where they are directed within the network:
Select the Add Rule button.
Inbound Interface: This option allows the rule to apply to traffic coming in through the selected interface (such as WAN, LAN, VLAN etc.).
Outbound Interface: This setting defines the interface the traffic is forwarded to after entering the network (such as WAN, LAN, VLAN etc.).
Source: This field defines where the inbound traffic originates from.
Source Range: Define a specific IP range from which inbound traffic is permitted. For example, enter 203.0.113.0/24 to allow traffic only from that range.
Destination: This specifies the destination device or network for the incoming traffic.
Destination Range: Define a specific IP range to which inbound traffic is permitted. For example, enter 192.168.20.0/24 to allow traffic only to that range.
Source IP Set: In addition to specifying a source range, you could alternatively define a Source IPset to use a predefined set of allowed IP or MAC addresses.
Destination IP Set: In addition to specifying a destination range, you could alternatively define a Destination IPset to use a predefined set of allowed IP or MAC addresses.
Protocol: This setting allows the rule to apply to traffic using certain protocols (TCP, UDP, etc.). Setting this to Any Protocol means the rule is not restricted to a specific type of traffic, and will accept all protocols.
State: This refers to the connection state of the traffic.
Any State: The rule applies to all states of traffic, whether it's a new connection, an established one, or related traffic.
New: Refers to a new incoming connection that is not part of any existing session. This is the initial state for a new traffic flow or session.
Established: Represents traffic that is part of an already established connection. It indicates that the connection has already been acknowledged by both the source and destination.
Related: Refers to traffic that is related to an existing, established connection, but is a separate data stream. For example, an FTP data connection is related to an existing FTP control connection.
Invalid: Represents packets that do not correspond to any known connection or session. These packets could be malformed or part of a failed connection attempt and are typically dropped or blocked.
Untracked: Refers to traffic that is not being tracked by the firewall’s connection tracking system. This traffic is allowed or blocked without regard to the state of the connection.
Action: The action defines how the rule will handle the traffic.
Accept: Allows the packet to pass through the firewall and continue to its destination. This action permits the traffic based on the firewall rule's conditions.
Reject: Blocks the packet and sends an error response back to the sender, notifying that the connection or request was rejected. This is useful for providing feedback that the traffic was intentionally blocked.
Drop: Silently discards the packet without sending any response to the sender. This action makes it seem like the traffic is being ignored or lost, which can be useful for reducing unwanted attempts or attacks.
Return: Stops processing the current rule chain and returns control to a higher-level chain. It effectively passes the decision-making process back to the parent rule or a default action, depending on how the firewall is structured. For example, you might have a custom chain for handling traffic from a specific IP range or port. If none of the conditions in this custom chain are met, you can use Return to go back to the general firewall rules, ensuring that packets not matching the custom conditions are processed by the default chain.
Enabled / Disabled: This field allows you to enable or disable the rule. When enabled, the rule will be active and will enforce the specified traffic control. If disabled, the rule will not be applied.
Description: Use this field to provide a brief label or explanation for the rule. For example: Allow HTTPS traffic from IP range 203.0.113.0/24 to an internal web server.
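As an added example, not the iShield's own code, the following Python sketch shows how the State values listed above are assigned by a connection tracker and how an inbound forwarding policy then uses them: existing sessions are kept, a New connection is accepted only to an internal HTTPS server, and Invalid packets are dropped. The packet layout, the expect() call standing in for an FTP-style helper, the addresses and the rule set are all constructed assumptions.

```python
# Added example (not iShield code): a toy connection tracker showing how a
# stateful rule sees NEW, ESTABLISHED, RELATED and INVALID packets. Field
# names, the packet layout and the "related" bookkeeping are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # "SYN", "SYN-ACK" or "ACK" (TCP only, for brevity)


class ConnTracker:
    def __init__(self):
        self.pending = {}          # flow key -> opener's direction, seen one way only
        self.established = set()   # flow keys seen in both directions
        self.expected = set()      # (dst, dport) announced by a helper, e.g. FTP PASV

    @staticmethod
    def _key(p: Pkt):
        # Normalise so both directions of one flow share a single entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return a + b if a <= b else b + a

    def expect(self, dst: str, dport: int):
        """Register a data channel negotiated on an existing control connection."""
        self.expected.add((dst, dport))

    def classify(self, p: Pkt) -> str:
        key = self._key(p)
        direction = (p.src, p.sport, p.dst, p.dport)
        if key in self.established:
            return "ESTABLISHED"
        if key in self.pending:
            if self.pending[key] != direction:   # a reply: both ends have now spoken
                self.established.add(key)
                return "ESTABLISHED"
            return "NEW"                         # retransmitted opener is still NEW
        if (p.dst, p.dport) in self.expected:
            self.expected.discard((p.dst, p.dport))
            self.pending[key] = direction
            return "RELATED"
        if p.flags != "SYN":
            return "INVALID"                     # no connection to attach this packet to
        self.pending[key] = direction
        return "NEW"


def decide(tracker: ConnTracker, p: Pkt):
    """An inbound-forwarding policy (constructed): keep existing sessions,
    allow NEW only to the HTTPS server, drop everything else."""
    state = tracker.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        return state, "ACCEPT"
    if state == "NEW" and p.dport == 443:
        return state, "ACCEPT"
    return state, "DROP"


def run_scenario():
    """Constructed packet sequence; returns (state, action) per packet."""
    t = ConnTracker()
    client, web = "198.51.100.7", "192.168.20.10"
    out = [
        decide(t, Pkt(client, 50000, web, 443, "SYN")),        # NEW, ACCEPT
        decide(t, Pkt(web, 443, client, 50000, "SYN-ACK")),    # ESTABLISHED, ACCEPT
        decide(t, Pkt(client, 50000, web, 443, "ACK")),        # ESTABLISHED, ACCEPT
        decide(t, Pkt("198.51.100.9", 4444, web, 22, "ACK")),  # INVALID, DROP
        decide(t, Pkt("198.51.100.9", 4444, web, 22, "SYN")),  # NEW to port 22, DROP
    ]
    t.expect(web, 60021)                                       # FTP-style data channel
    out.append(decide(t, Pkt(client, 50001, web, 60021, "SYN")))  # RELATED, ACCEPT
    return out


if __name__ == "__main__":
    for state, action in run_scenario():
        print(f"{state:12} {action}")
```

The stray ACK to port 22 is the case the Invalid state exists for: it belongs to no known session, so a policy that only accepts Established and Related traffic never lets it through even though it is not a New connection either.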
Forwarding Outbound Rules control traffic leaving your internal network and heading towards an external network (e.g., web requests, email traffic, etc.).
Controlling outbound traffic helps prevent data leaks, ensure proper usage, and block access to unauthorised or harmful external destinations. To configure an outbound rule:
Select the Add Rule button.
Inbound Interface: This option allows the rule to apply to traffic originating from the selected interface (usually LAN, VLAN).
Outbound Interface: This setting defines the interface the traffic is destined for (usually WAN).
Source Device: Select either MAC Address, Identity, Policies. This would normally be left on the default Any Device option.
Source: This field defines where the outbound traffic originates from.
Source Range: Define a specific IP range from which outbound traffic is permitted or blocked. For example, enter 192.168.1.0/24 to allow or block traffic only from that range.
Destination: This specifies the destination device or network for the outgoing traffic.
Destination Range: Define a specific IP range to which outbound traffic is permitted. This is normally left on the default setting Any Destination.
Source IP Set: In addition to specifying a source range, you could alternatively define a Source IPset to use a predefined set of allowed IP or MAC addresses.
Destination IP Set: In addition to specifying a destination range, you could alternatively define a Destination IPset to use a predefined set of allowed IP or MAC addresses.
Protocol: This setting allows the rule to apply to traffic using certain protocols (TCP, UDP, etc.). Setting this to Any Protocol means the rule is not restricted to a specific type of traffic, and will filter all protocols.
State: This refers to the connection state of the traffic.
Any State: The rule applies to all states of traffic, whether it's a new connection, an established one, or related traffic.
New: Refers to a new incoming connection that is not part of any existing session. This is the initial state for a new traffic flow or session.
Established: Represents traffic that is part of an already established connection. It indicates that the connection has already been acknowledged by both the source and destination.
Related: Refers to traffic that is related to an existing, established connection, but is a separate data stream. For example, an FTP data connection is related to an existing FTP control connection.
Invalid: Represents packets that do not correspond to any known connection or session. These packets could be malformed or part of a failed connection attempt and are typically dropped or blocked.
Untracked: Refers to traffic that is not being tracked by the firewall’s connection tracking system. This traffic is allowed or blocked without regard to the state of the connection.
Action: The action defines how the rule will handle the traffic.
Accept: Allows the packet to pass through the firewall and continue to its destination. This action permits the traffic based on the firewall rule's conditions.
Reject: Blocks the packet and sends an error response back to the sender, notifying that the connection or request was rejected. This is useful for providing feedback that the traffic was intentionally blocked.
Drop: Silently discards the packet without sending any response to the sender. This action makes it seem like the traffic is being ignored or lost, which can be useful for reducing unwanted attempts or attacks.
Return: Stops processing the current rule chain and returns control to a higher-level chain. It effectively passes the decision-making process back to the parent rule or a default action, depending on how the firewall is structured. For example, you might have a custom chain for handling traffic from a specific IP range or port. If none of the conditions in this custom chain are met, you can use Return to go back to the general firewall rules, ensuring that packets not matching the custom conditions are processed by the default chain.
Enabled / Disabled: This field allows you to enable or disable the rule. When enabled, the rule will be active and will enforce the specified traffic control. If disabled, the rule will not be applied.
Description: Use this field to provide a brief label or explanation for the rule. For example: Block all traffic from IP range 192.168.1.0/24 to the internet.
Important: When configuring outbound firewall block rules to restrict all outbound traffic, it is crucial to ensure that specific exceptions are made for essential services. Blocking all outbound traffic will prevent users from accessing the internet.
To maintain web access while enforcing a comprehensive block, you should create additional port-specific rules that allow traffic.
Port Forward Rules direct incoming traffic from a specific external port to a designated internal IP address and port on a private network. This allows external devices to communicate with specific services hosted on devices within the network, such as web or application servers.
Port forwarding exposes internal services directly to the internet, increasing the attack surface and the risk of exploitation by hackers.
Organisations should opt for more secure methods such as VPNs (Virtual Private Networks), which provide secure access without exposing internal services directly to the internet. Overall, while port forwarding can be necessary for certain applications, it should be done with caution and accompanied by robust security measures.
To configure a new port forwarding rule:
Select the Add Rule button.
Inbound Interface: This option allows the rule to apply to traffic coming in through the selected interface (usually WAN).
Source: This field defines where the inbound traffic originates from.
Source Range: Define a specific IP range from which inbound traffic is permitted. For example, enter 203.0.113.0/24 to allow traffic only from that range.
Destination: This specifies the destination device or network for the incoming traffic. This would normally be left on the default Any Destination option.
Destination Range: Define a specific IP range to which inbound traffic is permitted. This is normally left on the default setting Any Destination.
Source IP Set: In addition to specifying a source range, you could alternatively define a Source IPset to use a predefined set of allowed IP or MAC addresses. This would normally be left on the default Any.
Destination IP Set: In addition to specifying a destination range, you could alternatively define a Destination IPset to use a predefined set of allowed IP or MAC addresses. This would normally be left on the default Any.
Protocol: This setting allows the rule to apply to traffic using certain protocols (TCP, UDP, etc.). Setting this to Any Protocol means the rule is not restricted to a specific type of traffic, and will filter all protocols.
Source Port: The originating port on the external device that is associated with the inbound traffic. This would normally be left on the default Any Source Port.
Destination Port: Refers to the specific port number on the server or device that is receiving the incoming traffic.
Single Port: Specify the port number that will be forwarded (e.g. 443)
Multi Port: Specify the port numbers that will be forwarded separated by comma (e.g. 21,80,443)
State: This refers to the connection state of the traffic.
Any State: The rule applies to all states of traffic, whether it's a new connection, an established one, or related traffic.
New: Refers to a new incoming connection that is not part of any existing session. This is the initial state for a new traffic flow or session. This is the default option.
Established: Represents traffic that is part of an already established connection. It indicates that the connection has already been acknowledged by both the source and destination.
Related: Refers to traffic that is related to an existing, established connection, but is a separate data stream. For example, an FTP data connection is related to an existing FTP control connection.
Invalid: Represents packets that do not correspond to any known connection or session. These packets could be malformed or part of a failed connection attempt and are typically dropped or blocked.
Untracked: Refers to traffic that is not being tracked by the firewall’s connection tracking system. This traffic is allowed or blocked without regard to the state of the connection.
Action: The action defines how the rule will handle the traffic.
Accept: Allows the packet to pass through the firewall and continue to its destination. This action permits the traffic based on the firewall rule's conditions.
Return: Stops processing the current rule chain and returns control to a higher-level chain. It effectively passes the decision-making process back to the parent rule or a default action, depending on how the firewall is structured. For example, you might have a custom chain for handling traffic from a specific IP range or port. If none of the conditions in this custom chain are met, you can use Return to go back to the general firewall rules, ensuring that packets not matching the custom conditions are processed by the default chain.
DNAT: Redirects incoming traffic from an external source to an internal server or device. Select this option when configuring port forwarding.
Target Address: The IP address of the internal server or device to which ports are forwarded, e.g. 192.168.1.240. If Single Port was selected earlier, enter it here again, e.g. 192.168.1.240:443. If Multi Port was selected instead, leave this field blank.
Enabled / Disabled: This field allows you to enable or disable the rule. When enabled, the rule will be active and will enforce the specified traffic control. If disabled, the rule will not be applied.
Hammer Protection: A security feature designed to prevent or mitigate brute-force attacks and denial-of-service (DoS) attacks. It involves implementing rate limiting or blocking mechanisms to protect against repeated attempts to access a resource, such as a login page or a network service. Specify the connection limit as a number of connections within an amount of time. The iShield uses these thresholds for the number of allowed connection attempts from a remote host within a specific time frame. Exceeding this limit results in blocking the remote host for the same amount of time.
Enabled / Disabled: This field allows you to enable or disable the rule.
Description: Use this field to provide a brief label or explanation for the rule. For example: Forward traffic from IP range 203.0.113.0/24 to internal web server.
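The following added example (not iShield code) shows the mechanism Hammer Protection describes, implemented as a sliding window in Python, followed by the address rewrite the Target Address field implies: more than limit attempts from one remote host inside window seconds blocks that host for window seconds, and attempts made while blocked are not counted towards a new window. Whether the iShield uses a sliding or a fixed window, and the constructed hosts, timestamps and thresholds, are assumptions.

```python
# Added example (not iShield code): a sliding-window "hammer" limiter plus the
# DNAT rewrite a port-forward rule performs. Thresholds, hosts and timestamps
# are constructed; the iShield's real parameters are not on this page.
from collections import defaultdict, deque


class HammerLimiter:
    """Block a remote host for `window` seconds once it exceeds `limit`
    connection attempts within any `window`-second span."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.attempts = defaultdict(deque)   # host -> timestamps of recent attempts
        self.blocked_until = {}              # host -> time the block expires

    def check(self, host: str, now: float) -> str:
        expiry = self.blocked_until.get(host)
        if expiry is not None:
            if now < expiry:
                return "BLOCKED"             # block still active, attempt not counted
            del self.blocked_until[host]     # block expired, start with a clean slate
        q = self.attempts[host]
        q.append(now)
        while q and now - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked_until[host] = now + self.window
            q.clear()
            return "BLOCK"                   # threshold exceeded: block for `window`
        return "ALLOW"


def dnat_target(target_address: str, dport: int) -> str:
    """Single Port rules carry host:port; Multi Port rules carry only the host
    and keep the original destination port (per the Target Address field)."""
    if ":" in target_address:
        return target_address
    return f"{target_address}:{dport}"


def forward(limiter: HammerLimiter, host: str, dport: int, now: float, target: str):
    """Apply hammer protection, then DNAT. Returns (verdict, rewritten destination)."""
    verdict = limiter.check(host, now)
    if verdict != "ALLOW":
        return verdict, None
    return "ALLOW", dnat_target(target, dport)


def run_scenario():
    """Constructed attempts: host A hammers the forwarded port, host B is spread out."""
    lim = HammerLimiter(limit=3, window=10)
    events = [("A", 0), ("A", 1), ("A", 2), ("A", 3), ("A", 5), ("A", 13),
              ("B", 0), ("B", 20), ("B", 40), ("B", 45)]
    return [forward(lim, h, 443, t, "192.168.1.240:443")[0] for h, t in events]


if __name__ == "__main__":
    print(run_scenario())
```

With a limit of 3 connections in 10 seconds, host A's fourth attempt at t=3 trips the block, its attempt at t=5 is refused without being counted, and at t=13 the 10-second block has expired so it is allowed again; host B never has more than two attempts inside any 10-second span and is never blocked.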
Inter-VLAN rules help isolate sensitive data by restricting access between VLANs, ensuring that only authorised users or devices can communicate across different segments of the network.
Enable or disable access between various VLANs by toggling the buttons on or off as required.
Some scenarios may require one-way traffic between specific hosts located on different VLANs. For example, workstations on vlan10 might require access to a web server for an intranet service located on vlan20, while otherwise no devices from either VLAN should be able to communicate with one another. For these scenarios, follow the steps below:
Select the Add Rule button.
Inbound Interface: This option allows the rule to apply to traffic originating from the selected interface (e.g. vlan10).
Outbound Interface: This setting defines the interface the traffic is destined for (e.g. vlan20).
Source Device: Select either MAC Address, Identity, Policies. This would normally be left on the default Any Device option.
Source: This field defines where the inbound traffic originates from.
Source Range: Define a specific IP range from which outbound traffic is permitted or blocked. For example, if you only want to allow or block traffic from the VLAN IP range 192.168.10.0/24.
Destination: This specifies the destination device or network for the outgoing traffic.
Destination Range: Define a specific IP range to which traffic is permitted. For example, the VLAN host IP address 192.168.20.240/32.
Source IP Set: In addition to specifying a source range, you could alternatively define a Source IPset to use a predefined set of allowed IP or MAC addresses.
Destination IP Set: In addition to specifying a destination range, you could alternatively define a Destination IPset to use a predefined set of allowed IP or MAC addresses.
Protocol: This setting allows the rule to apply to traffic using certain protocols (TCP, UDP, etc.). Setting this to Any Protocol means the rule is not restricted to a specific type of traffic, and will filter all protocols.
State: This refers to the connection state of the traffic.
Any State: The rule applies to all states of traffic, whether it's a new connection, an established one, or related traffic.
New: Refers to a new incoming connection that is not part of any existing session. This is usually the preferred option.
Established: Represents traffic that is part of an already established connection. It indicates that the connection has already been acknowledged by both the source and destination.
Related: Refers to traffic that is related to an existing, established connection, but is a separate data stream. For example, an FTP data connection is related to an existing FTP control connection.
Invalid: Represents packets that do not correspond to any known connection or session. These packets could be malformed or part of a failed connection attempt and are typically dropped or blocked.
Untracked: Refers to traffic that is not being tracked by the firewall’s connection tracking system. This traffic is allowed or blocked without regard to the state of the connection.
Action: The action defines how the rule will handle the traffic.
Accept: Allows the packet to pass through the firewall and continue to its destination. This action permits the traffic based on the firewall rule's conditions.
Reject: Blocks the packet and sends an error response back to the sender, notifying that the connection or request was rejected. This is useful for providing feedback that the traffic was intentionally blocked.
Drop: Silently discards the packet without sending any response to the sender. This action makes it seem like the traffic is being ignored or lost, which can be useful for reducing unwanted attempts or attacks.
Return: Stops processing the current rule chain and returns control to a higher-level chain. It effectively passes the decision-making process back to the parent rule or a default action, depending on how the firewall is structured. For example, you might have a custom chain for handling traffic from a specific IP range or port. If none of the conditions in this custom chain are met, you can use Return to go back to the general firewall rules, ensuring that packets not matching the custom conditions are processed by the default chain.
Enabled / Disabled: This field allows you to enable or disable the rule. When enabled, the rule will be active and will enforce the specified traffic control. If disabled, the rule will not be applied.
Description: Use this field to provide a brief label or explanation for the rule. For example: Allow all traffic from vlan10 192.168.10.0/24 to vlan20 www server.
GeoBlocking is a network security technique that restricts or allows access to resources based on the geographic location of the user’s IP address. This method is commonly used by organisations to control the availability of their services or content depending on the user's region.
Simply click on the available countries shown on the world map to block or unblock traffic to/from the selected country.
Alternatively, select the Add Country button to select a country from the list.
Geoblocking exclusions: A supplier located in a restricted country needs to access the e-commerce platform to manage inventory or fulfill orders. By implementing geoblocking exclusions for specific IP addresses associated with that supplier, the company can maintain security while still facilitating necessary business operations.
Select the Add Exclusion button.
IP Address/CIDR: The IP address or range to be excluded, e.g. 203.0.113.0/24
Description: Use this field to provide a brief label or explanation for the rule.
Block TOR network nodes: Prevent access to the TOR network, which is a decentralised network designed to anonymise internet traffic. Block TOR to deter users from engaging in illicit activities, such as accessing illegal content, conducting fraud, or bypassing security measures.
Grouping IP or MAC addresses into sets simplifies the configuration of firewall rules. Instead of specifying individual addresses, you can refer to a set, making it easier to manage complex rules.
Select the Add IPSet button.
Name: Provide a name for the set.
Type: Select either IPv4 or MAC.
Description: Use this field to provide a brief label or explanation for the rule.
Select the Add Rule button.
Enter the IP range or MAC address based on your selection.
Provide an optional description if required.
Select the Create IPSet button to complete adding the new set.