Firewall Rules Order
Firewall rules are evaluated from top to bottom. Each rule has a priority based on its position in the list.
When traffic matches a rule:
The configured action is applied.
No further rules are evaluated.
Rule order is critical. More specific rules should generally be placed above broader rules to ensure correct traffic handling.
“Is Not” Conditions
Some firewall rule fields include a ! (not) option. This allows administrators to create negative matching conditions.
An “is not” condition excludes specific traffic from matching a rule.
For example:
Block all traffic that is not using port 443
This provides additional flexibility when defining firewall rules.
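The top-to-bottom, first-match evaluation and the “is not” option described above, shown as an added Python example (not code from this page or from the iShield itself). The rule layout is constructed: each match field is a (value, negate) pair on the fields src, proto and dport, and the rule names, addresses and packets are made up for the illustration. The shadowed() check goes slightly beyond the text: it reports a rule that can never fire because a broader rule sits above it, which is the ordering mistake the page warns about.

```python
import ipaddress

# Added example (not the product's own code). Rules are evaluated top to bottom and the
# first match wins. Every match field is a (value, negate) pair; negate=True is the
# "is not" (!) option. A field left out of a rule matches anything.
# Field names, packet layout and the sample rule table are constructed for illustration.

def field_matches(field, condition, packet):
    """True when one rule field matches the packet, honouring the '!' (is not) flag."""
    want, negate = condition
    if field == "src":
        hit = ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(want)
    else:
        hit = packet[field] == want
    return hit != negate          # negate flips the result: match when the field is NOT 'want'

def evaluate(rules, packet, default="drop"):
    """Walk the table top to bottom; apply the first rule whose fields all match."""
    for rule in rules:
        if all(field_matches(f, c, packet) for f, c in rule["match"].items()):
            return rule["action"], rule["name"]
    return default, "default-policy"  # no rule matched: fall through to the default action

def implies(field, earlier, later):
    """True when the earlier rule's condition is satisfied whenever the later rule's is."""
    (ev, en), (lv, ln) = earlier, later
    if en != ln:
        return False
    if ev == lv:
        return True
    if field == "src" and not en:     # a narrower source subnet lies inside the wider one
        return ipaddress.ip_network(lv).subnet_of(ipaddress.ip_network(ev))
    return False

def shadowed(rules):
    """List (rule, shadowing_rule) pairs: the rule can never fire because an earlier,
    broader rule always matches first. Only definite cases are reported."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(f in later["match"] and implies(f, c, later["match"][f])
                   for f, c in earlier["match"].items()):
                found.append((later["name"], earlier["name"]))
                break
    return found

ALLOW_ADMIN_SSH = {"name": "allow-admin-ssh", "action": "accept",
                   "match": {"src": ("203.0.113.0/24", False), "proto": ("tcp", False), "dport": (22, False)}}
BLOCK_SSH       = {"name": "block-ssh", "action": "drop", "match": {"dport": (22, False)}}
# The page's example: block all traffic that is NOT using port 443.
BLOCK_NON_HTTPS = {"name": "block-non-https", "action": "drop", "match": {"dport": (443, True)}}
ALLOW_HTTPS     = {"name": "allow-https", "action": "accept", "match": {"dport": (443, False)}}

RULES_SPECIFIC_FIRST = [ALLOW_ADMIN_SSH, BLOCK_SSH, BLOCK_NON_HTTPS, ALLOW_HTTPS]  # correct order
RULES_BROAD_FIRST    = [BLOCK_SSH, ALLOW_ADMIN_SSH, BLOCK_NON_HTTPS, ALLOW_HTTPS]  # specific rule shadowed

if __name__ == "__main__":
    admin_ssh = {"src": "203.0.113.10", "proto": "tcp", "dport": 22}
    print(evaluate(RULES_SPECIFIC_FIRST, admin_ssh))   # ('accept', 'allow-admin-ssh')
    print(evaluate(RULES_BROAD_FIRST, admin_ssh))      # ('drop', 'block-ssh'): the broad rule fired first
    print(shadowed(RULES_BROAD_FIRST))                 # [('allow-admin-ssh', 'block-ssh')]
```

Swapping the two SSH rules changes the verdict for the admin range without any rule being wrong on its own; shadowed() is the kind of check worth running over a rule table before saving it.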
Inbound Forwarding Rules control how incoming requests from external networks are forwarded to internal devices or services.
To configure which external requests are allowed and where they are directed within the network:
Select the Add Rule button.
Inbound Interface: This option allows the rule to apply to traffic coming in through the selected interface (such as WAN, LAN, VLAN etc.).
Outbound Interface: This setting defines the interface the traffic is forwarded to after entering the network (such as WAN, LAN, VLAN etc.).
Source: This field defines where the inbound traffic originates from.
Source Range: Define a specific IP range from which inbound traffic is permitted. For example, enter 203.0.113.0/24 to allow traffic only from that IP range.
Destination: This specifies the destination device or network for the incoming traffic.
Destination Range: Define a specific IP range to which inbound traffic is permitted. For example, enter 192.168.20.0/24 to allow traffic only to that IP range.
Source IP Set: In addition to specifying a source range, you could alternatively define a Source IPset to use a predefined set of allowed IP or MAC addresses.
Destination IP Set: In addition to specifying a destination range, you could alternatively define a Destination IPset to use a predefined set of allowed IP or MAC addresses.
Protocol: This setting allows the rule to apply to traffic using certain protocols (TCP, UDP, etc.). Setting this to Any Protocol means the rule is not restricted to a specific type of traffic, and will accept all protocols.
State: This refers to the connection state of the traffic.
Any State: The rule applies to all states of traffic, whether it's a new connection, an established one, or related traffic.
New: Refers to a new incoming connection that is not part of any existing session. This is the initial state for a new traffic flow or session.
Established: Represents traffic that is part of an already established connection. It indicates that the connection has already been acknowledged by both the source and destination.
Related: Refers to traffic that is related to an existing, established connection, but is a separate data stream. For example, an FTP data connection is related to an existing FTP control connection.
Invalid: Represents packets that do not correspond to any known connection or session. These packets could be malformed or part of a failed connection attempt and are typically dropped or blocked.
Untracked: Refers to traffic that is not being tracked by the firewall’s connection tracking system. This traffic is allowed or blocked without regard to the state of the connection.
Action: The action defines how the rule will handle the traffic.
Accept: Allows the packet to pass through the firewall and continue to its destination. This action permits the traffic based on the firewall rule's conditions.
Reject: Blocks the packet and sends an error response back to the sender, notifying that the connection or request was rejected. This is useful for providing feedback that the traffic was intentionally blocked.
Drop: Silently discards the packet without sending any response to the sender. This action makes it seem like the traffic is being ignored or lost, which can be useful for reducing unwanted attempts or attacks.
Return: Stops processing the current rule chain and returns control to a higher-level chain. It effectively passes the decision-making process back to the parent rule or a default action, depending on how the firewall is structured. For example, you might have a custom chain for handling traffic from a specific IP range or port. If none of the conditions in this custom chain are met, you can use Return to go back to the general firewall rules, ensuring that packets not matching the custom conditions are processed by the default chain.
Enabled / Disabled: This field allows you to enable or disable the rule. When enabled, the rule will be active and will enforce the specified traffic control. If disabled, the rule will not be applied.
Description: Use this field to provide a brief label or explanation for the rule. For example: Allow HTTPS traffic from IP range 203.0.113.0/24 to an internal web server.
Forwarding Outbound Rules control traffic leaving your internal network and heading towards an external network (e.g., web requests, email traffic, etc.).
Controlling outbound traffic helps prevent data leaks, ensure proper usage, and block access to unauthorised or harmful external destinations. To configure an outbound rule:
Select the Add Rule button.
Inbound Interface: This option allows the rule to apply to traffic originating from the selected interface (usually LAN or VLAN).
Outbound Interface: This setting defines the interface the traffic is destined to (usually WAN).
Source Device: Select either MAC Address, Identity, Policies. This would normally be left on the default Any Device option.
Source: This field defines where the outbound traffic originates from.
Source Range: Define a specific IP range from which outbound traffic is permitted or blocked. For example, enter 192.168.1.0/24 to allow or block traffic only from that IP range.
Destination: This specifies the destination device or network for the outgoing traffic.
Destination Range: Define a specific IP range to which outbound traffic is permitted or blocked. This would normally be left on the default setting Any Destination.
Source IP Set: In addition to specifying a source range, you could alternatively define a Source IPset to use a predefined set of allowed IP or MAC addresses.
Destination IP Set: In addition to specifying a destination range, you could alternatively define a Destination IPset to use a predefined set of allowed IP or MAC addresses.
Protocol: This setting allows the rule to apply to traffic using certain protocols (TCP, UDP, etc.). Setting this to Any Protocol means the rule is not restricted to a specific type of traffic, and will filter all protocols.
State: This refers to the connection state of the traffic.
Any State: The rule applies to all states of traffic, whether it's a new connection, an established one, or related traffic.
New: Refers to a new incoming connection that is not part of any existing session. This is the initial state for a new traffic flow or session.
Established: Represents traffic that is part of an already established connection. It indicates that the connection has already been acknowledged by both the source and destination.
Related: Refers to traffic that is related to an existing, established connection, but is a separate data stream. For example, an FTP data connection is related to an existing FTP control connection.
Invalid: Represents packets that do not correspond to any known connection or session. These packets could be malformed or part of a failed connection attempt and are typically dropped or blocked.
Untracked: Refers to traffic that is not being tracked by the firewall’s connection tracking system. This traffic is allowed or blocked without regard to the state of the connection.
Action: The action defines how the rule will handle the traffic.
Accept: Allows the packet to pass through the firewall and continue to its destination. This action permits the traffic based on the firewall rule's conditions.
Reject: Blocks the packet and sends an error response back to the sender, notifying that the connection or request was rejected. This is useful for providing feedback that the traffic was intentionally blocked.
Drop: Silently discards the packet without sending any response to the sender. This action makes it seem like the traffic is being ignored or lost, which can be useful for reducing unwanted attempts or attacks.
Return: Stops processing the current rule chain and returns control to a higher-level chain. It effectively passes the decision-making process back to the parent rule or a default action, depending on how the firewall is structured. For example, you might have a custom chain for handling traffic from a specific IP range or port. If none of the conditions in this custom chain are met, you can use Return to go back to the general firewall rules, ensuring that packets not matching the custom conditions are processed by the default chain.
Enabled / Disabled: This field allows you to enable or disable the rule. When enabled, the rule will be active and will enforce the specified traffic control. If disabled, the rule will not be applied.
Description: Use this field to provide a brief label or explanation for the rule. For example: Block all traffic from IP range 192.168.1.0/24 to the internet.
Important: When configuring outbound firewall block rules to restrict all outbound traffic, it is crucial to ensure that specific exceptions are made for essential services. Blocking all outbound traffic will prevent users from accessing the internet.
To maintain web access while enforcing a comprehensive block, you should create additional port-specific rules that allow traffic.
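The State field (New, Established, Related, Invalid) described in the inbound and outbound rule sections, together with the note above about blocking all outbound traffic, as an added Python example that is not the iShield's own code. It pairs a minimal connection tracker with a default-deny outbound policy on the forwarding path. The packet layout (in_if, src, sport, dst, dport, proto, syn), the LAN and WAN addresses, the rule tables and the assumption that the policy sees both directions of a flow (LAN-to-WAN requests and WAN-to-LAN replies) are all constructed for the illustration.

```python
# Added example, not the product's own code: a minimal connection tracker plus an outbound
# policy on the forwarding path. Packet fields, addresses and rule tables are constructed.

NEW, ESTABLISHED, RELATED, INVALID = "new", "established", "related", "invalid"

class ConnTracker:
    """Stand-in for the firewall's connection tracking table."""
    def __init__(self):
        self.flows = set()     # 5-tuples of connections the firewall has accepted
        self.expected = set()  # (server, client) pairs allowed to open a RELATED data channel

    def classify(self, p):
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
        if key in self.flows or reverse in self.flows:
            return ESTABLISHED                      # either direction of a known connection
        if (p["src"], p["dst"]) in self.expected and p["sport"] == 20:
            return RELATED                          # FTP active-mode data channel (server port 20)
        if p["proto"] == "tcp" and not p.get("syn", False):
            return INVALID                          # mid-stream TCP segment with no known connection
        return NEW

    def record(self, p):
        """Track an accepted packet; an FTP control connection (port 21) sets up the expectation for its data channel."""
        self.flows.add((p["src"], p["sport"], p["dst"], p["dport"], p["proto"]))
        if p["proto"] == "tcp" and p["dport"] == 21:
            self.expected.add((p["dst"], p["src"]))

def evaluate(rules, state, p, default="drop"):
    """First matching rule decides; no match falls through to the default action."""
    for name, matches, action in rules:
        if matches(state, p):
            return action, name
    return default, "default-drop"

def run(rules, packets):
    """Feed packets through tracker and policy in order; returns (state, action, rule) per packet."""
    tracker, verdicts = ConnTracker(), []
    for p in packets:
        state = tracker.classify(p)
        action, name = evaluate(rules, state, p)
        if action == "accept":
            tracker.record(p)          # only accepted traffic enters the tracking table
        verdicts.append((state, action, name))
    return verdicts

def new_from_lan(proto, dport):
    return lambda s, p: s == NEW and p["in_if"] == "lan" and p["proto"] == proto and p["dport"] == dport

# Default-deny outbound policy with the port-specific exceptions the page's note calls for.
OUTBOUND_WITH_EXCEPTIONS = [
    ("allow-established-related", lambda s, p: s in (ESTABLISHED, RELATED), "accept"),
    ("allow-https-out", new_from_lan("tcp", 443), "accept"),
    ("allow-dns-out",   new_from_lan("udp", 53),  "accept"),
    ("allow-ftp-out",   new_from_lan("tcp", 21),  "accept"),
]
# "Block all outbound" with no exceptions: nothing, not even web traffic, gets out.
OUTBOUND_BLOCK_ALL = [("block-everything-out", lambda s, p: True, "drop")]

def pkt(in_if, src, sport, dst, dport, proto="tcp", syn=True):
    return {"in_if": in_if, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "syn": syn}

LAN_HOST, WEB, FTP, OUTSIDER = "192.168.1.10", "203.0.113.20", "203.0.113.30", "198.51.100.7"
PACKETS = [
    pkt("lan", LAN_HOST, 50000, WEB, 443),                   # NEW: HTTPS request out
    pkt("wan", WEB, 443, LAN_HOST, 50000),                   # ESTABLISHED: the reply
    pkt("lan", LAN_HOST, 50001, WEB, 443, syn=False),        # INVALID: ACK with no tracked connection
    pkt("lan", LAN_HOST, 50002, WEB, 80),                    # NEW to port 80: not an exception
    pkt("lan", LAN_HOST, 50003, FTP, 21),                    # NEW: FTP control connection
    pkt("wan", FTP, 20, LAN_HOST, 50004),                    # RELATED: FTP data channel from the server
    pkt("wan", OUTSIDER, 4444, LAN_HOST, 22),                # NEW from WAN: unsolicited, dropped
]

if __name__ == "__main__":
    for p, (state, action, rule) in zip(PACKETS, run(OUTBOUND_WITH_EXCEPTIONS, PACKETS)):
        print(f"{p['in_if']:>3} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}  {state:<11} {action:<6} {rule}")
```

The allow-established-related rule is what lets the reply and the FTP data channel back in; without it, only the outgoing half of each connection would pass. Running the same packets through OUTBOUND_BLOCK_ALL drops every one, including the HTTPS request, which is the situation the note above warns about.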
Port Forward Rules direct incoming traffic from a specific external port to a designated internal IP address and port on a private network. This allows external devices to communicate with specific services hosted on devices within the network, such as web or application servers.
Port forwarding exposes internal services directly to the internet, increasing the attack surface and the risk of exploitation by hackers.
Organisations should opt for more secure methods such as VPNs (Virtual Private Networks), which provide secure access without exposing internal services directly to the internet. Overall, while port forwarding can be necessary for certain applications, it should be done with caution and accompanied by robust security measures.
To configure a new port forwarding rule:
Select the Add Rule button.
Inbound Interface: This option allows the rule to apply to traffic coming in through the selected interface (usually WAN).
Source: This field defines where the inbound traffic originates from.
Source Range: Define a specific IP range from which inbound traffic is permitted. For example, enter 203.0.113.0/24 to allow traffic only from that IP range.
Destination: This specifies the destination device or network for the incoming traffic. This would normally be left on the default Any Destination option.
Destination Range: Define a specific IP range to which inbound traffic is permitted. This would normally be left on the default setting Any Destination.
Source IP Set: In addition to specifying a source range, you could alternatively define a Source IPset to use a predefined set of allowed IP or MAC addresses. This would normally be left on the default Any.
Destination IP Set: In addition to specifying a destination range, you could alternatively define a Destination IPset to use a predefined set of allowed IP or MAC addresses. This would normally be left on the default Any.
Protocol: This setting allows the rule to apply to traffic using certain protocols (TCP, UDP, etc.). Setting this to Any Protocol means the rule is not restricted to a specific type of traffic, and will filter all protocols.
Source Port: The originating port on the external device that is associated with the inbound traffic. This would normally be left on the default Any Source Port.
Destination Port: Refers to the specific port number on the server or device that is receiving the incoming traffic.
Single Port: Specify the port number that will be forwarded (e.g. 443).
Multi Port: Specify the port numbers that will be forwarded, separated by commas (e.g. 21,80,443).
State: This refers to the connection state of the traffic.
Any State: The rule applies to all states of traffic, whether it's a new connection, an established one, or related traffic.
New: Refers to a new incoming connection that is not part of any existing session. This is the initial state for a new traffic flow or session. This is the default option.
Established: Represents traffic that is part of an already established connection. It indicates that the connection has already been acknowledged by both the source and destination.
Related: Refers to traffic that is related to an existing, established connection, but is a separate data stream. For example, an FTP data connection is related to an existing FTP control connection.
Invalid: Represents packets that do not correspond to any known connection or session. These packets could be malformed or part of a failed connection attempt and are typically dropped or blocked.
Untracked: Refers to traffic that is not being tracked by the firewall’s connection tracking system. This traffic is allowed or blocked without regard to the state of the connection.
Action: The action defines how the rule will handle the traffic.
Accept: Allows the packet to pass through the firewall and continue to its destination. This action permits the traffic based on the firewall rule's conditions.
Return: Stops processing the current rule chain and returns control to a higher-level chain. It effectively passes the decision-making process back to the parent rule or a default action, depending on how the firewall is structured. For example, you might have a custom chain for handling traffic from a specific IP range or port. If none of the conditions in this custom chain are met, you can use Return to go back to the general firewall rules, ensuring that packets not matching the custom conditions are processed by the default chain.
DNAT: Redirects incoming traffic from an external source to an internal server or device. Select this option when configuring port forwarding.
Target Address: The IP address of the internal server or device to which ports are forwarded, e.g. 192.168.1.240. If Single Port was selected earlier, enter it here again, e.g. 192.168.1.240:443. If Multi Port was selected instead, leave this field blank.
Enabled / Disabled: This field allows you to enable or disable the rule. When enabled, the rule will be active and will enforce the specified traffic control. If disabled, the rule will not be applied.
Hammer Protection: A security feature designed to prevent or mitigate brute-force attacks and denial-of-service (DoS) attacks. It involves implementing rate limiting or blocking mechanisms to protect against repeated attempts to access a resource, such as a login page or a network service. Specify the connection limit as a number of connections within an amount of time. The iShield uses these thresholds for the number of allowed connection attempts from a remote host within a specific time frame. Exceeding this limit results in blocking the remote host for the same amount of time.
Enabled / Disabled: This field allows you to enable or disable the rule.
Description: Use this field to provide a brief label or explanation for the rule. For example: Forward traffic from IP range 203.0.113.0/24 to internal web server.
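The DNAT step and the Hammer Protection thresholds from the port-forwarding procedure above, as an added Python example (not the iShield's own code). It models the page's scenario of external port 443 forwarded to 192.168.1.240:443 with a limit of 3 connection attempts per 60 seconds, and a sliding-window limiter that blocks a source for the same 60 seconds once it exceeds that limit, which is the behaviour the page describes. The packet layout, the external address 203.0.113.1, the two source hosts and the timing of the attempts are constructed for the illustration.

```python
from collections import defaultdict, deque

# Added example, not the product's own code: a DNAT port-forward rule combined with a
# sliding-window Hammer Protection limiter. Packets, addresses and timings are constructed.

class HammerProtection:
    """Allow at most `limit` connection attempts per source within `window` seconds;
    a source that exceeds the limit is blocked for `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)   # source -> timestamps of recent attempts
        self.blocked_until = {}              # source -> time the block expires

    def allow(self, src, now):
        if self.blocked_until.get(src, 0) > now:
            return False                          # still inside the block period
        recent = self.attempts[src]
        recent.append(now)
        while recent and now - recent[0] >= self.window:
            recent.popleft()                      # forget attempts older than the window
        if len(recent) > self.limit:
            self.blocked_until[src] = now + self.window
            recent.clear()
            return False                          # this attempt is the one that tripped the limit
        return True

PORT_FORWARD = {
    "name": "forward-https-to-web-server",
    "in_if": "wan", "proto": "tcp", "dport": 443,   # Single Port 443 arriving on the WAN
    "target": ("192.168.1.240", 443),                # Target Address 192.168.1.240:443
    "hammer": (3, 60),                               # at most 3 connection attempts per 60 s per source
}

def apply_port_forward(rule, p, limiter, now):
    """Return ('no-match', p), ('drop', reason) or ('dnat', translated packet)."""
    if p["in_if"] != rule["in_if"] or p["proto"] != rule["proto"] or p["dport"] != rule["dport"]:
        return "no-match", p
    if not limiter.allow(p["src"], now):
        return "drop", "hammer-protection"
    # DNAT: rewrite the destination so the packet reaches the internal server
    return "dnat", dict(p, dst=rule["target"][0], dport=rule["target"][1])

def simulate(rule, timed_packets):
    """Run (time, packet) pairs in order through one rule with its own limiter state."""
    limiter = HammerProtection(*rule["hammer"])
    return [apply_port_forward(rule, p, limiter, t) for t, p in timed_packets]

def inbound(src, dport=443):
    return {"in_if": "wan", "src": src, "dst": "203.0.113.1", "proto": "tcp", "dport": dport}

NOISY, QUIET = "198.51.100.7", "203.0.113.10"
ATTEMPTS = [
    (0,  inbound(NOISY)), (1, inbound(NOISY)), (2, inbound(NOISY)),   # three attempts: forwarded
    (2,  inbound(QUIET)),                                             # another source: unaffected
    (3,  inbound(NOISY)),                                             # fourth within 60 s: blocked until t=63
    (4,  inbound(NOISY)), (61, inbound(NOISY)),                       # still inside the block
    (64, inbound(NOISY)),                                             # block expired: forwarded again
    (65, inbound(NOISY, dport=80)),                                   # port 80: this rule does not apply
]

if __name__ == "__main__":
    for (t, p), (verdict, detail) in zip(ATTEMPTS, simulate(PORT_FORWARD, ATTEMPTS)):
        if verdict == "dnat":
            detail = f"{detail['dst']}:{detail['dport']}"
        elif verdict == "no-match":
            detail = "falls through to the next rule"
        print(f"t={t:<3} {p['src']}:{p['dport']:<4} -> {verdict:<8} {detail}")
```

Each source has its own counter, so a noisy host being blocked does not affect the quiet one, and a port the rule does not cover is simply left to the rules below it. Because the limiter counts attempts rather than packets, it is best applied to new connections only, which matches the page's default State of New for port-forward rules.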
The network configuration has the option to allow traffic to traverse from one VLAN to another.
In the configuration below, VLAN 2 traffic can reach VLAN 50, but cannot reach VLAN 99. VLAN 50 can reach VLAN 2 and VLAN 99, and lastly, VLAN 99 cannot reach VLAN 2 but can traverse to VLAN 50.
This section of the configuration gives the network administrator the ability to block access to the iShield depending on location. The iShield determines the user's location by checking the user's internet IP address. As seen below, users coming from the countries in RED will be blocked and only those in GREEN will be allowed.
To add one or more countries to the Block list, the administrator simply needs to hover over the respective country and click on it, then click on Save changes, and lastly reload the unit for the changes to take effect.