Create a firewall configuration that blocks all inbound access on all ports, except for traffic from devices within a specific IP address or subnet range access on port 80, and also block all outbound traffic on all ports, allowing only specific traffic over a specific port.
Com.X GUI access
GUI access is facilitated via HTTP on the default HTTP port, 80. A rule should be configured to allow access at port 80.
1. Log into Com.X GUI
2. Select the Network tab.
3. Under Network, select Firewall page
4. Select Options and then Rule Wizard (see screenshot below).
5. Select Inbound access.
6. Enter the Source IP Address. This IP address or range of IP addresses limits which machines on the internet can make use of the rule.
7. Enter the Source start port, the port to open for inbound access; this will be 80.
8. Enter the Protocol, the transport protocol to be used on this route (select between TCP and UDP).
9. Enter the Log Level, an optional log level for connections in the system log.
10. Enter a Description, a unique name or description to aid in identifying this route.
11. Select Accept, and then Review Apply.
The rule configured above will allow access on port 80 of the public IP address of the Com.X interface (and any interface set to be in the “Internet” zone) to IP address 41.135.83.24.
12. Place network ports into the Internet zone by right-clicking on each network interface, selecting Edit, and changing Firewall zone to Internet (see screenshot below).
13. When configuring inbound access rules for each interface subnet, i.e. eth0, eth1, etc., repeat the above process.
Com.X SSH terminal access
SSH terminal access is provided on port 22 by default, so access to port 22 needs to be configured through the firewall.
1. Configure an inbound access route to allow a specific IP address or subnet range access on port 22 by repeating the above process.
2. Instead of the Source start port being 80 as above, it will be 22 for SSH access.
The rule configured above will allow SSH access on port 22 of the public IP address of the Com.X interface (and any interface set to be in the “Internet” zone) to IP address 41.135.83.24.
3. Since SSH access defaults to port 22, you do not need to include a port in the “ssh comma@<com.X-IP>” command.
Inbound access for each interface subnet
1. Configure an Inbound access route for each interface subnet, i.e. eth0, eth1, etc., to allow specific IP ranges access on a specific port.
2. Configure inbound access rules for each interface subnet, i.e. eth0, eth1, etc., by repeating the above process.
3. When entering the Source IP address, ensure that the address ends in 0/24 as below (for example, 192.168.101.0/24 allows inbound access for IP addresses in the range 192.168.101.0 to 192.168.101.255).
The rule configured above will allow HTTP access on port 80 of the public IP address of the Com.X interface (in this case eth1, which has IP address 192.168.101.1 and is set to be in the "Internet" zone), so that any device in the 192.168.101.X subnet can communicate via the selected port.
If a network interface is configured to serve as a DHCP server so that SIP extensions can be registered, then, in conjunction with the above inbound access rule, a similar inbound access rule needs to be configured with only the Source start port changed to 5060, to allow SIP traffic access over port 5060.
Allowing Outbound access for Wanderweb
Once the above has been configured, you can create an Advanced rule that allows outbound access to Wanderweb.net on port 443.
1. Select the Network tab.
2. Under Network, select Firewall page.
3. Select Options and then Rule wizard.
4. Select Advanced (see screenshot below for the Advanced window).
5. Keep the Rule type and the Source zone as they are.
6. Enter the Destination zone as the Internet.
7. Enter the Source start port as 5984.
8. Enter the Source IP Address only if communicating with a particular IP address.
9. Enter the Protocol as TCP, the transport protocol to be used on this route.
10. Enter the Log Level, an optional log level for connections in the system log.
11. Enter a Description, a unique name or description to aid in identifying this route.
12. Select Accept, and then Review Apply.
The rule configured above will allow the Com.X to initiate communication with Wanderweb.net over the internet on port 5984.
13. Repeat the above process and configure an Advanced rule that also allows Wanderweb outbound access on port 5984 (see screenshot below).
The rule configured above will allow the Com.X to interact with Wanderweb.net over the internet on port 443.
To allow complete outbound access to Wanderweb and its features, the following Advanced rules need to be configured in conjunction with the Advanced rule configured above.
14. Access to the DNS server is required in order to navigate to wanderweb.net, using the source IP of the DNS server (in this case 8.8.8.8 is the DNS server). An inbound access rule is created with the standard port of 8.8.8.8, port 53, and TCP as the protocol.
15. The DNS server needs outbound access, and therefore we create an Advanced rule for 8.8.8.8 with a Source start port of 53 and a destination IP address of 8.8.8.8.
16. Repeat the above process and configure an Advanced rule that allows the TURN server outbound access on ports 49152 to 65535 with a Protocol of UDP (see screenshot below).
17. Repeat the above process and configure an Advanced rule that allows the STUN server outbound access on ports 3478 to 3479 with a Protocol of UDP (see screenshot below).
Then change the policy for traffic from the Com.X zone to the Internet zone to Drop or Reject; outbound access will then only be allowed through the Advanced rules configured above.
18. Under Policies, right-click on the first heading, Com.X zone to Internet zone (see screenshot below).
19. Select edit, and change the Policy from Accept to either Drop or Reject (see screenshot below).
20. Select Accept and Review Apply the changes.
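The following is an added example, not Com.X code or output: it transcribes the inbound and outbound rules configured above into a small first-match evaluator, so the finished policy can be checked against sample flows before the Drop policy is applied. The SIP protocol (UDP), the Wanderweb.net address (left as "any" since the page does not give it) and treating each rule's service port as the destination port are assumptions.

```python
"""Added example: first-match evaluator for the firewall policy described on this page.
Not Com.X code. The rule table transcribes the page's GUI rules; the SIP protocol (udp)
and the Wanderweb.net address ('any') are assumptions, as is using the destination port."""
import ipaddress

# Each rule: (direction, protocol, source network, destination network, (low, high) port, action)
# 'any' matches every address; a single port is written as (p, p).
RULES = [
    # Inbound: GUI access and SSH from the one permitted management address
    ("in",  "tcp", "41.135.83.24/32",  "any",        (80, 80),       "accept"),
    ("in",  "tcp", "41.135.83.24/32",  "any",        (22, 22),       "accept"),
    # Inbound on eth1 (Internet zone): the 192.168.101.0/24 subnet on port 80 and SIP 5060
    ("in",  "tcp", "192.168.101.0/24", "any",        (80, 80),       "accept"),
    ("in",  "udp", "192.168.101.0/24", "any",        (5060, 5060),   "accept"),  # udp assumed
    # Inbound rule for the DNS server exactly as the page describes it (8.8.8.8, port 53, tcp)
    ("in",  "tcp", "8.8.8.8/32",       "any",        (53, 53),       "accept"),
    # Outbound (Com.X zone -> Internet zone) once the default policy has been set to Drop
    ("out", "tcp", "any",              "any",        (5984, 5984),   "accept"),  # Wanderweb.net
    ("out", "tcp", "any",              "any",        (443, 443),     "accept"),  # Wanderweb.net
    ("out", "tcp", "any",              "8.8.8.8/32", (53, 53),       "accept"),  # DNS
    ("out", "udp", "any",              "any",        (49152, 65535), "accept"),  # TURN
    ("out", "udp", "any",              "any",        (3478, 3479),   "accept"),  # STUN
]


def _match(net: str, addr: str) -> bool:
    """True when addr lies inside net, or net is the wildcard 'any'."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(direction: str, proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new connection; the first matching rule wins
    and anything unmatched falls through to the Drop policy of step 19."""
    for d, p, snet, dnet, (lo, hi), action in RULES:
        if (d == direction and p == proto and lo <= dport <= hi
                and _match(snet, src) and _match(dnet, dst)):
            return action
    return "drop"


if __name__ == "__main__":
    # Constructed sample flows (addresses other than those on the page are made up)
    for flow in [("in", "tcp", "41.135.83.24", "196.0.0.10", 80),
                 ("in", "tcp", "41.135.83.25", "196.0.0.10", 80),
                 ("in", "udp", "192.168.101.77", "192.168.101.1", 5060),
                 ("out", "udp", "192.168.101.1", "203.0.113.9", 50000),
                 ("out", "tcp", "192.168.101.1", "203.0.113.9", 25)]:
        print(flow, "->", evaluate(*flow))
```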