  1. #1
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39

    Question Filter (All protocols) vs Firewall (TCP/UDP) ?? + Possible product suggestion

    I read that the [Config/Networking/Filter] rules will process all traffic going through the firewall. This includes the bypassed rules and all protocols.

    Question 1: Does Untangle process this ahead of the IPS?

    I read that the Firewall app rule set can only filter tcp/udp traffic.

    Question 2: If this is true, why have the other protocols listed as available options in the firewall rule creation gui?

    Reference: https://wiki.untangle.com/index.php/Filter_Rules

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,961


    Filter is IPTables, that's the Linux kernel. It sees things both before, and after the UVM does, and anything running therein. The UVM is software running on Linux. Linux must send the stuff into and out of the UVM, as well as run the NICs themselves. So the kernel sees all that traffic on the way in, and the way out.

    So to answer Q1, yes filter happens first. As does bypass rules, port forwarding rules, etc... these are all actions performed by IPTables.

    To answer Q2, the entirety of the UVM only processes UDP and TCP packets. This is done for performance reasons. Therefore, a UVM app, such as the Firewall can also only see TCP or UDP packets, that's why the options there are limited.

    ---- Here comes the why, you did ask... but wall of text ---

    If you've not seen UVM before, that's Untangle Virtual Machine, it's the name of the massive Java app that serves as Untangle's heart. The name is a bit deceptive, because while it's a virtual machine, its purpose is to run other virtual machines... things we used to refer to as rack servers, then rack applications, and now simply apps. So you could in some ways think of the UVM as a hypervisor.

    So, if you look at your Apps tab in the UI, you'll see Apps, and Service Apps as categories. Apps exist per "rack", now known as policy. Service Apps exist once per server. You can logically consider each individual app a separate server, running within the UVM, which sits on top of the Linux Kernel. That's also why there is no order in terms of app processing. The UVM provides a virtual pipeline that connects all the apps in PARALLEL! They all process the packets at the same time! Which is why Untangle can do all this stuff as quickly as it does, and why Untangle REALLY loves it when you throw more CPU cores at it. A new network session needs a green light from every app the policy determines it's subject to BEFORE it passes the server.

    And IPTables has to get it to Untangle before all that even happens.

    So NIC -> Kernel (IPtables) -> UVM -> Policy -> Apps -> UVM -> Kernel -> NIC

    Clear as mud?
    Last edited by sky-knight; 05-30-2020 at 09:07 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
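    The pipeline described above (NIC -> kernel/iptables Filter -> UVM -> apps), reduced to a small constructed Python model. This is an added illustration, not Untangle's code; the class and function names are assumptions. It shows the gotcha the thread is about: a rule for a non-TCP/UDP protocol placed in the Firewall app never fires, because such traffic never enters the UVM, whereas the same rule at the kernel Filter stage does.

```python
from dataclasses import dataclass

# Constructed, simplified model of the flow described in the post; not Untangle code.
UVM_PROTOCOLS = {"tcp", "udp"}   # the UVM only dispatches these to apps

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp", "gre", ...
    dst_port: int = 0

@dataclass(frozen=True)
class Rule:
    proto: str        # protocol to match ("any" matches everything)
    action: str       # "block" or "pass"

    def matches(self, pkt):
        return self.proto == "any" or self.proto == pkt.proto

def kernel_filter(pkt, filter_rules):
    """Config/Networking/Filter stage (iptables): evaluated for every protocol."""
    for rule in filter_rules:
        if rule.matches(pkt):
            return rule.action
    return "pass"

def firewall_app(pkt, app_rules):
    """Firewall app inside the UVM: first matching rule decides (default pass)."""
    for rule in app_rules:
        if rule.matches(pkt):
            return rule.action
    return "pass"

def uvm(pkt, apps):
    """UVM dispatch: non-TCP/UDP traffic never enters; every app must approve."""
    if pkt.proto not in UVM_PROTOCOLS:
        return "bypassed-uvm"
    verdicts = [app(pkt) for app in apps]   # conceptually evaluated in parallel
    return "pass" if all(v == "pass" for v in verdicts) else "block"

def pipeline(pkt, filter_rules, apps):
    """NIC -> kernel filter -> UVM (apps) -> kernel -> NIC, reduced to one verdict."""
    if kernel_filter(pkt, filter_rules) == "block":
        return "blocked-by-filter"
    verdict = uvm(pkt, apps)
    return "blocked-by-app" if verdict == "block" else verdict

# Constructed scenario: the same ICMP block rule in the Firewall app vs the kernel Filter.
icmp_block = [Rule("icmp", "block")]
in_app_only = pipeline(Packet("icmp"), [], [lambda p: firewall_app(p, icmp_block)])
in_filter = pipeline(Packet("icmp"), icmp_block, [lambda p: firewall_app(p, [])])
```

Checking `in_app_only` against `in_filter` makes the difference visible: the app-level rule yields "bypassed-uvm" (the rule was never consulted), the Filter-level rule yields "blocked-by-filter".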

  3. #3
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39


    Thank you for that. I think it makes sense to me as it sounds similar to my audio recording software and its (virtual rack based) plugins within it.

    So would I be wrong in suggesting that the other protocols be removed from the firewall rule creation GUI? Additionally, maybe put a note in the box stating "for other protocols, please use the kernel based filter"? It is stated in the wiki, but I didn't originally feel the need to reference it as the options were there in the firewall app and left me with a false sense of a valid rule. Potentially dangerous, and it leaves me wondering what other gotchas are like that.

    fprotocols2.jpg

  4. #4
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,447


    Wow that is mind-boggling.
    Thanks for the fresh eyes!

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,961


    Quote Originally Posted by propellherhead333
    Thank you for that. I think it makes sense to me as it sounds similar to my audio recording software and its (virtual rack based) plugins within it.

    So would I be wrong in suggesting that the other protocols be removed from the firewall rule creation GUI? Additionally, maybe put a note in the box stating "for other protocols, please use the kernel based filter"? It is stated in the wiki, but I didn't originally feel the need to reference it as the options were there in the firewall app and left me with a false sense of a valid rule. Potentially dangerous, and it leaves me wondering what other gotchas are like that.

    fprotocols2.jpg
    I think the firewall has those tick boxes because it uses the same protocol dialog as the filter. But, yeah, it is confusing and there should be something done about that.
