5.2.4. Editing Rule Set Objects

Firewalls and clusters can have one or more of the following types of rule sets: access policy, NAT, and routing. A firewall has, by default, one access policy rule set, one NAT rule set, and one routing rule set. However, you can add additional rule sets if you need them.

Rule sets are child objects of a firewall object. They cannot stand alone.

As objects, rule sets have parameters. In Firewall Builder, rule sets have the following parameters:

  • Name: The name of the rule set. If you only have one of each type of rule set, you can leave this at its default.

  • Rule set family: This pull-down menu lets you specify whether the policy compiler should treat the rule set as an IPv4 rule set, an IPv6 rule set, or a combined rule set. If set to IPv4, then only IPv4 rules are processed and IPv6 rules are ignored. The opposite is true if you specify an IPv6 rule set. If you select "This is combined IPv4 and IPv6 rule set", then the compiler processes both types of rules and places them into the appropriate places in the install script.

  • filter+mangle table or mangle table: These radio buttons let you specify whether the rules apply to the iptables filter table and mangle table, or just to the mangle table. (These radio buttons only appear for access policy rule sets, and only for iptables.) Under most circumstances, the compiler places each rule into the correct table (filter or mangle) automatically. However, some combinations of service objects and actions are ambiguous and can be used in both filter and mangle tables. In cases like these, you can clarify things for the compiler by creating a separate policy rule set to be translated only into the mangle table.

  • Top ruleset: One of your rule sets must be the "top" rule set. The top rule set is the one used by the firewall. Other rule sets of that type are used only if you branch to them using branching logic in the top rule set. (If you don't use branching, then only the rule set tagged as "top" is used.)

  • Comment: A free-form comment field.

Figure 5.17. Rule set options
