The NetManager includes a full kernel-level firewall offering extremely high security. The firewall controls both access to the NetManager services and traffic passing through the NetManager if used as a gateway. The firewall is also responsible for:
The firewall can run in 3 modes:
In this mode, there is no filtering at all. It can be useful for testing whether a connectivity problem is firewall-related, but in general this mode should never be used.
Filter inward traffic
This is the default setting. Internal networks (or, more explicitly, network ranges configured as Trusted) will be able to send traffic to the outside without any filtering, but no external computer will be able to access any resources on your NetManager (except for sending email, which is allowed by default).
Filter inward and outward traffic
If you need to block internal users from accessing resources directly on the Internet or you have a complicated internal network structure (e.g. guest access VLAN or admin network separate from curriculum) you may want to use this mode. For example, if you have an unfiltered Internet connection, then if NAT is enabled, all users will be able to unset the proxy settings in their browser and get unfiltered access. By filtering the outward traffic, you can block all internal computers from sending HTTP requests (port 80) to the outside and thus force users to use your proxy.
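To make the difference between the three modes concrete, here is a small user-space model of the policy each mode describes, written as an added example for this page; it is not NetManager's own code (the real firewall is kernel-level). The mode names, the choice of TCP/25 as the "send email" exception, and a proxy listening on the NetManager on TCP/3128 are assumptions for illustration, and the sample packets are constructed.

```python
"""Policy model for the three NetManager firewall modes (added example).

Assumptions (not from the original page):
  - the "send email" exception means inbound TCP/25 to the NetManager
  - the proxy users are forced onto listens on the NetManager at TCP/3128
  - only port 80 is blocked outbound in inward+outward mode, as the page describes
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical mode identifiers; the page names the modes only in prose.
NO_FILTERING = "none"
FILTER_INWARD = "inward"
FILTER_BOTH = "inward_and_outward"


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination TCP port


@dataclass
class Firewall:
    mode: str
    netmanager_ip: str
    trusted: tuple                       # Trusted network ranges, e.g. ("10.0.0.0/24",)
    inbound_services: frozenset = frozenset({25})   # assumption: SMTP only
    blocked_outbound: frozenset = frozenset({80})   # direct HTTP to the outside
    proxy_port: int = 3128                          # assumption

    def is_trusted(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in ip_network(n) for n in self.trusted)

    def decide(self, pkt: Packet) -> str:
        """Return ACCEPT or DROP for a packet under the configured mode."""
        if self.mode == NO_FILTERING:
            return "ACCEPT"                 # mode 1: nothing is filtered

        to_netmanager = pkt.dst == self.netmanager_ip
        if not self.is_trusted(pkt.src):
            # External source: only the published services on the NetManager
            # itself are reachable; nothing reaches the internal network.
            if to_netmanager and pkt.dport in self.inbound_services:
                return "ACCEPT"
            return "DROP"

        if self.mode == FILTER_INWARD:
            return "ACCEPT"                 # mode 2: trusted hosts go out unfiltered

        # Mode 3: trusted hosts may still talk to the NetManager (e.g. the proxy),
        # but direct HTTP to the outside is dropped so the proxy cannot be bypassed.
        if to_netmanager:
            return "ACCEPT"
        if pkt.dport in self.blocked_outbound:
            return "DROP"
        return "ACCEPT"


def compare_modes(pkt: Packet) -> dict:
    """Show how one constructed packet is treated under each of the three modes."""
    return {
        mode: Firewall(mode, "10.0.0.1", ("10.0.0.0/24",)).decide(pkt)
        for mode in (NO_FILTERING, FILTER_INWARD, FILTER_BOTH)
    }


if __name__ == "__main__":
    # Constructed sample: an internal client trying to fetch HTTP directly.
    direct_http = Packet("10.0.0.5", "203.0.113.9", 80)
    print("direct HTTP from trusted host:", compare_modes(direct_http))
    # Constructed sample: an external host probing SSH on the NetManager.
    probe = Packet("203.0.113.9", "10.0.0.1", 22)
    print("external SSH probe:", compare_modes(probe))
```

Running it shows that the external SSH probe is dropped in both filtering modes, while the direct HTTP request from a trusted host passes in "filter inward" mode and is dropped only once outward filtering is enabled, which is exactly the proxy-bypass case the text describes.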
Connecting the NetManager
There are a number of ways to connect the NetManager and the rest of your network to the Internet. This will affect how much filtering you are able to do.
- NetManager, router and all computers are connected together and use the same IP address range. In this situation, the NetManager is effectively just another client and so is unable to do any filtering, i.e. all clients will have unfiltered access. The NetManager firewall will still let you control access to the NetManager services.
- Bridged network. This is an extension of the situation above. Two or more network cards in the NetManager are bridged and so it behaves like a network switch. The NetManager still has only a single IP address. The router is connected directly into the NetManager. All traffic passing through the NetManager can be controlled using the firewall. This is a great method of delivering security without having to re-configure any machines.
- Router connected directly to NetManager. Internal network(s) connected to other NetManager network card(s). All networks have different IP address ranges. This is a classic NATed connection. If NAT is enabled, internal computers will be able to contact the outside world. This access can be filtered. There will be no access from the outside to the Internal network unless Port Mapping is used.