Difference between revisions of "ASL firewall"
m (→FW_TOR) |
m (→FW_DYN_WHITELIST) |
||
(51 intermediate revisions by 2 users not shown) | |||
Line 40: | Line 40: | ||
This behaviour can be disabled through the rule manager. | This behaviour can be disabled through the rule manager. | ||
+ | |||
+ | == Firewall Log messages == | ||
+ | |||
+ | Please see the [[Firewall Logs]] article. | ||
== Console firewall messages == | == Console firewall messages == | ||
− | Note that if you get undesired logging of firewall rule matches to your console, this is not an [[ASL]] problem. ASL will not configure your system to do this. If this is happening on your system, this is generally caused by | + | Note that if you get undesired logging of firewall rule matches to your console, this is not an [[ASL]] problem. ASL will not and can not configure your system to do this. If this is happening on your system, this is generally caused by a nonstandard syslogd or rsyslog configuration. |
− | No known Linux distribution will configure itself to do this by default, so if your system is doing this its either because a third party product has configured your system to do this, or a third party has altered the configuration of your system to do this. | + | No known Linux distribution will configure itself to do this by default, so if your system is doing this its either because a third party product has configured your system to do this, or a third party, such as your hosting company or sysadmin, has altered the configuration of your system to do this. The following operating system command, run as root, will disable console messages until your next reboot: |
− | Please contact the third party that has made this modification to your system for assistance. | + | ''dmesg -n 1'' |
+ | |||
+ | This will not prevent this from occuring the next time you reboot your system. Please contact the third party that has made this modification to your system for assistance, or contact sales and we can schedule some time with our professional services team to help you. | ||
= Fast/Easy Mode = | = Fast/Easy Mode = | ||
− | To access the Fast | + | To access the Fast and Easy firewall configuration mode: |
+ | |||
+ | 1) Log into the ASL web console | ||
+ | |||
+ | This is on your server on port 30000. | ||
+ | |||
+ | 2) Click on Settings Tab in the ASL GUI | ||
+ | |||
+ | 3) then select the "ASL Configuration" menu option. | ||
+ | |||
+ | 4) From there scroll down to the Firewall option on the left and click on that. Below are the settings you can configure and what they do: | ||
== Inbound/Outbound ports == | == Inbound/Outbound ports == | ||
+ | |||
+ | ASL makes it easy to implement a fast global policy of network ports that your system will allow users to connect to, and ports that you will allow your users to connect to other servers, from your server. | ||
=== FW_INBOUND_TCP_SERVICES === | === FW_INBOUND_TCP_SERVICES === | ||
− | List of allowed inbound TCP services, comma delimited. Just provide a list of the ports you want to allow in. Anything not on the list will be denied by default. | + | List of user configured allowed inbound TCP services, comma delimited. Just provide a list of the ports you want to allow in. Anything not on the list will be denied by default. |
+ | |||
+ | '''Default: ASL does not block any ports by default. By default all ports are open, ports are only closed if the user defines them via this setting.''' | ||
Example: 22,21,25,53,80,443,465,110,143,993,995,587,8443,30000 | Example: 22,21,25,53,80,443,465,110,143,993,995,587,8443,30000 | ||
− | Setting this to "no" will remove all blocks, and will allow all TCP ports to be accessed. Setting this to "" (blank) will block all inbound access to TCP ports. | + | Additional options: |
+ | |||
+ | * no - Setting this to "no" will remove all blocks, and will allow all TCP ports to be accessed. Setting this to "" (blank) will block all inbound access to TCP ports. | ||
+ | |||
+ | * (blank) - removing everything from this field and leaving it blank will all inbound access to TCP ports. | ||
Ranges are supported with the : delimiter. Example of allowing range 1024-1030 | Ranges are supported with the : delimiter. Example of allowing range 1024-1030 | ||
22,21,25,53,80,443,465,110,143,993,995,587,8443,30000,'''1024:1030''' | 22,21,25,53,80,443,465,110,143,993,995,587,8443,30000,'''1024:1030''' | ||
+ | |||
+ | If you use a control panel, some vendors provide a list of recommended ports you should have open for your control panel. The following links are to those vendors websites. Any questions about these recommended ports should be directed to the respective vendor. | ||
+ | |||
+ | [https://cpanel.net/getting_the_most_out_of_your_systems_firewall/ Cpanel Ports] | ||
+ | |||
+ | [http://www.webmin.com/firewall.html Webmin Ports] | ||
+ | |||
+ | [http://kb.parallels.com/en/391 Parallels Plesk Ports] | ||
+ | |||
+ | [http://help.directadmin.com/item.php?id=71 DirectAdmin Ports] | ||
+ | |||
+ | If you want to restrict access to a port for specific IPs, please see this article: | ||
+ | |||
+ | https://www.atomicorp.com/wiki/index.php/ASL_firewall#Per_Port_ACLs | ||
=== FW_INBOUND_UDP_SERVICES === | === FW_INBOUND_UDP_SERVICES === | ||
+ | Please note: This is for the Fast/Easy Mode method. You can find directions on accessing Fast/Easy Mode here: https://www.atomicorp.com/wiki-admin//index.php/ASL_firewall#Fast.2FEasy_Mode | ||
− | List of allowed inbound UDP services, comma delimited. Just provide a list of the ports you want to allow in. Anything not on the list will be denied by default. | + | List of user defined allowed inbound UDP services, comma delimited. Just provide a list of the ports you want to allow in. Anything not on the list will be denied by default. |
+ | |||
+ | '''Default: ASL does not block any ports by default. By default all ports are open, ports are only closed if the user defines them via this setting.''' | ||
Example: 53,123 | Example: 53,123 | ||
Setting this to "no" will remove all blocks, and will allow all UDP ports to be accessed. Setting this to "" (blank) will block all inbound access to UDP ports. | Setting this to "no" will remove all blocks, and will allow all UDP ports to be accessed. Setting this to "" (blank) will block all inbound access to UDP ports. | ||
+ | |||
+ | If you use a control panel, some vendors provide a list of recommended ports you should have open for your control panel. The following links are to those vendors websites. Any questions about these recommended ports should be directed to the respective vendor. | ||
+ | |||
+ | [https://cpanel.net/getting_the_most_out_of_your_systems_firewall/ Cpanel Ports] | ||
+ | |||
+ | [http://www.webmin.com/firewall.html Webmin Ports] | ||
+ | |||
+ | [http://kb.parallels.com/en/391 Parallels Plesk Ports] | ||
+ | |||
+ | [http://help.directadmin.com/item.php?id=71 DirectAdmin Ports] | ||
=== FW_OUTPUT_TCP_SERVICES === | === FW_OUTPUT_TCP_SERVICES === | ||
− | List of allowed '''outbound''' TCP connections, in a comma delimited format. Everything else is blocked, and logged along with the uid for the process that attempted to connect outbound and was denied. | + | List of user defined allowed '''outbound''' TCP connections, in a comma delimited format. Everything else is blocked, and logged along with the uid for the process that attempted to connect outbound and was denied. |
+ | |||
+ | '''Default: ASL does not block any ports by default. By default all ports are open, ports are only closed if the user defines them via this setting.''' | ||
To configure, just provide a list of the ports you want to allow out. Anything not on the list will be denied by default. | To configure, just provide a list of the ports you want to allow out. Anything not on the list will be denied by default. | ||
Line 91: | Line 144: | ||
=== FW_OUTPUT_UDP_SERVICES === | === FW_OUTPUT_UDP_SERVICES === | ||
− | List of allowed outbound UDP connections, in a comma delimited format. Just provide a list of the ports you want to allow out. Anything not on the list will be denied by default. You do not need to add any rules for services that are listening. For example, if you allow port 53 in, you do not need to allow port 53 out. ASL uses a stateful firewall and will allow listening services to communicate out. This list is for client initiated requests outbound from the server. However, if you had a service that needed to open connections outbound on its own, for example a DNS server would open connections on its own to look up domain names, you would need to allow port 53 out. You do not need to allow port 53 out to allow connections to the dns service running on the server, only if the DNS server needed to make its own independent connections outbound. | + | List of user defined allowed outbound UDP connections, in a comma delimited format. |
+ | |||
+ | '''Default: ASL does not block any ports by default. By default all ports are open, ports are only closed if the user defines them via this setting.''' | ||
+ | |||
+ | Just provide a list of the ports you want to allow out. Anything not on the list will be denied by default. You do not need to add any rules for services that are listening. For example, if you allow port 53 in, you do not need to allow port 53 out. ASL uses a stateful firewall and will allow listening services to communicate out. This list is for client initiated requests outbound from the server. However, if you had a service that needed to open connections outbound on its own, for example a DNS server would open connections on its own to look up domain names, you would need to allow port 53 out. You do not need to allow port 53 out to allow connections to the dns service running on the server, only if the DNS server needed to make its own independent connections outbound. | ||
Example: 53,123 | Example: 53,123 | ||
Line 116: | Line 173: | ||
http://help.directadmin.com/item.php?id=71 | http://help.directadmin.com/item.php?id=71 | ||
+ | |||
+ | ==== Webmin ==== | ||
+ | |||
+ | http://www.webmin.com/firewall.html | ||
== Engine settings == | == Engine settings == | ||
The Fast/Easy Mode also allows you to configure the core functionality of the netfilter engine. The following is a list of options you can set and what they do. | The Fast/Easy Mode also allows you to configure the core functionality of the netfilter engine. The following is a list of options you can set and what they do. | ||
+ | |||
+ | == FW_ENABLE == | ||
+ | |||
+ | This enables the [[ASL]] advanced network firewall. | ||
+ | |||
+ | Default: yes | ||
+ | |||
+ | == FW_ENABLE_IPSET == | ||
+ | |||
+ | This enables the ipset capability in the firewall. | ||
+ | |||
+ | Default: yes | ||
+ | |||
+ | Note: Your Linux kernel must support ipset to use this option. The [[ASL]] secure kernel supports this. If you are using a third party kernel, contact your kernel vendor for assistance if you wish to use ipset. | ||
+ | |||
+ | == FW_ENABLE_IPV6== | ||
+ | |||
+ | This enables IPv6 support on the system. | ||
+ | |||
+ | Default:no | ||
+ | |||
+ | ==FW_IPV6_FORWARD== | ||
+ | |||
+ | This enables IPv6 forwarding on the system. | ||
+ | |||
+ | Default:no | ||
+ | |||
+ | == FW_IPS== | ||
+ | |||
+ | This enables the [[ASL]] [[network based Intrusion Detection System]]. This protects network services that either do not support application firewalls, or where additional protection may be required due to limitations in application firewalls. | ||
+ | |||
+ | Default: no | ||
+ | |||
+ | Note: This requires a kernel that supports IPS extensions in the Linux NetFilter system. The [[ASL]] secure kernel supports this capability. If you are using a third party kernel, contact your kernel vendor for assistance. | ||
+ | |||
+ | == FW_IPS_LOG== | ||
+ | |||
+ | This enables logging of [[ASL]] network based Intrusion Detection System events. | ||
+ | |||
+ | Default :yes | ||
+ | |||
=== FW_WHITELIST === | === FW_WHITELIST === | ||
Line 126: | Line 228: | ||
Note: Whitelisted hosts are already automatically not shunned by ASL. There is no need to activate this to prevent shunning of whitelisted hosts. Enabling this option simply disables the firewall for whitelisted systems. | Note: Whitelisted hosts are already automatically not shunned by ASL. There is no need to activate this to prevent shunning of whitelisted hosts. Enabling this option simply disables the firewall for whitelisted systems. | ||
+ | |||
+ | Please see the [[whitelist]] article for instructions about how to add hosts to the whitelist. | ||
Default:[no] | Default:[no] | ||
Line 138: | Line 242: | ||
Note: This option is available in ASL 4.x and up. | Note: This option is available in ASL 4.x and up. | ||
+ | |||
+ | === FW_DYN_WHITELIST === | ||
+ | |||
+ | This allows you to apply the global whitelist to the firewall using a list of '''hostnames'''. This means any hostname on the global whitelist will be able to connect to any port, at any rate and as many times as the host wants. The list of hosts is defined in this file: | ||
+ | |||
+ | /etc/asl/dyn-whitelist | ||
+ | |||
+ | The format is one hostname per line, for example: | ||
+ | |||
+ | <pre> | ||
+ | home.dyndns.org | ||
+ | work.dyndns.org | ||
+ | </pre> | ||
+ | |||
+ | The list of hostnames is resolved every 5 minutes to support dynamic IP addresses using a dynamic DNS service. | ||
+ | |||
+ | Default:[no] | ||
+ | |||
+ | Note: This option is available in ASL 4.0.12 and up. | ||
+ | |||
+ | === FW_DYN_WHITELIST_LOG === | ||
+ | |||
+ | This logs if connections or packets are accepted if they are on the FW_DYN_WHITELIST chain. | ||
+ | |||
+ | Default:[yes] | ||
+ | |||
+ | Note: This option will be available in ASL 4.0.12 and up. | ||
=== FW_RATE_LIMIT === | === FW_RATE_LIMIT === | ||
Line 161: | Line 292: | ||
=== FW_OUTPUT_MTA === | === FW_OUTPUT_MTA === | ||
− | Outbound MTA policy, enabling this rule class will only allow outbound tcp/25 connections for users in the access list /etc/asl/firewall/mta-output-acl. This allows you to restrict outbound SMTP connections to specific users, such as the Mail Servers (MTA) user, which would require your users to use your local mail server for outbound connections. This allows you to filter all outbound email for spam, and prevents your users from setting up spam bots to send email out directly. | + | Outbound MTA policy, enabling this rule class will only allow outbound tcp/25, tcp/465 and tcp/587 connections for users in the access list /etc/asl/firewall/mta-output-acl. This allows you to restrict outbound SMTP connections to specific users, such as the Mail Servers (MTA) user, which would require your users to use your local mail server for outbound connections. This allows you to filter all outbound email for spam, and prevents your users from setting up spam bots to send email out directly. |
Simply put a list of the user names you wish to allow outbound SMTP connections from in the /etc/asl/firewall/mta-output-acl file. The format is one username per line. | Simply put a list of the user names you wish to allow outbound SMTP connections from in the /etc/asl/firewall/mta-output-acl file. The format is one username per line. | ||
Line 183: | Line 314: | ||
Please check with your mail server vendor to confirm the username that the mail server will use to send mail. | Please check with your mail server vendor to confirm the username that the mail server will use to send mail. | ||
+ | |||
+ | The format for the /etc/asl/firewall/mta-output-acl file is one username per line, for example: | ||
+ | |||
+ | <pre> | ||
+ | root | ||
+ | postfix | ||
+ | </pre> | ||
+ | |||
+ | After adding users to the /etc/asl/firewall/mta-output-acl file, run this command as root: | ||
+ | |||
+ | service asl-firewall restart | ||
+ | |||
+ | [[ASL]] will also log any attempts to bypass your configuration, as explained in these articles: | ||
+ | |||
+ | https://www.atomicorp.com/wiki/index.php?title=Firewall_Logs#ASL_SMTP_OUT | ||
+ | |||
+ | https://www.atomicorp.com/wiki/index.php?title=Using_ASL#ASL_SMTP_OUT | ||
=== FW_PLESK_UPDATES === | === FW_PLESK_UPDATES === | ||
Line 258: | Line 406: | ||
=== FW_LASSO === | === FW_LASSO === | ||
− | Enable/Disable the Spamhaus Lasso blacklist. Enabling this option will block all hosts on the Spamhaus Lasso blacklist. | + | Enable/Disable the [http://www.spamhaus.org/ Spamhaus] Lasso blacklist. Enabling this option will block all hosts on the Spamhaus Lasso blacklist. |
Default: No | Default: No | ||
Line 274: | Line 422: | ||
=== FW_ELASSO === | === FW_ELASSO === | ||
− | Enable/Disable the Spamhaus ELasso blacklist, an extension of the LASSO list, this includes subnet blocks allegedly controlled by cyber criminals (according to Spamhaus). | + | Enable/Disable the [http://www.spamhaus.org/ Spamhaus] ELasso blacklist, an extension of the LASSO list, this includes subnet blocks allegedly controlled by cyber criminals (according to Spamhaus). |
Default:[no] | Default:[no] | ||
Line 290: | Line 438: | ||
===FW_CIARMY=== | ===FW_CIARMY=== | ||
− | Enable/Disable the C.I. Army blacklist. The Collective Intelligence blacklist is a community blacklist of known malicious actors. It is updated weekly. | + | Enable/Disable the [http://www.cinsscore.com/#list C.I. Army blacklist]. The Collective Intelligence blacklist is a community blacklist of known malicious actors. It is updated weekly. |
Default:[no] | Default:[no] | ||
Line 304: | Line 452: | ||
===FW_EMERGING_THREATS=== | ===FW_EMERGING_THREATS=== | ||
− | Enable/Disable the Emerging Threats blacklist. | + | Enable/Disable the [http://www.emergingthreats.net/open-source/etopen-ruleset/ Emerging Threats] blacklist. |
Default:[no] | Default:[no] | ||
Line 320: | Line 468: | ||
===FW_OPENBL=== | ===FW_OPENBL=== | ||
− | Enable/Disable the OpenBL blacklist. OpenBL tracks multiple service abuse, including ssh, ftp, smtp, and http. | + | Enable/Disable the [http://www.openbl.org/ OpenBL blacklist]. OpenBL tracks multiple service abuse, including ssh, ftp, smtp, and http. |
Default:[no] | Default:[no] | ||
Line 334: | Line 482: | ||
===FW_AUTOSHUN=== | ===FW_AUTOSHUN=== | ||
− | Enable/Disable the autoshun.org blacklist. AutoShun is a community sourced blacklist from the Snort IDS. | + | Enable/Disable the [http://www.autoshun.org/ autoshun.org] blacklist. AutoShun is a community sourced blacklist from the Snort IDS. |
Default:[no] | Default:[no] | ||
Line 366: | Line 514: | ||
=== FW_DSHIELD === | === FW_DSHIELD === | ||
− | Enable/Disable the DShield blacklist. Enabling this option will block all hosts on the DShield blacklist. | + | Enable/Disable the [http://www.dshield.org/ DShield blacklist]. Enabling this option will block all hosts on the DShield blacklist. |
Default: No | Default: No | ||
Line 547: | Line 695: | ||
This will detect and drop packets that have an invalid MSS. | This will detect and drop packets that have an invalid MSS. | ||
− | Default: | + | Default: yes |
=== FW_MSS_DROP_LOG === | === FW_MSS_DROP_LOG === | ||
Line 605: | Line 753: | ||
If FW_IGNORE_BROADCASTS is set to yes, ASL will silently drop most broadcast packets. ASL will drop the following broadcast packets: | If FW_IGNORE_BROADCASTS is set to yes, ASL will silently drop most broadcast packets. ASL will drop the following broadcast packets: | ||
− | TCP and UDP: 255.255.255.255 | + | *TCP and UDP: 255.255.255.255 |
− | Multicast: 224.0.0.0/24 | + | *Multicast: 224.0.0.0/24 |
+ | *Broadcasts to the subnets broadcast address (ASL kernel only) | ||
− | ASL | + | Note: If you are using the ASL kernel, the ASL kernel can also intelligently detect and drop broadcast packets to the subnets broadcast address. Other kernels will not do this, so you may still see some broadcasts if you are not using the ASL kernel. Please contact the vendors for those kernels for support with detecting broadcasts. |
Default: no | Default: no | ||
Line 811: | Line 960: | ||
port - 1-65535 | port - 1-65535 | ||
+ | |||
+ | any - RESERVED (dont change this) | ||
'''Step 3)''' list IP's, one per line in the file you create in #2 above. | '''Step 3)''' list IP's, one per line in the file you create in #2 above. | ||
Line 958: | Line 1,109: | ||
Your new rule is now implemented. | Your new rule is now implemented. | ||
+ | |||
+ | === How to forward a port from the server to another system === | ||
+ | |||
+ | This procedure will allow you to create a ruleset to forward a port to a remote system. Forwarding a port on Linux requeires that you creare two types of rules, PREROUTING and FORWARD rules. | ||
+ | |||
+ | First create the PREROUTING rules | ||
+ | |||
+ | ==== PREROUTING RULES ==== | ||
+ | |||
+ | Step 1: Log into the ASL GUI | ||
+ | |||
+ | Step 2: Click the Firewall Tab | ||
+ | |||
+ | Step 3: Select the Firewall Rules menu option. | ||
+ | |||
+ | On the left hand side you will see a window that is titled "Tables & Chains" | ||
+ | |||
+ | Step 4: Click on "PREROUTING" under "net" | ||
+ | |||
+ | Step 5: A new button will appear titled "Add". Click this button. | ||
+ | |||
+ | Step 6: (Optional) add in a comment for your custom rule for your records to help you identify this rule | ||
+ | |||
+ | Step 7: For action select "Insert" | ||
+ | |||
+ | Step 6: For protocol select the appropriate protocl for your service (e.g. TCP for HTTP) leave the first drop down blank. | ||
+ | |||
+ | Step 7: Select the local port you want to form (e.g. 21 for FTP) | ||
+ | |||
+ | Step 8: (Optional) Select the local IP you want to forward. If you do not select an IP, any connection to your local port on any IP will be forwarded to the remote system/port. | ||
+ | |||
+ | Step 8: In the "Jump target" dropdown select "DNAT". A new window will appear, "To destination". | ||
+ | |||
+ | Step 9: Set the destination IP. | ||
+ | |||
+ | Step 10: Then press the Add Rule button. | ||
+ | |||
+ | Move onto FORWARD RULES below. | ||
+ | |||
+ | ==== FORWARD RULES ==== | ||
+ | |||
+ | Step 1: Log into the ASL GUI | ||
+ | |||
+ | Step 2: Click the Firewall Tab | ||
+ | |||
+ | Step 3: Select the Firewall Rules menu option. | ||
+ | |||
+ | On the left hand side you will see a window that is titled "Tables & Chains" | ||
+ | |||
+ | Step 4: Click on "FORWARD" under "filter" | ||
+ | |||
+ | Step 5: A new button will appear titled "Add". Click this button. | ||
+ | |||
+ | Step 6: (Optional) add in a comment for your custom rule for your records to help you identify this rule | ||
+ | |||
+ | Step 7: For action select "Insert" | ||
+ | |||
+ | Step 6: For protocol select the appropriate protocl for your service (e.g. TCP for HTTP) leave the first drop down blank. | ||
+ | |||
+ | Step 7: Select the local port you want to form (e.g. 21 for FTP) | ||
+ | |||
+ | Step 8: (Optional) Select the local IP you want to forward. If you do not select an IP, this any connection to your local port on any IP will be forwarded to the remote system/port. | ||
+ | |||
+ | Step 9: Set the "Jump Target" to "ACCEPT". | ||
+ | |||
+ | Step 10: Then press the Add Rule button. | ||
+ | |||
+ | Step 11: Add the port you want to forward to your allowed ports list via this option. For example if you are forwarding port 21, add port 21 to this option: | ||
+ | |||
+ | Use this setting for TCP ports: | ||
+ | |||
+ | https://wiki.atomicorp.com/wiki/index.php/ASL_firewall#FW_INBOUND_TCP_SERVICES | ||
+ | |||
+ | Use this setting for UDP ports: | ||
+ | |||
+ | https://wiki.atomicorp.com/wiki/index.php/ASL_firewall#FW_INBOUND_UDP_SERVICES | ||
+ | |||
+ | Your new rule is now implemented. | ||
+ | |||
+ | ==== Notes on FTP ==== | ||
+ | |||
+ | See this article: | ||
+ | |||
+ | https://wiki.atomicorp.com/wiki/index.php/ASL_Troubleshooting#FTP_not_working | ||
=== How to allow connections to a port === | === How to allow connections to a port === | ||
Line 1,067: | Line 1,302: | ||
= Frequently Asked Questions = | = Frequently Asked Questions = | ||
+ | |||
+ | == How can I change the ASL-Firewall-INPUT rules? == | ||
+ | |||
+ | These are generated based on your configuration of these settings: | ||
+ | |||
+ | https://www.atomicorp.com/wiki/index.php/ASL_firewall#Fast.2FEasy_Mode | ||
+ | |||
+ | == How can I change the ASL-Firewall-OUTPUT rules? == | ||
+ | |||
+ | These are generated based on your configuration of these settings: | ||
+ | |||
+ | https://www.atomicorp.com/wiki/index.php/ASL_firewall#Fast.2FEasy_Mode | ||
== Can I use a range of ports? == | == Can I use a range of ports? == | ||
Line 1,089: | Line 1,336: | ||
For example, if you allow traffic in on port 22 via an INPUT rule, you do not need to create an OUTPUT rule for port 22 if you have checked the stateful box (which is checked by default) when creating your rule. | For example, if you allow traffic in on port 22 via an INPUT rule, you do not need to create an OUTPUT rule for port 22 if you have checked the stateful box (which is checked by default) when creating your rule. | ||
+ | |||
+ | == How can the firewall be reset to its defaults? == | ||
+ | |||
+ | You can reset your firewall rules to the defaults by running these commands as the root user (not via sudo): | ||
+ | |||
+ | cp /etc/asl/firewall/running.fw /root | ||
+ | |||
+ | rm /etc/asl/firewall/running.fw | ||
+ | |||
+ | service asl-firewall restart | ||
+ | |||
+ | NOTE: You can restore your custom firewall rules, only if you used the commands above to clear your firewall rules by running these commands as the root user: | ||
+ | |||
+ | cp /root/running.fw /etc/asl/firewall/running.fw | ||
+ | |||
+ | service asl-firewall restart | ||
= Logs = | = Logs = | ||
Please see the [[Firewall Logs]] article. | Please see the [[Firewall Logs]] article. |
Latest revision as of 08:50, 9 September 2019
[edit] Introduction
ASL has two different ways you can configure the firewall on your system:
1) Fast/Easy Mode
This configuration system should be the one most new users are familiar with. This system lets you quickly define a list of ports to allow or deny in a list. For most uses the Fast/Easy mode is what you will want to use.
2) Advanced Firewall Rule Manager
This is a full featured netfilter GUI. This will allow you to define arbitrary chains, actions, modules and other advanced iptables features. This is recommended for advanced users.
[edit] How the firewall works
The ASL stateful packet inspection firewall works much like other firewalls. It inserts rules into the Linux kernel which govern how the kernel will handle network traffic. All firewalls work in a "first match wins" manner. That means rules are checked in order, and the first rule to apply "wins". For example, if you have two firewall rules in this order:
- Allow traffic on port 80
- Block all traffic
Lets say you have a connection comes in on port 80. The firewall will run through the rules in the order you configure. In the example above, the first rule says to allow traffic on port 80. This connection is to port 80, so the rule will match and the traffic will be allowed and processing will stop. Theres nothing else for the firewall to do, its allowed the traffic so its done.
However, lets say in the example above if a packet comes in on port 23. The firewall will run through the rules again and this time rule 1 will not match. This is a request to access port 23, not port 80. So processing will continue. Moving on to rule 2, this rule says to block all traffic. So, this rule will match, because all traffic means all traffic, including this request to port 23. Therefore this rule will match, the firewall will block the request, and processing will stop because theres nothing else to do, the connection was blocked.
Heres another important example. Lets say your firewall rules were in this order. This is a very common mistake made by those new to firewalls:
- Block all traffic
- Allow traffic on port 80
In this case, if a connection comes in on port 80 it will be blocked. Even though rule #2 says to allow it, it will be blocked. Lets review why.
This is because rule 1 says to block all traffic. When the request comes in, the firewall looks at its rule. Rule #1 says to block all traffic, so it blocks all traffic. And as the traffic has been blocked, theres nothing else to do. This is an important mistake, because even though there is a later rule that says to allow traffic on port 80, rule #2 will never match anything, because rule 1 matched first, blocked the traffic and processing stopped. Rules process in order, the first match always wins.
This is why firewall rules are called rules. They arent configuration options, they are strict rules and order always matter. If a request matches a rule, that rule applies as long as no other rule before it applies. Remember, rules are processed in order, 1, 2, 3, 4, etc. When a match occurs, action happens and if that action is to block or allow something, it doesnt matter what any later rules may be, the currently matching rule always "wins".
This is normal behaviour for all firewalls. All firewalls behave this way. Rules are processed in order. Therefore, the order of rules is the most important thing to how a firewall will behave. Make sure you understand the order of your rules to ensure that they are performing as you expect. Most firewall rule problems are due to order.
[edit] Stateful packet inspection
When used, the ASL firewall keeps track of the state of network connections. The ASL firewall is designed to distinguish legitimate packets for different types of connections, and to only allow packets matching a known active connection.
This behaviour can be disabled through the rule manager.
[edit] Firewall Log messages
Please see the Firewall Logs article.
[edit] Console firewall messages
Note that if you get undesired logging of firewall rule matches to your console, this is not an ASL problem. ASL will not and can not configure your system to do this. If this is happening on your system, this is generally caused by a nonstandard syslogd or rsyslog configuration.
No known Linux distribution will configure itself to do this by default, so if your system is doing this its either because a third party product has configured your system to do this, or a third party, such as your hosting company or sysadmin, has altered the configuration of your system to do this. The following operating system command, run as root, will disable console messages until your next reboot:
dmesg -n 1
This will not prevent this from occuring the next time you reboot your system. Please contact the third party that has made this modification to your system for assistance, or contact sales and we can schedule some time with our professional services team to help you.
[edit] Fast/Easy Mode
To access the Fast and Easy firewall configuration mode:
1) Log into the ASL web console
This is on your server on port 30000.
2) Click on Settings Tab in the ASL GUI
3) then select the "ASL Configuration" menu option.
4) From there scroll down to the Firewall option on the left and click on that. Below are the settings you can configure and what they do:
[edit] Inbound/Outbound ports
ASL makes it easy to implement a fast global policy of network ports that your system will allow users to connect to, and ports that you will allow your users to connect to other servers, from your server.
[edit] FW_INBOUND_TCP_SERVICES
List of user configured allowed inbound TCP services, comma delimited. Just provide a list of the ports you want to allow in. Anything not on the list will be denied by default.
Default: ASL does not block any ports by default. By default all ports are open, ports are only closed if the user defines them via this setting.
Example: 22,21,25,53,80,443,465,110,143,993,995,587,8443,30000
Additional options:
- no - Setting this to "no" will remove all blocks, and will allow all TCP ports to be accessed. Setting this to "" (blank) will block all inbound access to TCP ports.
- (blank) - removing everything from this field and leaving it blank will all inbound access to TCP ports.
Ranges are supported with the : delimiter. Example of allowing range 1024-1030
22,21,25,53,80,443,465,110,143,993,995,587,8443,30000,1024:1030
If you use a control panel, some vendors provide a list of recommended ports you should have open for your control panel. The following links are to those vendors websites. Any questions about these recommended ports should be directed to the respective vendor.
If you want to restrict access to a port for specific IPs, please see this article:
https://www.atomicorp.com/wiki/index.php/ASL_firewall#Per_Port_ACLs
[edit] FW_INBOUND_UDP_SERVICES
Please note: This is for the Fast/Easy Mode method. You can find directions on accessing Fast/Easy Mode here: https://www.atomicorp.com/wiki-admin//index.php/ASL_firewall#Fast.2FEasy_Mode
List of user defined allowed inbound UDP services, comma delimited. Just provide a list of the ports you want to allow in. Anything not on the list will be denied by default.
Default: ASL does not block any ports by default. By default all ports are open, ports are only closed if the user defines them via this setting.
Example: 53,123
Setting this to "no" will remove all blocks, and will allow all UDP ports to be accessed. Setting this to "" (blank) will block all inbound access to UDP ports.
If you use a control panel, some vendors provide a list of recommended ports you should have open for your control panel. The following links are to those vendors websites. Any questions about these recommended ports should be directed to the respective vendor.
[edit] FW_OUTPUT_TCP_SERVICES
List of user defined allowed outbound TCP connections, in a comma delimited format. Everything else is blocked, and logged along with the uid for the process that attempted to connect outbound and was denied.
Default: ASL does not block any ports by default. By default all ports are open, ports are only closed if the user defines them via this setting.
To configure, just provide a list of the ports you want to allow out. Anything not on the list will be denied by default.
You do not need to add any rules for services that are listening. For example, if you allow port 80 in, you do not need to allow port 80 out. ASL uses a stateful firewall and will allow listening services to communicate out. This list is for client initiated requests outbound from the server. For example, if a user wanted to ssh from the server to another server, you would need to allow port 22 out. You do not need to allow port 22 out to allow connections to the ssh service running on the server.
Example: 25,80,443,465,123,53
Remember to allow out other services your system uses such as DNS (port 53). If you do not allow out DNS queries, your system will not be able to resolve any domain names, and things like yum updates, ASL updates, and outbound email will fail.
Setting this to "no" will remove all blocks, and will allow all outbound TCP ports to be accessed. Setting this to "" (blank) will block all outbound access to TCP ports.
[edit] FW_OUTPUT_UDP_SERVICES
List of user defined allowed outbound UDP connections, in a comma delimited format.
Default: ASL does not block any ports by default. By default all ports are open, ports are only closed if the user defines them via this setting.
Just provide a list of the ports you want to allow out. Anything not on the list will be denied by default. You do not need to add any rules for services that are listening. For example, if you allow port 53 in, you do not need to allow port 53 out. ASL uses a stateful firewall and will allow listening services to communicate out. This list is for client initiated requests outbound from the server. However, if you had a service that needed to open connections outbound on its own, for example a DNS server would open connections on its own to look up domain names, you would need to allow port 53 out. You do not need to allow port 53 out to allow connections to the dns service running on the server, only if the DNS server needed to make its own independent connections outbound.
Example: 53,123
Also, remember to allow out other services your system uses such as DNS (port 53). If you do not allow out DNS queries, your system will not be able to resolve any domain names, and things like yum updates, ASL updates, and outbound email will fail.
Setting this to "no" will remove all blocks, and will allow all outbound UDP ports to be accessed. Setting this to "" (blank) will block all outbound access to UDP ports.
[edit] Recommended ports
At a minimum, to use ASL you will need to ensure that port 30000/tcp is open inbound to your system.
The sections below provide a list of URLs to vendors that have documented additional ports they require to be open for their respective products to work correctly. If you have questions about what ports to open for these products, please contact the vendors for those products.
[edit] Cpanel
http://cpanel.net/getting_the_most_out_of_your_systems_firewall/
[edit] Parallels Plesk
http://kb.parallels.com/en/391
[edit] Directadmin
http://help.directadmin.com/item.php?id=71
[edit] Webmin
http://www.webmin.com/firewall.html
[edit] Engine settings
The Fast/Easy Mode also allows you to configure the core functionality of the netfilter engine. The following is a list of options you can set and what they do.
[edit] FW_ENABLE
This enables the ASL advanced network firewall.
Default: yes
[edit] FW_ENABLE_IPSET
This enables the ipset capability in the firewall.
Default: yes
Note: Your Linux kernel must support ipset to use this option. The ASL secure kernel supports this. If you are using a third party kernel, contact your kernel vendor for assistance if you wish to use ipset.
[edit] FW_ENABLE_IPV6
This enables IPv6 support on the system.
Default:no
[edit] FW_IPV6_FORWARD
This enables IPv6 forwarding on the system.
Default:no
[edit] FW_IPS
This enables the ASL network based Intrusion Detection System. This protects network services that either do not support application firewalls, or where additional protection may be required due to limitations in application firewalls.
Default: no
Note: This requires a kernel that supports IPS extensions in the Linux NetFilter system. The ASL secure kernel supports this capability. If you are using a third party kernel, contact your kernel vendor for assistance.
[edit] FW_IPS_LOG
This enables logging of ASL network based Intrusion Detection System events.
Default :yes
[edit] FW_WHITELIST
This allows you to apply the global whitelist to the firewall. This means any host on the global whitelist will be able to connect to any port, at any rate and as many times as the host wants.
Note: Whitelisted hosts are already automatically not shunned by ASL. There is no need to activate this to prevent shunning of whitelisted hosts. Enabling this option simply disables the firewall for whitelisted systems.
Please see the whitelist article for instructions about how to add hosts to the whitelist.
Default:[no]
Note: This option is available in ASL 4.x and up.
[edit] FW_WHITELIST_LOG
This logs if connections or packets are accepted if they are on the whitelist.
Default:[yes]
Note: This option is available in ASL 4.x and up.
[edit] FW_DYN_WHITELIST
This allows you to apply the global whitelist to the firewall using a list of hostnames. This means any hostname on the global whitelist will be able to connect to any port, at any rate and as many times as the host wants. The list of hosts is defined in this file:
/etc/asl/dyn-whitelist
The format is one hostname per line, for example:
home.dyndns.org work.dyndns.org
The list of hostnames is resolved every 5 minutes to support dynamic IP addresses using a dynamic DNS service.
Default:[no]
Note: This option is available in ASL 4.0.12 and up.
[edit] FW_DYN_WHITELIST_LOG
This logs if connections or packets are accepted if they are on the FW_DYN_WHITELIST chain.
Default:[yes]
Note: This option will be available in ASL 4.0.12 and up.
[edit] FW_RATE_LIMIT
This allows you to limit the rate of connections to TCP and UDP ports, as well as the maximum number of connections a single IP can have to a port. This is configured in the /etc/asl/firewall/rate-limit-tcp file for TCP, and /etc/asl/firewall/rate-limit-udp for UDP.
Default:[no]
Notice: Please see the documentation on the Ratelimit page to configure this for your system.
Note: This option is available in ASL 4.x and up.
[edit] FW_RATE_LIMIT_LOG
This logs if connections or packets are dropped by the Rate Limit engine.
Default:[yes]
Notice: Please see the documentation on the Ratelimit page to configure this for your system.
Note: This option is available in ASL 4.x and up.
[edit] FW_OUTPUT_MTA
Outbound MTA policy, enabling this rule class will only allow outbound tcp/25, tcp/465 and tcp/587 connections for users in the access list /etc/asl/firewall/mta-output-acl. This allows you to restrict outbound SMTP connections to specific users, such as the Mail Servers (MTA) user, which would require your users to use your local mail server for outbound connections. This allows you to filter all outbound email for spam, and prevents your users from setting up spam bots to send email out directly.
Simply put a list of the user names you wish to allow outbound SMTP connections from in the /etc/asl/firewall/mta-output-acl file. The format is one username per line.
In general, you will only want to use the username of the MTA, not your actually users. For example, if qmail-send ran as the user "qmail", you would add that. If postfix ran as the user "postfix", add that. If you had a user "jdoe" that sent mail through your mail server, you would not add jdoe to the /etc/asl/firewall/mta-output-acl file.
So the most important step is to determine what user(s) your mail server uses to send mail. The table below contains a list of the users typically used by the most popular mail servers. Please confirm that this is correct for your mail server configuration, as some vendors change these names:
Mail Server | Typical Usernames |
---|---|
Postfix | postfix |
QMail | qmailr |
Exim | mailnull |
Sendmail | smmsp |
Please check with your mail server vendor to confirm the username that the mail server will use to send mail.
The format for the /etc/asl/firewall/mta-output-acl file is one username per line, for example:
root postfix
After adding users to the /etc/asl/firewall/mta-output-acl file, run this command as root:
service asl-firewall restart
ASL will also log any attempts to bypass your configuration, as explained in these articles:
https://www.atomicorp.com/wiki/index.php?title=Firewall_Logs#ASL_SMTP_OUT
https://www.atomicorp.com/wiki/index.php?title=Using_ASL#ASL_SMTP_OUT
[edit] FW_PLESK_UPDATES
Enable/Disable Plesk keyserver update firewall policy.
Default:[no]
[edit] FW_SPAMASSASSIN_UPDATES
Enable/Disable Spamassassin update firewall policy for support packages DCC, Razor, and Pyzor.
Default:[no]
[edit] FW_PORTKNOCK
Note: This option is available in ASL 4.x and up, and only with the ASL kernel. These options are not available in non-ASL kernels.
Enable/Disable the portknocking protection engine.
Default:[no]
[edit] FW_PORTKNOCK_SIMPLE
Enable/Disable the use of simple portknocking protection.
Default:[no]
Warning: Please read the portknocking documentation on this feature in full before using it. This will require the use of a special client or telnet sequence to open the port.
Note: This option is available in ASL 4.x and up.
[edit] FW_PORTKNOCK_SIMPLE_LOG_KNOCK
Enable/Disable logging of the knock packet.
Default:[yes]
Note: This option is available in ASL 4.x and up.
[edit] FW_PORTKNOCK_SIMPLE_LOG_ALLOWED
Enable/Disable logging of the allowed knock connection.
Default:[yes]
Note: This option is available in ASL 4.x and up.
[edit] FW_PORTKNOCK_ADVANCED
Enable/Disable the use of advanced Simple Packet Authentication (SPA) portknocking protection. This uses One Time Passwords, which limits the knock to one per minute (because of the epoch_min).
Default:[no]
Warning: Please read the portknocking documentation on this feature in full before using it. This will require the use of a special client or telnet sequence to open the port.
Note: This option is available in ASL 4.x and up.
[edit] FW_PORTKNOCK_ADVANCED_LOG_KNOCK
Enable/Disable logging of the knock packet.
Default:[yes]
Note: This option is available in ASL 4.x and up.
[edit] FW_PORTKNOCK_ADVANCED_LOG_ALLOWED
Enable/Disable logging of the allowed knock connection.
Default:[yes]
Note: This option is available in ASL 4.x and up.
[edit] FW_LASSO
Enable/Disable the Spamhaus Lasso blacklist. Enabling this option will block all hosts on the Spamhaus Lasso blacklist.
Default: No
Note: This is a third party list not operated by Atomicorp.
[edit] FW_LASSO_LOG
Enable/Disable the logging of any blocks from the Spamhaus Lasso blacklist.
Note: This requires that FW_LASSO be enabled to actually block any IPs on the Spamhaus Lasso blacklist.
Default: Yes
[edit] FW_ELASSO
Enable/Disable the Spamhaus ELasso blacklist, an extension of the LASSO list, this includes subnet blocks allegedly controlled by cyber criminals (according to Spamhaus).
Default:[no]
Note: This is a third party list not operated by Atomicorp.
[edit] FW_ELASSO_LOG
Enable/Disable the logging of Spamhaus Lasso Blacklist IPs that are blocked.
Default:[yes]
Note: This requires that FW_ELASSO be enabled to actually block any IPs on the Spamhaus Lasso blacklist.
[edit] FW_CIARMY
Enable/Disable the C.I. Army blacklist. The Collective Intelligence blacklist is a community blacklist of known malicious actors. It is updated weekly.
Default:[no]
Note: This is a third party list not operated by Atomicorp.
[edit] FW_CIARMY_LOG
Enable/Disable the logging of C.I. Army Blacklist IPs that are blocked. Default:[yes]
Note: This requires that FW_CIARMY be enabled to actually block any IPs on the Spamhaus Lasso blacklist.
[edit] FW_EMERGING_THREATS
Enable/Disable the Emerging Threats blacklist.
Default:[no]
Note: This is a third party list not operated by Atomicorp.
[edit] FW_EMERGING_THREATS_LOG
Enable/Disable logging of Emerging Threats RBN IPs that are blocked.
Note: This requires that FW_EMERGING_THREATS be enabled to actually block any IPs on the Spamhaus Lasso blacklist.
Default:[yes]
[edit] FW_OPENBL
Enable/Disable the OpenBL blacklist. OpenBL tracks multiple service abuse, including ssh, ftp, smtp, and http.
Default:[no]
Note: This is a third party list not operated by Atomicorp.
[edit] FW_OPENBL_LOG
Enable/Disable logging of IP's blocked by the OpenBL blacklist. Default:[yes]
Note: This requires that FW_OPENBL be enabled to actually block any IPs on the Spamhaus Lasso blacklist.
[edit] FW_AUTOSHUN
Enable/Disable the autoshun.org blacklist. AutoShun is a community sourced blacklist from the Snort IDS.
Default:[no]
Note: This is a third party list not operated by Atomicorp.
[edit] FW_AUTOSHUN_LOG
Enable/Disable logging of IP's blocked by the AutoShun blacklist.
Default:[yes]
Note: This requires that FW_AUTOSHUN be enabled to actually block any IPs on the Spamhaus Lasso blacklist.
[edit] FW_OPENPROXIES
Enable/Disable the Open Proxy blacklist.
Default:[no]
Note: This is a third party list not operated by Atomicorp.
[edit] FW_OPENPROXIES_LOG
Enable/Disable logging of IP's blocked by the Open Proxy blacklist.
Default:[yes]
Note: This requires that FW_OPENPROXIES be enabled to actually block any IPs on the Spamhaus Lasso blacklist.
[edit] FW_DSHIELD
Enable/Disable the DShield blacklist. Enabling this option will block all hosts on the DShield blacklist.
Default: No
Note: This is a third party list not operated by Atomicorp.
[edit] FW_DSHIELD_LOG
Enable/Disable the logging of any blocks from the DShield blacklist.
Note: This requires that FW_DSHIELD be enabled to actually block any IPs on the DShield blacklist.
Default: Yes
[edit] FW_TOR
Enable/Disable the TOR exit node list. Enabling this option will block all current TOR exit nodes.
Default: No
Note: This is a third party list not operated by Atomicorp.
[edit] FW_TOR_LOG
Enable/Disable the logging of any blocks from FW_TOR, which blocks any IPs on the TOR exit node list.
Note: This requires that FW_TOR be enabled to actually block any IPs.
Default: Yes
[edit] FW_PORTSCAN
This will detect portscans against the system and will drop these packets. This will confuse the port scanner, and will cause it to not be able to identify open and closed ports on the system.
Default: yes
ASL 3 currently blocks these types of port scans:
- SYN/FIN
- SYN,RST
- XMAS
- NULL
- FIN/URG/PSH
- FIN/RST/PSH
- ACK/PSH/URG RST scans
- All flag scans
If you have ASL configured to only allow connections to specific ports, via the Fast Mode, then ASL will also disrupt portscans on closed ports.
Note: ASL 4 blocks the following additional types of port scans:
- Syn scans
- Additional stealth scans
- "Connect" scans
- "Grab" scans
These are enabled via the additional firewall options below.
[edit] FW_LOWLEVEL_PORTSCAN
These are available in ASL 4.x and up, and only with the ASL kernel. These options are not available in non-ASL kernels.
Enable/Disable detection of low level portscans.
Default:[no]
Note: This uses a different method from the other portscan detectors offered in ASL. You can use them all together, or separately. This method will detect the portscan after it has been carried out, but this information can be useful to block the remote host's future connections. This method will match on the probable last packet the remote side sent to the system.
[edit] FW_DROP_SYNSCAN
Enable/Disable detection of syn scans.
Default:[no]
Warning: Some clients with buggy IP stacks (e.g. Windows XP) may generate traffic thats is identical to a SYN scan and therefore cause false alarms with this type of scan detection, use with caution.
Note: This option is available in ASL 4.x and up.
[edit] FW_DROP_STEALTH_SCAN
Enable/Disable detection of stealthy port scans.
Default:[no]
Note: This option is available in ASL 4.x and up.
[edit] FW_DROP_CONNECT_SCAN
Enable/Disable detection of connect() port scans. This will detect, and block IPs that have made a full connect() to the system, but then tore down the connection after completion of the 3-way handshake. Most network applications already log these types of connections, so this type of port scan detection is generally not necessary at the kernel level.
Default:[no]
Note: This option is available in ASL 4.x and up.
Warning: Some network testing tools use connect() scans (connecting to the port, and then tearing down the connection without sending any data) to test if services are up. Enabling this may cause those tools to fail or to be blocked.
[edit] FW_DROP_GRAB_SCAN
Enable/Disable detection of grab scans. This detects when a client connects to port, gets a response and drops the connect. For example, banner grabbing scans.
This will trigger if data in the connection only was sent in one direction, where a connection was terminated after a locally running daemon sent its identification. (E.g. openssh, smtp, ftpd.)
Default:[no]
Warning: This may falsely trigger on warranted single-direction data flows, usually bulk data transfers such as FTP DATA connections or IRC DCC. ASL requires that you define a set of ports for this rule in the file /etc/asl/firewall/grscan-ports (This link includes an initial set of ports that you will need to test for your system). If you get false positives, that means the port you configured operates this way normally (sometimes the connection is just one way from the server to the client)
You must restart the firewall, if you change this list of ports, for any changes to take effect. Run this command as root:
service asl-firewall restart
Note: This option is available in ASL 4.x and up.
[edit] FW_ADVANCED_PORTSCAN
These are available in ASL 4.x and up, and only with the ASL kernel. These options are not available in non-ASL kernels.
Enable/Disable the advanced port scan detector.
Default:[no]
[edit] PSD_W_THRSH
Advanced Portscan detection weight threshold.
Default: 21
Warning: This is an advanced setting, do not change this setting unless you know what you are doing.
Note: This option is available in ASL 4.x and up, and only with the ASL kernel. These options are not available in non-ASL kernels.
[edit] PSD_DELAY
Portscan detection delay threshold
Default: 300
Warning: This is an advanced setting, do not change this setting unless you know what you are doing.
Note: This option is available in ASL 4.x and up, and only with the ASL kernel. These options are not available in non-ASL kernels.
[edit] PSD_LO
Privileged ports weight (1-1023).
Default: 3
Warning: This is an advanced setting, do not change this setting unless you know what you are doing.
Note: This option is available in ASL 4.x and up, and only with the ASL kernel. These options are not available in non-ASL kernels.
[edit] PSD_HI
High ports weight (1024-65535).
Default: 1
Warning: This is an advanced setting, do not change this setting unless you know what you are doing.
Note: This option is available in ASL 4.x and up, and only with the ASL kernel. These options are not available in non-ASL kernels.
[edit] FW_LOG_AR_DROP
Enable/Disable the logging of IPs that are blocked by the ASL active response system.
Default:[yes]
Note: This option is available in ASL 4.0 and up.
[edit] FW_BAD_PACKETS
This will detect and drop packets that use bad or invalid options.
Default: yes
[edit] FW_MSS_DROP
Note: This option is available in ASL 4.x and up.
This will detect and drop packets that have an invalid MSS.
Default: yes
[edit] FW_MSS_DROP_LOG
Note: This option is available in ASL 4.x and up.
This will log if packets are dropped by the FW_MSS_DROP option.
Default: yes
[edit] FW_SMALL_PACKETS
This will detect packets that are too small to be valid. Each protocol has a minimum size, and this will detect if a packet is too small to be valid.
Default: yes
[edit] FW_FRAGMENTS
This will detect fragmented packets. ASL uses a stateful firewall and will automatically handle fragmented packets. This detects if someone is maliciously attempting to bypass the state engine. It is recommend you always have this enabled.
Default: yes
[edit] FW_DROP_INVALID
This will detect, and drop invalid packets. Invalid packets include "orphan" packets that do not belong to a stateful connection, as well as all packets with invalid TCP flags, headers or checksums, out of sequence packets which can be caused by sequence prediction or other similar attacks, drop invalid ICMP messages generated by other types of network attacks (Example: recieving a port unreachable ICMP message from a host that the system is not expecting any traffic from).
This setting is important to both stop attacks, and also to prevent false positive shuns under rule 4151. If your systems users connections generate a lot of orphaned packets, you will need to enable this so they are not treated as possible attacks. Some operating systems have poorly implemented network stacks, or bugs that will generate lots of packets that are not part of an established connection and this setting will prevent them from being treated as attacks. These poorly implemented stacks are not caused by ASL, this setting exists to compensate for these buggy and poorly designed network stacks and to prevent false positives with them.
Default: yes
Note: Do not change the default setting to "no" unless you know what you are doing. This may result in valid connections being shunned. Some poorly configured kernels may not support this capability. All major vendors kernels do this support this capability (Redhat, Centos, ASL), but some vendors have poorly configured their network stack and firewalling capabilities. If you are stuck with one of these inferior kernels, you will need to disable HIDS_4151. We recommend you instead use a more robust kernel, such as the ASL kernel.
[edit] FW_DROP_INVALID_LOG
If FW_DROP_INVALID is set to yes, and this option is set to yes, ASL will log all invalid packets it drops.
Default: no
Please see the link below for information about log messages you may see this enabled:
https://www.atomicorp.com/wiki/index.php/ASL_FAQ#kernel:_ASL_INVALID_INPUT
[edit] FW_LOG_BLACKLIST_DROP
If FW_LOG_BLACKLIST_DROP is set to yes ASL will log all blacklist IP packets it drops.
Default: yes
[edit] FW_LOG_GEOBLOCK_DROP
Setting this option to yes ASL will log all Geoblocked IP packets ASL drops.
Default: yes
[edit] FW_IGNORE_BROADCASTS
If FW_IGNORE_BROADCASTS is set to yes, ASL will silently drop most broadcast packets. ASL will drop the following broadcast packets:
- TCP and UDP: 255.255.255.255
- Multicast: 224.0.0.0/24
- Broadcasts to the subnets broadcast address (ASL kernel only)
Note: If you are using the ASL kernel, the ASL kernel can also intelligently detect and drop broadcast packets to the subnets broadcast address. Other kernels will not do this, so you may still see some broadcasts if you are not using the ASL kernel. Please contact the vendors for those kernels for support with detecting broadcasts.
Default: no
[edit] FW_ACCEPT_REDIRECTS
This option controls how the system will respond to redirects. The default setting of "no" is recommended and is also the default setting in Linux. You should not enable this setting unless you know what you are doing. Enabling this can make it possible for an attacker to bypass your firewall rules.
Default: No
[edit] FW_ACCEPT_SOURCE_ROUTE
This option controls how the system will respond to a Source Route packet. It is highly recommend you not enable this, and leave the default setting of "no". Source Routed packets can bypass all your firewall rules, are not necessary for proper network functioning and are a relic of IPv4 that should never be used for secure networking.
[edit] FW_ICMP_IGNORE_ALL
This option controls how the system will respond to any ICMP broadcast request, such as a ping. It is recommended you not enable this option if you want your system to respond to pings and other ICMP queries.
[edit] FW_ICMP_IGNORE_BROADCASTS
This option controls how the system will respond to bogus ICMP broadcast request (so called smurf attacks). It is recommended you enable this option.
[edit] FW_IGNORE_ICMP_BOGUS
This option controls how the system will respond to bogus ICMP requests. It is recommended you enable this option.
[edit] FW_IPV4_FORWARD
This option enables and disable IPv4 forwarding. If your system is not forwarding traffic to another host, then it is highly recommended you disable forwarding. The default is to disable forwarding.
[edit] FW_IPV6_FORWARD
This option enables and disable IPv6 forwarding. If your system is not forwarding traffic to another host, then it is highly recommended you disable forwarding. The default is to disable forwarding.
[edit] FW_PROXY_ARP
Enable/Disable proxy arp. It is recommend you not enable this, and leave the default setting of "no". Unless your system is acting as a layer two bridge, you will not need to proxy ARP packets. Enabling this if you are not bridging may result in unexpected networking side effects.
[edit] FW_RP_FILTER
Enable/Disable rp_filter. This option controls the Reverse Path Filtering capability in netfilter. This controls whether a response packet is allowed to go out an interface that the request did not originate from. For example, if a system has two interfaces eth0 and eth1, and a packet comes in on eth0. If the system responded, and tried to send the request out eth1 if RP_FILTER was enabled this would be denied. This is to help prevent specific types of routing attacks as well as to restrict egress packets from the system. On systems with complex routing tables, and virtual interfaces this may cause problems as packets will not always exit the same interface they came in on. Therefore, the default is not to enable this. If you do enable this, you should test to make sure your systems configuration will work correctly with this type of restriction.
[edit] FW_SYN_COOKIES
Enable/Disable SYN cookies. This option controls the use of SYN cookies. This is a Denial of Service protection feature of netfilter, and we recommend you enable this option.
[edit] FW_TCP_ECN
Enable/Disable Excplicit Congestion Notification (ECN). This will allow you to enable/disable ECN.
There are three options:
Yes: Enable ECN
No: Disable ECN
Requested: Only use ECN if the client requests it. (Available in ASL 3.0.26)
For most systems, you should set this to Yes or Requested. We recommend you not disable this unless you know how this will effect your system.
[edit] FW_TCP_TIMESTAMPS
Enable/Disable TCP timestamps. This will allow you to enable TCP timestamps which may help with the network performance and quality of some protocols.
For most systems, you should set this to Yes. We recommend you not disable this unless you know how this will effect your system.
[edit] FW_TCP_WINDOW_SCALING
Enable/Disable TCP Window Scaling. This will allow you to enable TCP Window scaling which may help with the network performance and quality of some protocols.
For most systems, you should set this to Yes. We recommend you not disable this unless you know how this will effect your system.
[edit] Advanced Firewall Rule Manager
The Advanced Rule Manager is designed to let you directly control the netfilter engine in Linux through an advanced GUI system. If you are not familiar with how advanced Linux firewalling works please use the Fast/Easy Mode for simple firewall changes.
[edit] Access the firewall rule manager
Step 1: Log into the ASL GUI
Step 2: Click on the Firewall Tab.
Step 3: Click on the firewall rules menu item.
This will open the firewall rules window.
[edit] Rule Types
Linux supports three types of firewall rules:
[edit] NAT
Network Address Translation Rules: These rules are used to change the source and/or destination of packets.
[edit] Mangle
This types of rules are used to modify or "mangle" packets before they are processed
[edit] Filter
These types of rules are used to filter or "block" packets. These are the most common rules and are probably the type of rule you want if you want to allow or block traffic to specific port.
[edit] Filter subtypes
[edit] INPUT
These are rules for traffic going to the server itself. These are the most common subtype, and are what you want if you are looking to allow traffic to a port, or to block traffic to a port.
[edit] OUTPUT
These are rules for traffic coming from the server itself. If you have created input rules that are stateful (checking the "stateful" checkbox), then you do not need to create OUTPUT rules for that traffic. The state engine will automatically handle outbound traffic from the server, and will automatically allow this traffic when needed.
These are also different from FORWARD rules. If you are forwarding traffic through your server to a different server, you do not need to create OUTPUT rules for that traffic. OUTPUT rules are only for traffic coming from the server itself. For example, if the server wants to initiate a connection to a mail server on a different server. That would require an OUTPUT rules. If the server was responding to traffic initiated from a different server, and there were stateful INPUT rules to allow that different server to talk to your server on that port, you would not need OUTPUT rules for that traffic.
[edit] FORWARD
This subtype is for all all other traffic that is not INPUT or OUTPUT. Specifically, this would be traffic that is passing through the server if the server were acting as a classic firewall for another system. FORWARD rules have nothing to do with the server itself.
[edit] Jump Targets
In Linux these tell the rule to jump to an action. This is a way of telling Linux what to do, such as to allow, deny or do something else if the rule is triggered.
[edit] ACCEPT
Accept the traffic. This will allow the traffic.
[edit] DROP
Silently drop the packet. The client will get no response from the server.
[edit] REJECT
Reject the packet. The client will get a reject at the TCP or UDP layer from the server.
[edit] Rule options
[edit] Using the firewall manager
[edit] Do not modify any ASL chains
Do not modify any chains with "ASL" in the name. For example, do not modify the "ASL-Firewall-INPUT" chain. This, and all other ASL-* chains are dynamically modified by ASL on the fly, and changes to these chains may have unpredictable effects and will not be saved by ASL. Your changes will likely be lost, at best, and at worst may cause your system to be unreachable.
If you want to make changes to your firewall, you may modify other chains, or add your own in whatever order you wish.
[edit] Adding a firewall rule
Step 1: Select the type of rule you want to add from the list above
Step 2: Select the subtype of the rule you want to add from the list above
Step 3: From the firewall rule manager, select the subtype. For example, to add a filter -> INPUT rule select "INPUT" under the filter tree branch.
this will pull up any INPUT rules you have on the system. To add a new rule select "Add Rule".
Step 4: Select the subtype by selecting it under "Chain". For example, if you want to add an INPUT rule select Table "filter", this should autoselect "INPUT". If it does not just select INPUT as the "Chain".
Step 5: Select the command, Append or Insert. In the Linux firewall, Append means to add the rule after all other rules. Linux firewalling is linear, that means it processes the rules in order "first come first served". Appending places it last. Insert places the rule first. With insert you can also set the rule number in case you prefer that the rule run second, third, etc. Be very careful with Insert as you can end up setting you rules up in the opposite order of what you want (for example, putting your drop rules before your allow rules).
Step 6: Select the protocol by clicking on the "n/a" drop down. The drop down before this allows you to add a "negative", for example if you want to add a rule to say "not tcp". If you want this rule to be for TCP, just select tcp in the drop down, and leave the first drop down as "-".
Step 7: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.
Step 8: Type in the destination for this rule. If you are creating a rule for the server itself, for example to allow connections to a specific port, just leave this blank.
Step 9: Type in the source port. If you are a creating a rule to allow connections to the server from another server, leave this blank.
Step 10: Type in the Destination port. For example, if you want to allow connections to port 22, type in 22.
Step 11: Set the interface. If you want to set this rule for all interfaces, leave the default of "n/a".
Step 12: Set the "Jump Target". In the link this is sort of like the "action". You will see a number of options described above, such as ACCEPT, REJECT. Please see above for more information about these. In general, if you want to allow a connection, select "ACCEPT".
Step 13: Select Add Rule.
Your new rule is now implemented.
[edit] Per Port ACLs
These allow you to configure specific IP addresses and networks to be allowed access to specific ports, in a simple manner. For example you could create an access list for SSH that would only allow 3 IPs to connect. Or an access list for SMTP that only allows certain networks to connect, or any combination of these.
Access Control Lists (ACLs) are stored in this directory:
/etc/asl/firewall
To create a new access control system for a port:
Step 1) create a file in /etc/asl/firewall directory using the format in #2 below
Step 2) Naming convention for file is: INPUT-<name>-<protocol>-<port>-any-acl
example: INPUT-sshd-tcp-22-any-acl
Fields in filename you can change:
INPUT - this defines the chain it goes into, INPUT is the only supported chain right now. In the future we will add support for other chains.
name - an arbitrary alpha numeric name (a-z 0-9), this must be unique as this will be used to name the chain and you cant have duplicate chain names. Example: smtp1
protocol - any supported iptables protocol on the system that takes a port as an argument. Examples: tcp, udp
port - 1-65535
any - RESERVED (dont change this)
Step 3) list IP's, one per line in the file you create in #2 above.
1.2.3.4 5.6.7.8
Step 4) If you have defined it, remove the port number for the service from FW_INBOUND_SERVICES. If you allow a port in FW_INBOUND_SERVICES, that will override the ACL and make the allow global (anyone can connect to the port). If you want to use an ACL for a port, do NOT list the port in FW_INBOUND_TCP_SERVICES or FW_INBOUND_UDP_SERVICES.
Step 5) reload the firewall policy with:
/etc/init.d/asl-firewall restart
[edit] Examples
[edit] Using the Fast/Easy mode
[edit] How to block all incoming TCP connections except to certain ports
Step 1: Log into the ASL GUI
Step 2: Click the Configuration Tab
Step 3: Select the ASL Configuration menu option.
Step 4: Scroll down to Firewall configuration
Step 5: Enter the list of TCP ports you want to allow into the FW_INBOUND_TCP_SERVICES list.
Example:
21,22,25,80,110,143,443,993,995,8443,30000
Step 6: Click Update
Your new rule is now implemented.
[edit] Using the Advanced Firewall Manager
[edit] How to block all incoming connections to a TCP port
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
Step 4: Click the "Add Rule" button.
Step 5: For table, select filter.
Step 6: For Chain select "INPUT"
Step 7: For command select "Insert"
Step 6: For protocol select tcp in the drop down, and leave the first drop down as "-".
Step 7: Type in the source IP/Network for this rule. If you want to block all sources, just leave this blank.
Step 8: In the Destination port window type in the port number you wish to block. For example, if you want to block connections to port 22, type in 22. Leave the first drop down as "-".
Step 9: Set the "Jump Target" to "DROP" or "REJECT". DROP will silently block the attempt so the client is not sure why it was blocked, REJECT will send ICMP destination denied packets to the client applications network stack telling the stack that the connection was dropped at the network level.
Step 10: Then press the Add Rule button.
Your new rule is now implemented.
[edit] How to restrict all incoming connections to a TCP port except from a specific IP or network
This procedure will allow you to create a ruleset to restrict access to a port, except from specific IPs/networks.
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
Step 4: Click the "Add Rule" button.
Step 5: For table, select filter.
Step 6: For Chain select "INPUT"
Step 7: For command select "Insert"
Step 6: For protocol select tcp in the drop down, and leave the first drop down as "-".
Step 7: In the "Source:" field, type in the source IP/Network that you wish to allow access to this port.
Step 8: In the Destination port window type in the port number you wish to restrict access. For example, if you want to restrict connections to port 22, type in 22. Leave the first drop down as "-".
Step 9: Set the "Jump Target" to "ACCEPT", this will allow this IP and/or network to connect to this point.
Step 10: Then press the Add Rule button.
Step 11: Continue adding ACCEPT rules for all the IPs and/or networks you want to allow by repeating Steps 1-10.
Step 12: If you are done adding IPs and/or networks to allow, now you will add in your rule to block all other IPs/Networks. Click the "Add Rule" button.
Step 13: For table, select filter.
Step 14: For Chain select "INPUT"
Step 15: For command select "Append"
Step 16: For protocol select tcp in the drop down, and leave the first drop down as "-".
Step 17: Type in the source IP/Network for this rule. If you want to block all sources, just leave this blank.
Step 18: In the Destination port window type in the port number you wish to block. For example, if you want to block connections to port 22, type in 22. Leave the first drop down as "-".
Step 19: Set the "Jump Target" to "DROP" or "REJECT". DROP will silently block the attempt so the client is not sure why it was blocked, REJECT will send ICMP destination denied packets to the client applications network stack telling the stack that the connection was dropped at the network level.
Step 20: Then press the Add Rule button.
Your new ruleset to restrict access to a port, except from certain IPs/Networks is now implemented.
Your new rule is now implemented.
[edit] How to allow access to all ports from a single IP or network
This procedure will allow you to create a ruleset to restrict access to a port, except from specific IPs/networks.
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
Step 4: Click the "Add Rule" button.
Step 5: For table, select filter.
Step 6: For Chain select "INPUT"
Step 7: For command select "Insert"
Step 6: For protocol select all in the drop down, and leave the first drop down as "-".
Step 7: In the "Source:" field, type in the source IP/Network that you wish to allow access to all ports on the server.
Step 8: Set the "Jump Target" to "ACCEPT", this will allow this IP and/or network to connect to this point.
Step 9: Then press the Add Rule button.
Step 10: Continue adding ACCEPT rules for all the IPs and/or networks you want to allow by repeating Steps 1-9.
Your new rule is now implemented.
[edit] How to forward a port from the server to another system
This procedure will allow you to create a ruleset to forward a port to a remote system. Forwarding a port on Linux requeires that you creare two types of rules, PREROUTING and FORWARD rules.
First create the PREROUTING rules
[edit] PREROUTING RULES
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
On the left hand side you will see a window that is titled "Tables & Chains"
Step 4: Click on "PREROUTING" under "net"
Step 5: A new button will appear titled "Add". Click this button.
Step 6: (Optional) add in a comment for your custom rule for your records to help you identify this rule
Step 7: For action select "Insert"
Step 6: For protocol select the appropriate protocl for your service (e.g. TCP for HTTP) leave the first drop down blank.
Step 7: Select the local port you want to form (e.g. 21 for FTP)
Step 8: (Optional) Select the local IP you want to forward. If you do not select an IP, any connection to your local port on any IP will be forwarded to the remote system/port.
Step 8: In the "Jump target" dropdown select "DNAT". A new window will appear, "To destination".
Step 9: Set the destination IP.
Step 10: Then press the Add Rule button.
Move onto FORWARD RULES below.
[edit] FORWARD RULES
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
On the left hand side you will see a window that is titled "Tables & Chains"
Step 4: Click on "FORWARD" under "filter"
Step 5: A new button will appear titled "Add". Click this button.
Step 6: (Optional) add in a comment for your custom rule for your records to help you identify this rule
Step 7: For action select "Insert"
Step 6: For protocol select the appropriate protocl for your service (e.g. TCP for HTTP) leave the first drop down blank.
Step 7: Select the local port you want to form (e.g. 21 for FTP)
Step 8: (Optional) Select the local IP you want to forward. If you do not select an IP, this any connection to your local port on any IP will be forwarded to the remote system/port.
Step 9: Set the "Jump Target" to "ACCEPT".
Step 10: Then press the Add Rule button.
Step 11: Add the port you want to forward to your allowed ports list via this option. For example if you are forwarding port 21, add port 21 to this option:
Use this setting for TCP ports:
https://wiki.atomicorp.com/wiki/index.php/ASL_firewall#FW_INBOUND_TCP_SERVICES
Use this setting for UDP ports:
https://wiki.atomicorp.com/wiki/index.php/ASL_firewall#FW_INBOUND_UDP_SERVICES
Your new rule is now implemented.
[edit] Notes on FTP
See this article:
https://wiki.atomicorp.com/wiki/index.php/ASL_Troubleshooting#FTP_not_working
[edit] How to allow connections to a port
[edit] Fast Mode Method
To add TCP ports to the allowed inbound list, please see the FW_INBOUND_TCP_SERVICES option.
To add UDP ports to the allowed inbound list, please see the FW_INBOUND_UDP_SERVICES option.
[edit] Advanced Firewall Management Method
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
Step 4: Click the "Add Rule" button.
Step 5: For table, select filter.
Step 6: For Chain select "INPUT"
Step 7: For command select "Insert"
Step 6: Select the protocol. For example, for TCP select tcp in the drop down, and leave the first drop down as "-".
Step 7: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.
Step 8: In the Destination port window type in the port number you wish to allow. For example, if you want to allow connections to port 22, type in 22. Leave the first drop down as "-".
Step 9: Set the "Jump Target" to "ACCEPT".
[edit] How to allow outbound connections to a port
[edit] Fast Mode Method
To add TCP ports to the allowed outbound list, please see the FW_OUTPUT_TCP_SERVICES option.
To add UDP ports to the allowed outbound list, please see the FW_OUTPUT_UDP_SERVICES option.
[edit] Advanced Firewall Management Method
Note: This is only necessary if you have setup either ASL or your firewall rules to only allow connections outbound to certain ports. By default ASL does not block any outbound ports.
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
Step 4: Click the "Add Rule" button.
Step 5: For table, select filter.
Step 6: For Chain select "OUTPUT"
Step 7: For command select "Insert"
Step 6: For protocol select tcp in the drop down, and leave the first drop down as "-".
Step 7: Type in the destination IP/Network for this rule. If you want to allow outbound connections on the port to any network or destination, just leave this blank.
Step 8: In the Destination port window type in the port number you wish to allow. For example, if you want to allow connections outbound port 25, type in 25. Leave the first drop down as "-".
Step 9: Set the "Jump Target" to "ACCEPT".
Step 10: Then press the Add Rule button.
Your new rule is now implemented.
[edit] Using the Advanced Firewall Manager and Fast/Easy Mode together
[edit] Restrict access to a specific port, except from specific IPs/networks
This procedure will allow you to create a ruleset to restrict access to a port, except from specific IPs/networks when you have blocked the port via Fast/Easy mode.
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
Step 4: Click the "Add Rule" button.
Step 5: For table, select filter.
Step 6: For Chain select "INPUT"
Step 7: For command select "Insert"
Step 6: For protocol select tcp in the drop down, and leave the first drop down as "-".
Step 7: In the "Source:" field, type in the source IP/Network that you wish to allow access to this port.
Step 8: In the Destination port window type in the port number you wish to restrict access. For example, if you want to restrict connections to port 22, type in 22. Leave the first drop down as "-".
Step 9: Set the "Jump Target" to "ACCEPT", this will allow this IP and/or network to connect to this point.
Step 10: Then press the Add Rule button.
Step 11: Continue adding ACCEPT rules for all the IPs and/or networks you want to allow by repeating Steps 1-10.
Step 12: If you are done adding IPs and/or networks to allow, and you used Fast/Easy mode to block the port, then your new ruleset to restrict access to a port, except from certain IPs/Networks is now implemented.
Your new rule is now implemented.
[edit] Frequently Asked Questions
[edit] How can I change the ASL-Firewall-INPUT rules?
These are generated based on your configuration of these settings:
https://www.atomicorp.com/wiki/index.php/ASL_firewall#Fast.2FEasy_Mode
[edit] How can I change the ASL-Firewall-OUTPUT rules?
These are generated based on your configuration of these settings:
https://www.atomicorp.com/wiki/index.php/ASL_firewall#Fast.2FEasy_Mode
[edit] Can I use a range of ports?
Yes, ranges are delimited with the colon, ":" symbol. The format for ranges is x:y, where x is the beginning of the range and y is the end. For example:
1024:65535
Would create a range of 1024 to 65535.
[edit] Will changes survive a reboot?
Yes, if you configure your firewall through the ASL web console your changes are saved by ASL.
[edit] Will my ASL firewall configuration survive an upgrade of ASL?
Check the release notes for the upgrade. If the notes do not mention an issue with retaining your firewall configuration between upgrades, then the configuration will survive an upgrade.
[edit] If I create an INPUT rule do I need to create an OUTPUT rule?
No, as long as you make the INPUT rule stateful (which is the default). You'll see a checkbox that says stateful, leave it checked and ASL will automatically manage whatever outbound packets that need to be let out. OUTPUT rules are not necessary with a stateful INPUT rule.
For example, if you allow traffic in on port 22 via an INPUT rule, you do not need to create an OUTPUT rule for port 22 if you have checked the stateful box (which is checked by default) when creating your rule.
[edit] How can the firewall be reset to its defaults?
You can reset your firewall rules to the defaults by running these commands as the root user (not via sudo):
cp /etc/asl/firewall/running.fw /root
rm /etc/asl/firewall/running.fw
service asl-firewall restart
NOTE: You can restore your custom firewall rules, only if you used the commands above to clear your firewall rules by running these commands as the root user:
cp /root/running.fw /etc/asl/firewall/running.fw
service asl-firewall restart
[edit] Logs
Please see the Firewall Logs article.