This section provides an introduction and overview of the Firewall Rules screenlocated at Firewall > Rules. This page lists the WAN ruleset to start with,which by default has no entries other than those for Block private networksand Block bogon networks if those options are active on the WAN interface,as shown in Figure Default WAN Rules.
Tip
Click 
the to the right of the Block private networks or Blockbogon networks rules to reach the WAN interface configuration page wherethese options can be enabled or disabled. SeeBlock Private Networks andBlock Bogon Networks for more details.
Click the LAN tab to view the LAN rules. By default, the only entries arethe Default allow LAN to any rules for IPv4 and IPv6 as seen in FigureDefault LAN Rules, and the Anti-Lockout Rule if it is active.The anti-lockout rule is designed to prevent administrators from accidentallylocking themselves out of firewall management services. Click next tothe anti-lockout rule to reach the page where this rule can be disabled.
See also
For more information on how the Anti-Lockout Rule works and how to disablethe rule, see Anti-lockout Rule andAnti-lockout.
To display rules for other interfaces, click their respective tabs. OPTinterfaces will appear with their descriptive names, so if the OPT1 interfacewas renamed DMZ, then the tab for its rules will also say DMZ.
To the left of each rule is a set of an indicator icons, including:
The action of the rule: pass (
), block (), or reject().Logging status: If logging is enabled for the rule,
is present.Advanced options: If the rule has any advanced options enabled, an
icon is present.
), block (
).
is present.Hovering the mouse cursor over any of these icons will display text explainingtheir meaning. The same icons are shown for disabled rules, except the icon andthe rule are a lighter shade of their original color.
Adding a firewall rule¶
To add a rule to the top of the list, click 
Add.
To add a rule to the bottom of the list, click 
Add.
Editing Firewall Rules¶
To edit a firewall rule, click 
to the right of the rule, or doubleclick anywhere on the line.
The edit page for that rule will load, and from there adjustments are possible.See Configuring firewall rules for more information on the options availablewhen editing a rule.
Reordering Firewall Rules¶
The order of the rules on an interface can be changed in two different ways:Drag-and-drop or select-and-click.
To reorder rules using the drag-and-drop method:
Move the mouse over the firewall rule to move, the cursor will change toindicate movement is possible.
Click and hold the mouse button down
Drag the mouse to the desired location for the rule
Release the mouse button
Click
Save to store the new rule order
Save to store the new rule orderWarning
Attempting to navigate away from the page after moving a rule, but beforesaving the order, will result in the browser presenting an error confirmingwhether or not to exit the page. If the browser navigates away from the pagewithout saving, the rule will still be in its original location.
To move rules in the list in groups or by selecting them first, use theselect-and-click method:
Select the rules to move
Note
Select rules by single clicking anywhere on their line or by checking thebox at the start of the row.
Click
on the row below where the rule should be moved.Tip
Hold Shift before clicking the mouse on
to move the rulebelow the selected rule instead of above.
on the row below where the rule should be moved.When moving rules using the select-and-click method, the new order is storedautomatically.
Copying Firewall Rules¶
To make a new rule that is similar to an existing rule, click 
to theright of the existing rule. The edit screen will appear with the existing rule’ssettings pre-filled, ready to be adjusted. When duplicating an existing rule,the new rule will be added directly below the original rule. For moreinformation about how to configure the new rule, see Configuring firewall rules.
To copy multiple rules:
Select the rules to copy
Note
Select rules by single clicking anywhere on their line or by checking thebox at the start of the row.
Click the
Copy button below the rule listThe firewall will open a new modal dialog with options to set before copying.
Select the Destination Interface
Select Convert interface definitions to automatically adjust the source ofthe rule to match the target interface, if necessary
Click
Paste to complete the operation
Warning
When copying rules to different interfaces, they may fall at the start or theend of the target interface rule list depending on the order of the interfacerules in the configuration. Be prepared to reorder the rules on the targetinterface before applying changes.
Deleting Firewall Rules¶
To delete a single rule, click 
to the right of the rule. Thefirewall will present a confirmation prompt before deleting the rule.
To delete multiple rules:
Select the rows to remove
Note
Select rules by single clicking anywhere on their line or by checking thebox at the start of the row.
Click the
Delete button below the rule listConfirm the action
Checking Rule Usage¶
The States column contains usage counters for each rule. It shows the numberof active states created by a rule and the amount of traffic consumed by thosestates.
Hovering the mouse over these counters shows additional detailed statistics.
Note
Though the firewall makes an effort to maintain these statistics, the valuescan reset over time depending on firewall ruleset reloads and other similaractions.
Clicking the value in this column will display a list of states created by therule.
Clearing States Created by a Rule¶
Click the 
icon to the right of a rule and then confirm the action toclear all active states created by that rule.
Note
This only affects states on this interface created by this rule directly. Itdoes not clear states on other interfaces where traffic may have exited thefirewall.
Disabling and Enabling Firewall Rules¶
To disable a rule, click 
at the end of its row. The appearance of therule will change to a lighter shade to indicate that it is disabled and the icon changes to 
.
To enable a rule which was previously disabled, click at theend of its row. The appearance of the rule will return to normal and theenable/disable icon will return to the original .
A rule may also be disabled or enabled by editing the rule and toggling theDisabled checkbox.
To disable or enable multiple rules at once:
Select the rules to disable
Note
Select rules by single clicking anywhere on their line or by checking thebox at the start of the row.
Click the
Toggle button below the rule list
Rule Separators¶
Firewall Rule Separators are colored bars in the ruleset that contain a smallbit of text, but do not take any action on traffic. They are useful for visuallyseparating or adding notes to special parts of the ruleset. FigureFirewall Rule Separators Example shows how they can be utilize to groupand document the ruleset.
To create a new Rule Separator:
Open the firewall rule tab where the Rule Separator will reside
Click
SeparatorEnter description text for the Rule Separator
Choose the color for the Rule Separator by clicking the
icon ofthe desired colorClick and drag the Rule Separator to its new location
Click
Save inside the Rule Separator to store its contentsClick
Save at the bottom of the rule list
Separator
icon ofthe desired colorTo move a Rule Separator:
Open the firewall rule tab containing the Rule Separator
Click and drag the Rule Separator to its new location
Click
Save at the bottom of the rule list
To delete a Rule Separator:
Open the firewall rule tab containing the Rule Separator
Click
inside the Rule Separator on the right sideClick
Save at the bottom of the rule list
Rule Separators cannot be edited. If a change in text or color is required,create a new Rule Separator and delete the existing entry.
Tracking Firewall Rule Changes¶
When a rule is created or updated the firewall records the user’s login name, IPaddress, and a timestamp on the rule to track who added and/or last changed therule in question. If the firewall automatically created the rule, that is alsonoted. This is done for firewall rules as well as port forwards and outbound NATrules. An example of a rule update tracking block is shown in FigureFirewall Rule Time Stamps, which is visible when editing afirewall rule at the very bottom of the rule editing screen.
