11.2. Network Objects

You can find the Network Objects Settings at Firewall → Network Objects.

A Network Object can be of one of the following types:

  • Hosts (Single IPs or Hostname)

  • Hosts (Network Range)

  • Ports

  • Mac Addresses

  • DNS Domain

Network Objects can be nested inside other Network Objects, but both must be of the same type: adding a Mac Address Network Object to a Port Network Object does not work. Cyclic structures are also not allowed, for example creating two Network Objects and adding each of them to the other. Such a structure creates a loop and is not valid.

For Hosts you can also use hostnames (DNS entries) instead of IP Addresses. Be aware, though, that it is up to the service in which you use the Network Object to resolve that hostname. You can change the order of the entries inside a Network Object via drag and drop once you have saved them. The order is purely cosmetic and has no influence on the Network Object.

Network Objects can be used in different places like firewall rules.

Network Objects for Interface IPs, Networks and Virtual IPs are automatically generated.
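The nesting rules above (same type only, no loops) and the nested builtin PrivateNetworks object from the Network Range table in this section are easy to get wrong in a model of your own. The following is an added example, not VT AIR's code: a hypothetical `Registry` of Network Objects that reports type mismatches and cycles, flattens a nested range object, and answers whether an address is covered. The class and field names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class NetworkObject:
    """Hypothetical model of a Network Object: literal entries plus nested objects."""
    name: str
    kind: str                                         # "host", "range", "port", "mac" or "dns"
    entries: List[str] = field(default_factory=list)  # literal values (CIDR strings for "range")
    members: List[str] = field(default_factory=list)  # names of nested Network Objects


class Registry:
    def __init__(self) -> None:
        self.objects: Dict[str, NetworkObject] = {}

    def add(self, obj: NetworkObject) -> None:
        self.objects[obj.name] = obj

    def validate(self) -> List[str]:
        """Return the rule violations: unknown members, mixed types and cycles."""
        problems: List[str] = []
        for obj in self.objects.values():
            for m in obj.members:
                child = self.objects.get(m)
                if child is None:
                    problems.append(f"{obj.name}: unknown member {m}")
                elif child.kind != obj.kind:
                    problems.append(f"{obj.name} ({obj.kind}) may not contain {m} ({child.kind})")
        problems.extend(self._find_cycles())
        return problems

    def _find_cycles(self) -> List[str]:
        """Depth-first search; a member that is still on the current path closes a loop."""
        WHITE, GREY, BLACK = 0, 1, 2
        colour = {n: WHITE for n in self.objects}
        cycles: List[str] = []

        def visit(name: str, path: List[str]) -> None:
            colour[name] = GREY
            path.append(name)
            for m in self.objects[name].members:
                if m not in self.objects:
                    continue                      # reported separately by validate()
                if colour[m] == GREY:
                    cycles.append(" -> ".join(path[path.index(m):] + [m]))
                elif colour[m] == WHITE:
                    visit(m, path)
            path.pop()
            colour[name] = BLACK

        for n in self.objects:
            if colour[n] == WHITE:
                visit(n, [])
        return cycles

    def resolve(self, name: str) -> Set[Network]:
        """Flatten a range object, following nested objects, into a set of networks."""
        seen: Set[str] = set()
        out: Set[Network] = set()

        def walk(n: str) -> None:
            if n in seen:                         # also protects against an unvalidated loop
                return
            seen.add(n)
            obj = self.objects[n]
            out.update(ipaddress.ip_network(e, strict=False) for e in obj.entries)
            for m in obj.members:
                walk(m)

        walk(name)
        return out

    def contains(self, name: str, ip: str) -> bool:
        """Is the address covered by the flattened range object? Mixed IP versions never match."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.resolve(name))


def builtin_registry() -> Registry:
    """The builtin network ranges listed in this section, including the nested PrivateNetworks."""
    r = Registry()
    for name, cidr in [("LOOPBACK", "127.0.0.0/8"), ("RFC1918_A", "10.0.0.0/8"),
                       ("RFC1918_B", "172.16.0.0/12"), ("RFC1918_C", "192.168.0.0/16"),
                       ("MULTICAST", "224.0.0.0/4"), ("RFC4193", "fd00::/7")]:
        r.add(NetworkObject(name, "range", entries=[cidr]))
    r.add(NetworkObject("PrivateNetworks", "range",
                        members=["RFC1918_A", "RFC1918_B", "RFC1918_C", "RFC4193"]))
    return r


def invalid_examples() -> List[str]:
    """Constructed objects that break both rules: a type mismatch and a two-object loop."""
    r = builtin_registry()
    r.add(NetworkObject("SSH", "port", entries=["22"]))
    r.add(NetworkObject("Mixed", "range", members=["SSH"]))    # range object nesting a port object
    r.add(NetworkObject("LoopA", "range", members=["LoopB"]))
    r.add(NetworkObject("LoopB", "range", members=["LoopA"]))  # each contains the other
    return r.validate()


if __name__ == "__main__":
    reg = builtin_registry()
    print("builtins:", reg.validate() or "ok")
    print("192.168.1.10 in PrivateNetworks:", reg.contains("PrivateNetworks", "192.168.1.10"))
    for p in invalid_examples():
        print("rejected:", p)
```

`resolve()` keeps its own `seen` set so that a loop which slipped past validation degrades to a truncated result instead of unbounded recursion; `contains()` relies on the standard library returning False for an IPv4 address tested against an IPv6 network, which is why a single mixed-version PrivateNetworks object behaves correctly.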

11.2.1. Hosts (Single IP)

You can enter Single IPs or other Network Objects with Single IPs. They can be IPv4 or IPv6.

You can also use hostnames (DNS entries) instead of IP Addresses.

11.2.1.1. Builtin Hosts

Name    IPs
OSPF    224.0.0.5, FF02::5, 224.0.0.6, FF02::6

11.2.2. Hosts (Network Range)

You can enter Network Ranges or other Network Objects with Network Ranges. They can be IPv4 or IPv6.

11.2.2.1. Dynamic Block Lists

Here you can enable DBL (Dynamic Block Lists) and enter a URL. The Update Interval can be daily or hourly. Once configured, a system job runs regularly and updates the Network Object entries with the data it fetches from the URL.

11.2.2.2. Builtin Network Ranges

Name             Network Range
LOOPBACK         127.0.0.0/8
RFC1918_A        10.0.0.0/8
RFC1918_B        172.16.0.0/12
RFC1918_C        192.168.0.0/16
MULTICAST        224.0.0.0/4
RFC4193          fd00::/7
PrivateNetworks  RFC1918_A, RFC1918_B, RFC1918_C, RFC4193

11.2.3. Ports

You can enter Ports or other Network Objects with Ports. You can also add builtin ports.

11.2.3.1. Builtin Ports

Name          Port
BGP           179
CIFS          3020
CITRIX-ICA    1494
DNS           53
DNS-TLS       853
ESP           4500
FTP           21
FTP-DATA      20
HTTP          80
HTTPS         443
IEC104        2404
IMAP          143
IMAPSSL       993
ISAKMP        500
KERBEROS      88
LDAP          389
LDAPS         636
LPD           515
MODBUS        502
NETBIOS-SSN   139
NFS           2049
OPENVPN       1194
POP3          110
POP3S         995
PPTP          1723
RADIUS        1812
RADIUS-ACCT   1813
RSH           514
RTSP          554
SIP           5060
SIP-TLS       5061
SMTP          25
SMTPTLS       465
SMTPSSL       587
SNMP          161
SNMPTRAP      162
SQLNET        1522
SSH           22
TELNET        23
UUCP          540
WHOIS         43

11.2.4. Mac Addresses

You can also create Mac Address Network Objects. They are only used for source Mac Addresses in Firewall Rules. For Mac Addresses you can also use Dynamic Block Lists as described above. Use them with care, since the source Mac Address is rewritten by L3 Routers and therefore only identifies the last hop before the firewall.

11.2.5. DNS Domain

You can also create DNS Domain Network Objects. Three different types are supported:

  • Direct Subdomains (*.test.de)

  • All Subdomains (**.test.de)

  • Exact Match (www.test.de)

It is usually not possible to query all subdomains, since most DNS servers do not allow zone transfers and therefore do not allow enumerating all subdomains. The VT AIR Firewall instead learns the subdomains automatically by observing the answers in the builtin DNS Server. Direct Subdomains only observe first-level subdomains, so www.test.de will be observed but not test.www.test.de. The results are limited to 256 entries; once that limit is reached, the oldest entry is removed and replaced by a newer one.

It is therefore important that all clients behind the firewall use the firewall's DNS Server and not a third-party DNS server. For the same reason, DNS Domain Network Objects can only be used as Destination in Global and Interface Firewall Rules.

The DNS Domain type thus allows wildcard domains to be added to firewall rules dynamically by observing DNS results.
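The three pattern types and the bounded learning table described above are reproduced here as an added example; this is not VT AIR's code and the class `DnsDomainObject`, the sample answers and the eviction policy (a refreshed name counts as newest; a wildcard never matches the bare base name) are assumptions made for the illustration. Matching works on whole labels rather than string suffixes, which is the detail that keeps a look-alike such as eviltest.de out of a *.test.de object.

```python
from collections import OrderedDict
from typing import Dict, List, Set, Tuple

MAX_LEARNED = 256   # entry limit stated in this section


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def matches(pattern: str, name: str) -> bool:
    """Match on whole labels, not string suffixes, so 'eviltest.de' never matches '*.test.de'.

    '*.x'  direct subdomains: exactly one extra label in front of x
    '**.x' all subdomains:    one or more extra labels
    'x'    exact match
    Assumption: neither wildcard form matches the bare base name itself.
    """
    labs = _labels(name)
    if pattern.startswith("**."):
        base = _labels(pattern[3:])
        return len(labs) > len(base) and labs[-len(base):] == base
    if pattern.startswith("*."):
        base = _labels(pattern[2:])
        return len(labs) == len(base) + 1 and labs[-len(base):] == base
    return labs == _labels(pattern)


class DnsDomainObject:
    """Hypothetical model of a DNS Domain Network Object that learns names from resolver answers."""

    def __init__(self, pattern: str, limit: int = MAX_LEARNED) -> None:
        self.pattern = pattern
        self.limit = limit
        self.learned: "OrderedDict[str, Set[str]]" = OrderedDict()  # insertion order = age

    def observe(self, qname: str, answers: List[str]) -> bool:
        """Feed one answer seen by the builtin DNS Server; True if the name was recorded."""
        if not matches(self.pattern, qname):
            return False
        key = qname.lower().rstrip(".")
        self.learned.pop(key, None)           # a refreshed name counts as newest (assumption)
        self.learned[key] = set(answers)
        while len(self.learned) > self.limit:
            self.learned.popitem(last=False)  # drop the oldest entry once the limit is hit
        return True

    def addresses(self) -> Set[str]:
        """Addresses a firewall rule using this object as Destination would currently cover."""
        return set().union(*self.learned.values())


# Constructed answers the resolver might see (not captured traffic).
SAMPLE_ANSWERS = [
    ("www.test.de", ["192.0.2.10"]),
    ("mail.test.de", ["192.0.2.20", "2001:db8::20"]),
    ("test.www.test.de", ["192.0.2.30"]),
    ("test.de", ["192.0.2.1"]),
    ("eviltest.de", ["203.0.113.5"]),   # would pass a naive endswith("test.de") check
]


def learn(pattern: str) -> Dict[str, List[str]]:
    """Run the sample answers through an object with the given pattern."""
    obj = DnsDomainObject(pattern)
    recorded = [q for q, a in SAMPLE_ANSWERS if obj.observe(q, a)]
    return {"recorded": recorded, "addresses": sorted(obj.addresses())}


def eviction_demo(limit: int = 3) -> Tuple[int, str]:
    """Observe more names than the limit allows; returns (size, oldest surviving name)."""
    obj = DnsDomainObject("**.test.de", limit=limit)
    for i in range(limit + 2):
        obj.observe(f"h{i}.test.de", [f"192.0.2.{i}"])
    return len(obj.learned), next(iter(obj.learned))


if __name__ == "__main__":
    for p in ("*.test.de", "**.test.de", "www.test.de"):
        print(p, learn(p))
    print("after overflow:", eviction_demo())
```

The eviction demo is the practical consequence of the 256-entry limit: a busy wildcard such as **.example with many distinct hostnames will cycle through the table, and names that were learned early silently drop out of the rule until they are resolved again through the firewall's DNS Server.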