11.2. Network Objects
You can find the Network Objects Settings at Firewall → Network Objects.
A Network Object can be of one of the following types:
Hosts (Single IPs or Hostname)
Hosts (Network Range)
Ports
Mac Addresses
DNS Domain
You can nest Network Objects inside other Network Objects, but they must be of the same type: adding a Mac Address Network Object to a Port Network Object does not work. You are also not allowed to create cyclic structures, for example creating two Network Objects and adding each of them to the other. Such a structure creates a loop and is not valid.
For Hosts you can also use hostnames (DNS entries) instead of IP Addresses. Be aware though that it is up to the service you use the Network Object in to resolve that hostname. You can change the order of the entries inside a Network Object via drag and drop once you have saved them. The order is only cosmetic and has no influence on how the Network Object is evaluated.
Network Objects can be used in different places like firewall rules.
Network Objects for Interface IPs, Networks and Virtual IPs are automatically generated.
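The two nesting rules above (members must be of the same type, and references must not form a loop) are easy to get wrong when objects are built up incrementally. The following is an added example, not VT AIR code: a minimal model of Network Object nesting with a validator that reports type mismatches and cycles, and a flatten helper that shows why the loop rule matters (expanding a cyclic object would never terminate). The object names, the `kind` labels and the sample configuration are constructed.

```python
# Added example (not VT AIR code): a model of Network Object nesting that
# enforces the two documented constraints, same-type membership and no
# cyclic references. Names, "kind" labels and sample data are constructed.

class Ref:
    """Reference to another Network Object by name."""
    def __init__(self, name):
        self.name = name


class NetworkObject:
    def __init__(self, name, kind, members=()):
        self.name = name
        self.kind = kind              # e.g. "host", "range", "port", "mac", "dns"
        self.members = list(members)  # literal values or Ref instances


def check_objects(objects):
    """Validate a dict name -> NetworkObject; returns a list of error strings.
    An empty list means the configuration is acceptable."""
    errors = []

    # Rule 1: a nested object must have the same type as its parent.
    for obj in objects.values():
        for member in obj.members:
            if not isinstance(member, Ref):
                continue
            target = objects.get(member.name)
            if target is None:
                errors.append(f"{obj.name}: references unknown object {member.name}")
            elif target.kind != obj.kind:
                errors.append(
                    f"{obj.name}: cannot add {target.kind} object "
                    f"{target.name} to a {obj.kind} object")

    # Rule 2: no cycles. Depth-first search with three colours; an edge to a
    # GREY (still in progress) node closes a loop.
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in objects}

    def visit(name, path):
        colour[name] = GREY
        for member in objects[name].members:
            if not isinstance(member, Ref) or member.name not in objects:
                continue
            if colour[member.name] == GREY:
                errors.append("cycle: " + " -> ".join(path + [member.name]))
            elif colour[member.name] == WHITE:
                visit(member.name, path + [member.name])
        colour[name] = BLACK

    for name in objects:
        if colour[name] == WHITE:
            visit(name, [name])
    return errors


def flatten(objects, name):
    """Expand an object into the literal values it contains, following
    references. Duplicates are removed and order is preserved."""
    out, seen = [], set()

    def walk(n):
        if n in seen:        # guard so a cyclic config cannot recurse forever
            return
        seen.add(n)
        for member in objects[n].members:
            if isinstance(member, Ref):
                walk(member.name)
            elif member not in out:
                out.append(member)

    walk(name)
    return out


# Constructed sample configuration (addresses from the RFC 5737 documentation range).
SAMPLE = {
    "web_servers": NetworkObject("web_servers", "host", ["192.0.2.10", "192.0.2.11"]),
    "db_servers": NetworkObject("db_servers", "host", ["192.0.2.20", Ref("web_servers")]),
    "web_ports": NetworkObject("web_ports", "port", [80, 443]),
}

if __name__ == "__main__":
    print(check_objects(SAMPLE))          # []
    print(flatten(SAMPLE, "db_servers"))  # ['192.0.2.20', '192.0.2.10', '192.0.2.11']
```

Run the validator before expanding any object into a rule: a cycle is reported as the path that closes it (for example `cycle: a -> b -> a`), which is the same structure the documentation forbids.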
11.2.1. Hosts (Single IP)
You can enter Single IPs or other Network Objects with Single IPs. They can be IPv4 or IPv6.
You can also use hostnames (DNS entries) instead of IP Addresses.
11.2.1.1. Builtin Hosts
| Name | IPs |
|---|---|
| OSPF | |
11.2.2. Hosts (Network Range)
You can enter Network Ranges or other Network Objects with Network Ranges. They can be IPv4 or IPv6.
11.2.2.1. Dynamic Block Lists
Here you can enable DBL and enter a URL. The Update Interval can be daily or hourly. Once configured, a system job runs regularly and updates the Network Object entries with the data it gets from the URL.
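What the update job has to do with the fetched data is worth seeing in code, because a block list is only as safe as its parsing: a malformed or empty fetch must not silently widen or empty the object. The following is an added example, not VT AIR code and not a description of the firewall's own update job. It assumes a list format of one IP or CIDR per line with `#` or `;` comments, which is common for public block lists but is an assumption here; the sample feed is constructed.

```python
# Added example (not VT AIR code): turning the text fetched from a Dynamic
# Block List URL into network ranges. The one-entry-per-line format with
# '#'/';' comments is an assumption; the sample list below is constructed.
import ipaddress


def parse_block_list(text):
    """Return (networks, problems): a sorted, de-duplicated list of
    ip_network objects and a list describing every line that was skipped."""
    networks, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]  # some feeds append ids or notes after a space
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: not an IP or CIDR: {raw.strip()!r}")
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would match every address. A feed carrying it is
            # almost certainly broken, so refuse it instead of blocking everything.
            problems.append(f"line {lineno}: refusing catch-all network {net}")
            continue
        networks.add(net)
    return sorted(networks, key=lambda n: (n.version, n)), problems


def refresh_entries(current, fetched_text):
    """Compute the replacement entry list for one scheduled update. If the
    fetch yields nothing usable (HTTP error page, empty body), keep the
    current entries: an emptied block list silently disables every rule
    that relies on it."""
    new, problems = parse_block_list(fetched_text)
    if not new:
        return list(current), problems + ["update skipped: fetched list empty"]
    return new, problems


# Constructed sample feed (RFC 5737 / RFC 3849 documentation ranges), not a real list.
SAMPLE_LIST = """\
; constructed sample, not a real feed
203.0.113.0/24        ; documentation range
198.51.100.7          # single host becomes /32
2001:db8:bad::/48
203.0.113.0/24        ; duplicate, collapsed
0.0.0.0/0             ; catch-all, must be rejected
not-an-address
"""

if __name__ == "__main__":
    nets, probs = parse_block_list(SAMPLE_LIST)
    print([str(n) for n in nets])   # ['198.51.100.7/32', '203.0.113.0/24', '2001:db8:bad::/48']
    for p in probs:
        print(p)
```

Both rejected lines end up in `problems` rather than being dropped silently, so a scheduled job can log them; the catch-all refusal and the empty-fetch guard are the two checks that keep a bad upstream feed from turning a block list into a block-everything or block-nothing rule.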
11.2.2.2. Builtin Network Ranges
| Name | Network Range |
|---|---|
| LOOPBACK | 127.0.0.0/8 |
| RFC1918_A | 10.0.0.0/8 |
| RFC1918_B | 172.16.0.0/12 |
| RFC1918_C | 192.168.0.0/16 |
| MULTICAST | 224.0.0.0/4 |
| RFC4193 | fd00::/7 |
| PrivateNetworks | |
11.2.3. Ports
You can enter Ports or other Network Objects with Ports. You can also add the builtin ports listed below.
11.2.3.1. Builtin Ports
| Name | Port |
|---|---|
| BGP | 179 |
| CIFS | 3020 |
| CITRIX-ICA | 1494 |
| DNS | 53 |
| DNS-TLS | 853 |
| ESP | 4500 |
| FTP | 21 |
| FTP-DATA | 20 |
| HTTP | 80 |
| HTTPS | 443 |
| IEC104 | 2404 |
| IMAP | 143 |
| IMAPSSL | 993 |
| ISAKMP | 500 |
| KERBEROS | 88 |
| LDAP | 389 |
| LDAPS | 636 |
| LPD | 515 |
| MODBUS | 502 |
| NETBIOS-SSN | 139 |
| NFS | 2049 |
| OPENVPN | 1194 |
| POP3 | 110 |
| POP3S | 995 |
| PPTP | 1723 |
| RADIUS | 1812 |
| RADIUS-ACCT | 1813 |
| RSH | 514 |
| RTSP | 554 |
| SIP | 5060 |
| SIP-TLS | 5061 |
| SMTP | 25 |
| SMTPTLS | 465 |
| SMTPSSL | 587 |
| SNMP | 161 |
| SNMPTRAP | 162 |
| SQLNET | 1522 |
| SSH | 22 |
| TELNET | 23 |
| UUCP | 540 |
| WHOIS | 43 |
11.2.4. Mac Addresses
You can also create Mac Address Network Objects. They are only used for source Mac Addresses in Firewall Rules. For Mac Addresses you can also use Dynamic Block Lists as described above. Use these with care: the source Mac Address is rewritten by L3 routers, so a rule matching on it only applies to traffic arriving from the directly connected Layer 2 segment.
11.2.5. DNS Domain
You can also create DNS Domain Network Objects. Three different types are supported:
Direct Subdomains (*.test.de)
All Subdomains (**.test.de)
Exact Match (www.test.de)
It is usually not possible to query all subdomains, since most DNS servers do not allow zone transfers and therefore do not allow crawling all subdomains. The VT AIR Firewall will automatically learn the subdomains by observing the answers in the builtin DNS Server. Direct subdomains only observe first-level subdomains, so www.test.de will be observed but not test.www.test.de. The results are limited to 256 entries, at which point the oldest entry is removed and replaced by a newer one.
It is therefore important that all clients behind the firewall use the firewall's DNS Server and not a third-party DNS server. For the same reason, DNS Domain Network Objects can only be used as Destination in Global and Interface Firewall Rules.
The DNS Domain allows for dynamic adding of wildcard domains to firewall rules by observing DNS results.
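The three match types and the learning behaviour described above can be modelled compactly. The following is an added example, not VT AIR code: it implements the `*.` (direct subdomains), `**.` (all subdomains) and exact-match patterns, records (name, address) pairs as they would be observed in answers from the firewall's resolver, and applies the documented 256-entry limit by evicting the oldest entry. Two details are assumptions, not documented behaviour: `*.test.de` does not match the bare apex `test.de`, and re-observing an existing entry refreshes its position instead of adding a duplicate. The sample names and addresses are constructed.

```python
# Added example (not VT AIR code): a model of DNS Domain Network Objects that
# matches the three pattern types and learns destinations from observed DNS
# answers, keeping at most the documented 256 entries (oldest evicted first).
# Assumptions: "*.x" does not match the apex "x" itself; re-observing a known
# (name, ip) pair refreshes it rather than duplicating it.
from collections import OrderedDict

MAX_ENTRIES = 256  # limit stated in the documentation


class DnsDomainObject:
    def __init__(self, pattern):
        pattern = pattern.lower().rstrip(".")
        if pattern.startswith("**."):
            self.mode, self.base = "all", pattern[3:]      # every level below
        elif pattern.startswith("*."):
            self.mode, self.base = "direct", pattern[2:]   # first level only
        else:
            self.mode, self.base = "exact", pattern
        self.entries = OrderedDict()  # (fqdn, ip) -> True, oldest first

    def matches(self, fqdn):
        """Does a queried name fall under this object's pattern?"""
        fqdn = fqdn.lower().rstrip(".")
        if self.mode == "exact":
            return fqdn == self.base
        if not fqdn.endswith("." + self.base):
            return False
        labels_below = fqdn[: -len(self.base) - 1]  # part in front of the base
        return self.mode == "all" or "." not in labels_below

    def observe(self, fqdn, ip):
        """Feed one (name, address) pair from a DNS answer seen by the
        firewall's own resolver. Returns True if the pair was recorded."""
        if not self.matches(fqdn):
            return False
        key = (fqdn.lower().rstrip("."), ip)
        if key in self.entries:
            self.entries.move_to_end(key)  # assumption: refresh as newest
        else:
            self.entries[key] = True
            while len(self.entries) > MAX_ENTRIES:
                self.entries.popitem(last=False)  # evict the oldest entry
        return True

    def addresses(self):
        """Destination IPs a rule using this object currently covers."""
        return sorted({ip for (_, ip) in self.entries})


if __name__ == "__main__":
    # Constructed sample: answers the resolver would see for a few lookups.
    direct = DnsDomainObject("*.test.de")
    for name, ip in [("www.test.de", "192.0.2.10"),
                     ("mail.test.de", "192.0.2.20"),
                     ("test.www.test.de", "192.0.2.30")]:   # too deep for "*."
        print(name, direct.observe(name, ip))
    print(direct.addresses())  # ['192.0.2.10', '192.0.2.20']
```

A client that resolves through a third-party DNS server never produces an `observe()` call, so its destinations are never learned and a rule built on the object will not match its traffic; this is the reason behind the requirement that all clients use the firewall's DNS Server.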