Configuring the Firewall

Introduction

By default, the ENF firewall blocks all network traffic. The firewall must be configured to allow any required traffic, and it is network security best practice to configure it as strictly as possible: allow only the flows an application actually needs and leave everything else blocked.

Configuring the ENF firewall should be familiar to anyone experienced with network firewall appliances or AWS network ACLs. Each rule specifies the source and destination addresses (a subnet or a specific IP), the transport protocol (TCP, UDP, or ICMP), and the source and destination ports of the traffic to allow. The firewall is stateless, so you must configure separate rules for inbound (ingress) and outbound (egress) traffic; there is no connection tracking that automatically admits reply packets for an allowed request.

Prerequisites

  • enfcli needs to be installed. For help, see the Getting Started Tutorial
  • You must have an account with the domain administrator role.

Create Firewall Rules

For this example, we will create rules that allow any device in a /64 subnet to communicate with a server, and the server to respond to those requests. The server in the example listens on TCP port 8080. Note that with this configuration, devices cannot communicate directly with each other; the only traffic allowed is between the devices and port 8080 of the server.

  1. Start enfcli and login with an account that has the domain administrator role.
    > enfcli --host test.xaptum.io --user <domain.admin@mycompany.com>
    
  2. Allow egress from any subnet IP to the server IP.
    > firewall add-firewall-rule --action=ACCEPT --direction=EGRESS --network=<enf /64 network> --protocol=TCP --priority=200 --source-ip=<enf /64 network> --dest-ip=<server enf address> --dest-port=8080
    

    This allows outbound traffic from the devices to port 8080 of the server, but at this point the firewall still blocks the server from receiving those messages.

  3. Allow ingress from any subnet IP to the server IP
    > firewall add-firewall-rule --action=ACCEPT --direction=INGRESS --network=<enf /64 network> --protocol=TCP --priority=200 --source-ip=<enf /64 network> --dest-ip=<server enf address> --dest-port=8080
    

    Now the firewall allows the server to receive messages, but only from the designated /64 subnet.

  4. Allow egress from the server to any address on the subnet.
    > firewall add-firewall-rule --action=ACCEPT --direction=EGRESS --network=<enf /64 network> --protocol=TCP --priority=200 --dest-ip=<enf /64 network> --source-ip=<server enf address> --source-port=8080
    

    The firewall is now configured to allow responses from the server, sent from port 8080, to the subnet. As before, the firewall does not yet allow the subnet devices to receive those responses.

  5. Allow ingress to any device on the subnet from the server.
    > firewall add-firewall-rule --action=ACCEPT --direction=INGRESS --network=<enf /64 network> --protocol=TCP --priority=200 --dest-ip=<enf /64 network> --source-ip=<server enf address> --source-port=8080

    With all four rules in place, devices on the subnet can send requests to port 8080 of the server and receive its replies, and nothing else is permitted. Because the firewall is stateless, note that steps 4 and 5 admit any TCP packet the server sends from port 8080 to the subnet, not only packets that answer an earlier request; the source port is the only thing that ties the reply rules to the service.

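The following model puts the four rules from the steps above into code and evaluates constructed packets against them, so you can see which flows the rule set actually permits before running the real commands. This is an added example, not Xaptum's or the enfcli tool's own code: the addresses are made-up sample values, and the only semantics assumed are default-deny, stateless evaluation (a flow must pass both the sender's EGRESS check and the receiver's INGRESS check), and ACCEPT on first match. The `to_enfcli` method renders each rule with exactly the flags used in the steps above.

```python
"""Stateless model of the ENF firewall rules from the steps above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (assumptions, not real ENF assignments).
NETWORK = ipaddress.IPv6Network("2607:8f80:8080:1::/64")
SERVER = ipaddress.IPv6Address("2607:8f80:8080:1::10")
DEVICE_A = ipaddress.IPv6Address("2607:8f80:8080:1::a1")
DEVICE_B = ipaddress.IPv6Address("2607:8f80:8080:1::b2")
OUTSIDE = ipaddress.IPv6Address("2001:db8::1")   # not in the /64
SERVER_PORT = 8080


def host(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
    """A single address expressed as a /128 so rules can treat it like a subnet."""
    return ipaddress.IPv6Network(f"{addr}/128")


def cidr(net: ipaddress.IPv6Network) -> str:
    """Render a /128 as a bare address, anything else in CIDR form."""
    return str(net.network_address) if net.prefixlen == 128 else str(net)


@dataclass(frozen=True)
class Packet:
    direction: str                # "EGRESS" or "INGRESS", from the endpoint's view
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    sport: int
    dport: int
    protocol: str = "TCP"


@dataclass(frozen=True)
class Rule:
    direction: str
    source: ipaddress.IPv6Network
    dest: ipaddress.IPv6Network
    protocol: str = "TCP"
    source_port: Optional[int] = None   # None means any port
    dest_port: Optional[int] = None
    action: str = "ACCEPT"
    priority: int = 200

    def to_enfcli(self) -> str:
        """The 'firewall add-firewall-rule' command for this rule, flags as in the steps."""
        parts = [
            "firewall add-firewall-rule",
            f"--action={self.action}", f"--direction={self.direction}",
            f"--network={NETWORK}", f"--protocol={self.protocol}",
            f"--priority={self.priority}",
            f"--source-ip={cidr(self.source)}", f"--dest-ip={cidr(self.dest)}",
        ]
        if self.source_port is not None:
            parts.append(f"--source-port={self.source_port}")
        if self.dest_port is not None:
            parts.append(f"--dest-port={self.dest_port}")
        return " ".join(parts)

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.protocol == pkt.protocol
                and pkt.src in self.source and pkt.dst in self.dest
                and (self.source_port is None or self.source_port == pkt.sport)
                and (self.dest_port is None or self.dest_port == pkt.dport))


# Steps 2 to 5 of the procedure, in order.
RULES = [
    Rule("EGRESS", NETWORK, host(SERVER), dest_port=SERVER_PORT),     # step 2
    Rule("INGRESS", NETWORK, host(SERVER), dest_port=SERVER_PORT),    # step 3
    Rule("EGRESS", host(SERVER), NETWORK, source_port=SERVER_PORT),   # step 4
    Rule("INGRESS", host(SERVER), NETWORK, source_port=SERVER_PORT),  # step 5
]


def permitted(pkt: Packet, rules=RULES) -> bool:
    """Default deny: a packet passes only if some ACCEPT rule matches it."""
    return any(r.action == "ACCEPT" and r.matches(pkt) for r in rules)


def flow_allowed(src, sport, dst, dport, rules=RULES) -> bool:
    """Stateless check: the sender's EGRESS and the receiver's INGRESS must both pass."""
    return all(permitted(Packet(d, src, dst, sport, dport), rules)
               for d in ("EGRESS", "INGRESS"))


if __name__ == "__main__":
    for rule in RULES:
        print(rule.to_enfcli())
    print("device -> server:8080     ", flow_allowed(DEVICE_A, 51234, SERVER, 8080))
    print("server:8080 -> device     ", flow_allowed(SERVER, 8080, DEVICE_A, 51234))
    print("device -> device:8080     ", flow_allowed(DEVICE_A, 51234, DEVICE_B, 8080))
    print("server:9090 -> device     ", flow_allowed(SERVER, 9090, DEVICE_A, 51234))
    print("outside -> server:8080    ", flow_allowed(OUTSIDE, 40000, SERVER, 8080))
    print("only step 2 applied       ", flow_allowed(DEVICE_A, 51234, SERVER, 8080, RULES[:1]))
```

Running it shows the request and its reply both pass, while device-to-device traffic, a packet the server sends from any port other than 8080, and traffic from outside the /64 are all dropped. Passing only the first rule (`RULES[:1]`) reproduces the situation after step 2: the egress check passes but the ingress check fails, which is why each direction needs its own rule on a stateless firewall.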