UniFi Gateways - Introduction to Firewall Rules

We generally recommend Traffic Rules instead of Firewall Rules for most users. Traffic Rules work by creating firewall rules; however, they are packaged into an intuitive interface that streamlines the creation of common use cases. Traditional firewall rules should be reserved for niche cases required by those with extensive networking goals.

Introduction

UniFi pre-configures certain rules to enable local network traffic while preventing certain potentially dangerous Internet traffic. UniFi configures similar rules for each additional network that you add.

Firewall rules are executed in order of the Rule Index. A lower number (top of the list) means that the rule is processed before the other rules. When creating a new rule, you can choose to apply it before or after the predefined rules. It is important to be aware of this index because incorrect placement may create the perception of a rule "not working".


Defining Rule Parameters

The rules are grouped based on the type of network that they apply to. The following network types are used:

  • Internet: Contains IPv4 firewall rules that apply to the Internet network.
  • LAN: Contains IPv4 firewall rules that apply to the LAN (Corporate) network.
  • Guest: Contains IPv4 firewall rules that apply to the Guest network.
  • Internet v6: Contains IPv6 firewall rules that apply to the Internet network.
  • LAN v6: Contains IPv6 firewall rules that apply to the LAN (Corporate) network.
  • Guest v6: Contains IPv6 firewall rules that apply to the Guest network.

Besides the network type, the firewall rules also apply to a direction. The following directions are used:

  • Local: Applies to traffic that is destined for the UDM/USG itself.
  • In: Applies to traffic that is entering the interface (ingress), destined for other networks.
  • Out: Applies to traffic that is exiting the interface (egress), destined for this network.

For example, firewall rules configured under LAN In will apply to traffic from the LAN (Corporate) network, destined for other networks. Firewall rules configured under LAN Local will apply to traffic from the LAN (Corporate) network, destined for the UDM/USG itself.

In addition to a network type and direction, the firewall rules can also be matched to a connection state:

  • New: The incoming packets are from a new connection.
  • Established: The incoming packets are associated with an already existing connection.
  • Related: The incoming packets are new, but associated with an already existing connection.
  • Invalid: The incoming packets do not match any of the other states.

For example, the predefined Internet Local and Internet In firewall rules ensure that outside connection attempts from the Internet cannot access the UDM/USG and the LAN network behind it. However, the UDM/USG and the LAN network can reach destinations on the Internet and the return traffic is allowed back. The predefined Internet Local and Internet In firewall rules are:

Rule Index: 3001
Enabled: Yes
Description: allow established/related sessions (see states above)
Action: Accept
Protocol: All
Type: Internet In and Internet Local

Rule Index: 3002
Enabled: Yes
Description: drop invalid state (see states above)
Action: Drop
Protocol: All
Type: Internet In and Internet Local
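The following Python model is an added example, not Ubiquiti code and not how the UDM/USG implements its firewall internally. It reproduces the evaluation semantics described above (rules processed in ascending Rule Index, first match wins, matching on network type plus direction, protocol and connection state) and loads the two predefined Internet In / Internet Local rules quoted in the article. The Rule and Packet structures, the assumed default policy of Drop when no rule matches, and the LAN In rules with indexes 2000 and 4000 are all constructed for illustration; they are not values taken from a UniFi controller. The `shadowed_by` helper shows why a rule placed after one that already matches the same traffic can look like it is "not working".

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY_STATE: FrozenSet[str] = frozenset()  # empty set means "match any state"


@dataclass(frozen=True)
class Rule:
    index: int                       # Rule Index: lower numbers are processed first
    description: str
    action: str                      # "Accept" or "Drop"
    types: FrozenSet[str]            # network + direction, e.g. {"Internet In", "Internet Local"}
    protocol: str = "All"            # "All" or a specific protocol such as "tcp"
    states: FrozenSet[str] = ANY_STATE
    dst_port: Optional[int] = None   # None means any destination port
    enabled: bool = True

    def matches(self, pkt: "Packet") -> bool:
        return (
            pkt.rule_type in self.types
            and self.protocol in ("All", pkt.protocol)
            and (not self.states or pkt.state in self.states)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


@dataclass(frozen=True)
class Packet:
    rule_type: str   # where the packet is evaluated, e.g. "Internet In" or "LAN In"
    protocol: str    # "tcp", "udp", ...
    state: str       # "New", "Established", "Related" or "Invalid"
    dst_port: int


# The two predefined rules quoted in the article.
PREDEFINED: List[Rule] = [
    Rule(3001, "allow established/related sessions", "Accept",
         frozenset({"Internet In", "Internet Local"}),
         states=frozenset({"Established", "Related"})),
    Rule(3002, "drop invalid state", "Drop",
         frozenset({"Internet In", "Internet Local"}),
         states=frozenset({"Invalid"})),
]

# Constructed LAN In rules (hypothetical indexes and descriptions, not from a real controller).
# Correct placement: the narrow Accept is evaluated before the broad Drop.
LAN_IN_OK: List[Rule] = [
    Rule(2000, "allow SSH from LAN to other networks (constructed)", "Accept",
         frozenset({"LAN In"}), protocol="tcp", dst_port=22),
    Rule(4000, "block LAN to other networks (constructed)", "Drop",
         frozenset({"LAN In"})),
]
# Misplaced: the broad Drop sits above the Accept, so the Accept can never fire.
LAN_IN_MISPLACED: List[Rule] = [
    Rule(2000, "block LAN to other networks (constructed)", "Drop",
         frozenset({"LAN In"})),
    Rule(4000, "allow SSH from LAN to other networks (constructed)", "Accept",
         frozenset({"LAN In"}), protocol="tcp", dst_port=22),
]


def evaluate(rules: List[Rule], pkt: Packet,
             default_action: str = "Drop") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule). The first enabled rule in
    ascending Rule Index order that matches wins. If nothing matches, the
    default policy applies; "Drop" is an assumption made for this example,
    consistent with the article's statement that new connection attempts from
    the Internet cannot reach the gateway or the LAN."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.enabled and rule.matches(pkt):
            return rule.action, rule.index
    return default_action, None


def shadowed_by(rules: List[Rule], pkt: Packet) -> List[int]:
    """Indexes of rules that would match pkt but are never reached because an
    earlier rule already decided it: the usual cause of a rule 'not working'."""
    hits = [r for r in sorted(rules, key=lambda r: r.index)
            if r.enabled and r.matches(pkt)]
    return [r.index for r in hits[1:]]


if __name__ == "__main__":
    for pkt in (Packet("Internet In", "tcp", "Established", 443),
                Packet("Internet In", "tcp", "Invalid", 80),
                Packet("Internet In", "tcp", "New", 22)):
        print(pkt.rule_type, pkt.state, "->", evaluate(PREDEFINED, pkt))
    ssh = Packet("LAN In", "tcp", "New", 22)
    print("correct order:", evaluate(LAN_IN_OK, ssh), "shadowed:", shadowed_by(LAN_IN_OK, ssh))
    print("misplaced    :", evaluate(LAN_IN_MISPLACED, ssh), "shadowed:", shadowed_by(LAN_IN_MISPLACED, ssh))
```

Running the script shows that return traffic (Established/Related) entering from the Internet is accepted by rule 3001, Invalid packets are dropped by 3002, and a New inbound connection matches neither predefined rule and falls through to the (assumed) default Drop. In the LAN In scenario the same SSH packet is accepted when the narrow Accept carries the lower index, but dropped when the broad Drop is placed first, with the Accept rule reported as shadowed.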
