Remote Access
- Last Updated: April 5, 2026
This page lists all active firewall rules and access restrictions. You can also define custom rules, which are intended for granting access to the listening ports of additionally installed modules.
Access restriction settings
In the Access restriction settings panel, you can choose which IP addresses can access the Flowmon appliance using protocols HTTP, HTTPS, and SSH. To be granted access to the appliance:
- The list of access restrictions must be empty, or
- Your host IP address must be listed, or
- Your host IP address must belong to one of the listed (sub)network IP addresses.
Every access restriction entry specifies a host IP address or a (sub)network IP address that is allowed to access the Flowmon appliance. By default, these settings apply only to protocols HTTP and HTTPS. If you want to connect to the appliance using the SSH protocol, the SSH switch has to be set to ACCEPT in the Active firewall rules section (below) too.
You can edit or delete restrictions using Edit and Delete. Click New IP address or subnet to add a new restriction. Restricting both IPv4 and IPv6 addresses and their (sub)networks is supported.
Other protocols (ICMP, SNMP, and so on) are not affected by access restriction settings. Custom rules defined by users are also not affected by access restriction settings. Both are applied globally - to all incoming connections, based only on the configuration in Active firewall rules.
Active firewall rules
The Active firewall rules panel shows all active firewall rules. You can turn these rules and the corresponding agents on or off by toggling the ACCEPT/REJECT switch. The ACCEPT value means that all connection attempts meeting the rule's criteria will be allowed to pass through the firewall. The REJECT value does not allow such connection attempts to pass. User-defined rules always begin with the prefix USER. Rules beginning with the prefix FMC source correspond with flow sources configured on the Sources page. This prefix is followed by the name of the source.
Switches for HTTP and HTTPS are always disabled:
- in state ACCEPT when no IP addresses are set in Access restriction settings or
- in state REJECT when one or more IP addresses are set in Access restriction settings.
Users cannot change this configuration. The only way to control access to the appliance using HTTP and HTTPS is to set allowed addresses or ranges in access restriction settings.
The switch for SSH is enabled and changes behavior based on the content of Access restriction settings:
- when no IP addresses are set in Access restriction settings,
  - in state ACCEPT, all connection attempts will pass through the firewall,
  - in state REJECT, no connection attempts will pass through the firewall,
- when one or more IP addresses are set in Access restriction settings,
  - in state ACCEPT, connection attempts from listed IP addresses or address ranges will pass through the firewall,
  - in state REJECT, no connection attempts will pass through the firewall.
All other rules behave independently and do NOT take into account the content of Access restriction settings:
- in state ACCEPT, all connection attempts will pass through the firewall or
- in state REJECT, no connection attempts will pass through the firewall.
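The interaction between Access restriction settings and the firewall switches can be written as a small decision model, which also shows which rules stay reachable from any address once an allowlist is set. This is an added example, not Flowmon code: the function names, the rule names SNMP and USER collector, and the addresses are constructed for illustration, and a rule with no switch entry is assumed to be closed.

```python
import ipaddress

def in_allowlist(src, allowlist):
    """True if src is a listed host or lies inside a listed (sub)network."""
    addr = ipaddress.ip_address(src)
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)  # bare host -> /32 or /128
        if addr.version == net.version and addr in net:
            return True
    return False

def is_allowed(service, src, allowlist, switches):
    """Would a connection from src to the named rule pass, per the text above?

    allowlist: Access restriction settings entries (IPv4/IPv6 hosts or subnets)
    switches:  rule name -> "ACCEPT" or "REJECT" (SSH and all other rules)
    """
    if service in ("HTTP", "HTTPS"):
        # Switch is locked: the allowlist alone decides; empty list = open.
        return not allowlist or in_allowlist(src, allowlist)
    if switches.get(service) != "ACCEPT":  # assumption: missing rule = closed
        return False
    if service == "SSH" and allowlist:
        return in_allowlist(src, allowlist)
    return True  # other rules never consult the allowlist

def globally_open(allowlist, switches):
    """Rules reachable from any source address: the review list for an audit."""
    names = [] if allowlist else ["HTTP", "HTTPS"]
    for name, state in switches.items():
        if state == "ACCEPT" and not (name == "SSH" and allowlist):
            names.append(name)
    return sorted(names)

if __name__ == "__main__":
    # Constructed sample configuration (documentation address ranges).
    allowlist = ["192.0.2.10", "198.51.100.0/24", "2001:db8::/32"]
    switches = {"SSH": "ACCEPT", "SNMP": "ACCEPT", "USER collector": "ACCEPT"}
    print(is_allowed("SSH", "203.0.113.5", allowlist, switches))
    print(globally_open(allowlist, switches))
```

With the sample configuration, SSH from an unlisted address is refused, while SNMP and the USER rule remain open to every source, so those are the entries to review when the appliance is exposed beyond a management network.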
You can define your own rules and allow the listening ports of additionally installed modules by clicking on New rule. In the pop-up window, fill in the fields Action, L4 Protocol, Dest Port[:Port], and Note. The L4 Protocol field should be filled with the protocol code (for example, TCP or UDP). In the Dest Port[:Port] field, enter the number of the destination port. If you need to specify a port interval, type the first port number, then a colon, and the last port number without spaces (for example, "7000:7999"). Enter the rule label in the Note field.