Principle of operation
 

UserGate’s built-in Firewall, being a part of UserGate’s NAT driver, is designed to handle network traffic according to predefined rules. To create a rule for the Firewall, please specify the source and destination addresses, the service (a protocol-port pair) and either “Permit” or “Forbid” as the action in the Firewall rule. The rule type is defined automatically according to specified parameters. Supported Firewall rule types are: translation rule (NAT), Routing, and Firewall (FW).

By default, only one rule is available in the Firewall – the #NONUSER# rule, which allows or forbids all the network incoming and outgoing traffic. If you specify “Forbid” for this rule, UserGate Firewall will block all incoming and outgoing packets except the transit packets. This is the best way in the case when UserGate Server is installed on a single computer.

However, if the computer with UserGate installed is a workstation that provides Internet services access, you should also create permissive rules in the Firewall settings. These rules will be placed above the #NONUSER# rule. All Firewall rules are scanned in sequence of the rules list: from top to down. The first applicable rule of the list is used and other rules are not scanned. Moving a rule up or down on the list changes its priority higher or lower respectively.

UserGate services, such as proxy servers and port definitions, can also generate Firewall auto rules. For example these rules are created, when you run a proxy and maintain the proxy operation for LAN users; these are the permissive rules. Auto rules are not represented in the rules list; you can remove them only by disabling its corresponding proxy or port definition. Nevertheless, a UserGate administrator can block a permissive auto-rule by creating an appropriate prohibitive rule and placing it at the top of the rules list.