The firewall module protects the system services from exposure to the outside network. Firewall rules can be IP based or subnet based, allowing fine-grained ingress filtering.
Note: be careful when changing the firewall rules to avoid locking yourself out from the web-interface.
The intrusion detection module safeguards the system by actively blocking, or warning about, brute-force log-in attempts. The system can block access to the web interface for a configurable period when too many log-in attempts are made. It is also possible to add the offending IP address to the blacklist and (optionally) warn the administrator about the event.
The system has IP based access control: either every IP is accepted except the offenders listed in the blacklist, or every IP is blocked except the IPs or IP ranges listed in the whitelist. To deny subscribers access to the web management interface, put the subscriber IP networks in the blacklist.
Both the blacklist and whitelist tabs work in the same way. To add a single IP address, enter the same IP as both the start and end address. To specify a range, enter the begin and end address. You can use the drop-down in the top-right corner to quickly add the IP subnet associated with that interface.
The HSMX can be configured to log anything between nearly nothing and very verbose debug log-files. You can configure the logging facility under Security → Log Settings. It is possible to send the log-files to an external syslog server. There are multiple sources defined within the HSMX from which a log-message can originate:
Each log-message has a specific severity. Lower severity levels log more information but might overwhelm the administrator with unrelated information.
To view the log-files browse to Tools → Logging → Syslog.
Choose if the device needs to log user activity and specify what details need to be stored. You can send the logs to a remote server by enabling remote logging.
This setting uses an internal proxy server to log all URLs requested by subscribers. Only use this feature if logging this information is permitted in your region. Using a proxy disables certain functionality such as QoS for web traffic or 1-to-1 NAT. URL logging will not work when subscribers set up a VPN connection (this is inherently impossible because of encryption).
Once DNS logging has been enabled all DNS requests on subscriber interfaces will be logged into the HSMX and visible in subscriber details. Optionally you can configure the number of subdomains that should be retained by HSMX.
Network policies are firewall rules for subscribers; they can be used to redirect, slow, deny or allow network traffic from and to a single subscriber device. To apply a network policy, assign a rule or group of rules to a location or billing plan. When both a billing-plan network policy and a location network policy apply to a subscriber, the former takes precedence (billing plan over location).
You can apply these actions based on traffic type (TCP (+port) / UDP (+port) / ICMP) and/or on a destination IP / subnet. You can group network policies by checking them and clicking the “add to group” link; this is needed if you want to apply multiple rules at the same time.
It's easier to explain how limiting works based on an example configuration: 3 connections per second with a burst of 5.
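As an added illustration (not code from the original manual), the following Python models the example configuration, 3 connections per second with a burst of 5, as a token bucket: the bucket starts with 5 tokens, each accepted connection spends one, and tokens refill at 3 per second up to the burst ceiling. The token-bucket semantics are an assumption, since the manual does not name the algorithm it uses.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectionLimiter:
    """Token-bucket limiter: `rate` tokens refill per second, at most `burst` are held."""
    rate: float = 3.0          # connections per second (the page's example value)
    burst: int = 5             # maximum burst (the page's example value)
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # the bucket starts full
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Return True if a connection arriving at time `now` (seconds) is accepted."""
        elapsed = now - self.last
        self.last = now
        # Refill in proportion to elapsed time, never exceeding the burst size.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(timestamps, rate: float = 3.0, burst: int = 5):
    """Run a list of connection arrival times through a fresh limiter; returns accept/deny per arrival."""
    limiter = ConnectionLimiter(rate, burst)
    return [limiter.allow(t) for t in timestamps]


if __name__ == "__main__":
    # Constructed scenario: 8 connections at once, then 4 more exactly one second later.
    arrivals = [0.0] * 8 + [1.0] * 4
    for t, ok in zip(arrivals, simulate(arrivals)):
        print(f"t={t:.1f}s  {'accepted' if ok else 'denied'}")
```

With this configuration a burst of 8 simultaneous connections yields 5 accepted and 3 denied; one second later only 3 tokens have returned, so the fourth connection in the next burst is denied, and a steady trickle below 3 per second is never limited.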
With this module you can manage the SSL certificate of the webserver. By default the system is loaded with the certificate for login.fdxtended.com, which is a valid certificate. If you already have a certificate, use the 'enter SSL certificates manually' functionality to input the private key, the public key and the CA certificates. If you still need to obtain a certificate, click on generate CSR to create a certificate signing request; with this CSR you can buy an SSL certificate from a known certificate authority.
If a valid SSL certificate is uploaded you can enable the following options: