24. Network & Policy » Whitelist Template

Whitelists were implemented because Wanguard Filter could decide to block types of traffic that you don’t want to be blocked. By default, during inbound attacks, destination ports and destination IP addresses are blocked only in worst-case scenarios when no other attack pattern is found. In some cases though, it’s better to let potential malicious traffic enter the network in order to avoid the blocking of critical traffic.

You can add whitelist rules directly to each Filter defined in Configuration » Components, but if you need to add similar whitelist rules to multiple Filters it’s easier to add them to a Whitelist Template which can be used by multiple Filters.

WHITELIST_TEMPLATE_8.10.png

Every whitelist rule contains the following metrics:
Prefix – The whitelist rule is evaluated only when the anomaly IP address is included in the specified prefix. Any IPv4 address is matched by 0.0.0.0/0, any IPv6 address is matched by ::/0, any IP address is matched by /0
Decoder – Enter the decoder for which the whitelist rule applies, or All to match any decoder used by the anomaly
Rule Type – Choose between IP Address, Src Port TCP, Dst Port TCP, Src Port UDP, Dst Port UDP, ICMP Type, Packet Length, IP TimeToLive, IP Protocol
Operator – The operators for strings and numbers are equal and non-equal. The operators for numbers are less than and greater than. The operator equal can match IP Addresses in CIDR notation, port ranges written as <port_min>:<port_max>, and packet size ranges written as <pkt_size_min>:<pkt_size_max>
Rule Value – The user-defined value
FW Policy – When this parameter is Permit and Operator is equal, the Filter explicitly allows the matched traffic to pass through the Netfilter Firewall. Otherwise, a more generic filtering rule might take precedence over the whitelisted filtering rule
Comments – An optional description of the whitelist rule
For example, if your DNS server is attacked by spoofed addresses on port 53 UDP, the software might block traffic towards your DNS server on port 53 UDP, making it partially unreachable from the Internet. This case can be avoided with the whitelist rule: [Prefix = Your DNS Server, Decoder = ANY, Rule Type = Dst Port UDP, Operator = equal, Rule Value = 53, FW Policy = Permit]. The priority of the filtering rules can be configured in General Settings » Anomaly Mitigation.

Note

When a filtering rule matches a whitelist rule, the filtering rule will be reported with a white flag, but it won’t be applied to any firewall.