Nexapp - Rule

Rules

Firewall rules control how traffic is allowed, blocked, or monitored between different network zones. NexappOS uses zones to separate trusted internal networks from untrusted external networks (such as the Internet) and applies policies based on the rules you define.

Rules are evaluated top to bottom within each tab. The first matching rule wins and no later rule is consulted, so ordering is critical to achieving the intended security behavior: a specific Block rule placed below a broad Allow rule never fires. Traffic that matches no rule falls through to the default policy of the zones involved.


Rule Tabs

The Rules page is divided into three tabs, each dedicated to a specific traffic direction:

Forward Rules

Controls traffic moving between zones.
Example: LAN → WAN, LAN → DMZ, VPN → LAN.

Use this tab to define how internal, guest, DMZ, and VPN networks talk to each other.

Input Rules

Controls traffic destined to the NexappOS unit itself.
Example: allowing HTTPS management on port 9090 from LAN.

Use this tab to protect and limit access to services running on the gateway.

Output Rules

Controls traffic originating from NexappOS toward other zones.
Example: DNS queries, updates, monitoring traffic.

Use this tab to restrict or allow services started by the unit.


Add a New Rule

Click Add rule in the desired tab to create a new policy.
Complete the following fields:

  • Status
    Enable or disable the rule.
    New rules are enabled by default.

  • Rule name
    Provide a clear, descriptive label.
    Example: Allow_LAN_to_WAN_HTTP, Block_Guest_to_LAN.

  • Source address
    Define where traffic comes from:

    • enter IPv4/IPv6 addresses, CIDR networks, or IP ranges
    • choose a firewall object
    • select Any

    Not available in Output rules because the source is always NexappOS.

  • Source zone
    Select the originating zone (LAN, WAN, Guest, DMZ, VPN, etc.) or choose Any.

  • Destination address
    Define where traffic is going:

    • enter IPv4/IPv6 addresses, CIDR networks, or IP ranges
    • choose a firewall object
    • select Any

    Not available in Input rules because the destination is always NexappOS.

  • Destination zone
    Select the target zone.
    Source and destination zones cannot be the same.

  • Destination service
    Choose a predefined service or select Custom to specify ports and protocol manually.

  • Action
    Decide what NexappOS does when traffic matches:

    • Accept — allow traffic
    • Reject — block and notify sender
    • Drop — block silently (no sender notification)

  • Rule position
    Choose where to place the rule in the list:

    • Top (higher priority)
    • Bottom (lower priority)

  • Logging
    Enable logging for matching packets.
    Logged entries include the rule name as a prefix.

    Default rate: 1 log/sec per rule.
    Adjust limits if needed (see below).

  • Tags (optional)
    Add tags for organization and filtering.
    The tag automated is reserved for system-generated rules.
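The three tabs and the form fields above correspond to options of an OpenWrt firewall rule in the same uci firewall configuration this page later edits for logging limits. The shell function below is an added example and is not code from NexappOS or its documentation: it turns the form fields into a uci batch script and prints it rather than applying it, so it can be reviewed before being piped into uci batch. The argument layout, the any and - placeholders, and the restriction to standard rule options (src, dest, src_ip, dest_ip, proto, dest_port, target, log, enabled) are this example's own conventions; how the web UI stores its own metadata such as tags is not described on this page and is not generated here.

```shell
#!/bin/sh
# Added example; not code shipped with NexappOS. Prints a `uci batch` script
# that creates one firewall rule from the fields of the Add rule form, using
# only standard OpenWrt firewall options in the `firewall` config.
#
#   rule_batch TAB NAME SRC_ZONE SRC_ADDR DEST_ZONE DEST_ADDR SERVICE ACTION POSITION LOG
#
#   TAB                   forward | input | output   (the three Rules tabs)
#   SRC_ZONE / DEST_ZONE  zone name, "any", or "-" where the tab has no such field
#   SRC_ADDR / DEST_ADDR  IP, CIDR or range, or "any"
#   SERVICE               proto:port (tcp:9090), a protocol alone (icmp), or "any"
#   ACTION                accept | reject | drop
#   POSITION              top | bottom
#   LOG                   0 | 1
rule_batch() {
    tab=$1 name=$2 src_zone=$3 src_addr=$4 dest_zone=$5 dest_addr=$6
    service=$7 action=$8 position=$9 log=${10}

    # Values are single-quoted inside uci commands; refuse names that could
    # break out of the quoting or otherwise confuse the config file.
    case "$name" in
        ''|*\'*|*[!A-Za-z0-9_.-]*)
            echo "rule_batch: rule name must be non-empty and use [A-Za-z0-9_.-]" >&2
            return 1 ;;
    esac

    case "$action" in
        accept) target=ACCEPT ;;
        reject) target=REJECT ;;   # blocks and notifies the sender
        drop)   target=DROP ;;     # blocks silently
        *) echo "rule_batch: unknown action '$action'" >&2; return 1 ;;
    esac

    case "$tab" in
        forward)
            if [ "$src_zone" = "$dest_zone" ]; then
                echo "rule_batch: source and destination zone must differ" >&2
                return 1
            fi ;;
        input)  dest_zone=""; dest_addr=any ;;   # destination is always the unit
        output) src_zone="";  src_addr=any ;;    # source is always the unit
        *) echo "rule_batch: unknown tab '$tab'" >&2; return 1 ;;
    esac

    # Split SERVICE into protocol and port; "any" leaves both unset.
    proto=""; port=""
    case "$service" in
        any) ;;
        *:*) proto=${service%%:*}; port=${service#*:} ;;
        *)   proto=$service ;;
    esac

    echo "add firewall rule"
    echo "set firewall.@rule[-1].name='$name'"
    echo "set firewall.@rule[-1].enabled='1'"   # new rules are enabled by default
    # An "any" zone is OpenWrt's wildcard '*'; an "any" address omits the match.
    if [ -n "$src_zone" ]; then
        if [ "$src_zone" = any ]; then src_zone='*'; fi
        echo "set firewall.@rule[-1].src='$src_zone'"
    fi
    if [ "$src_addr" != any ]; then
        echo "set firewall.@rule[-1].src_ip='$src_addr'"
    fi
    if [ -n "$dest_zone" ]; then
        if [ "$dest_zone" = any ]; then dest_zone='*'; fi
        echo "set firewall.@rule[-1].dest='$dest_zone'"
    fi
    if [ "$dest_addr" != any ]; then
        echo "set firewall.@rule[-1].dest_ip='$dest_addr'"
    fi
    if [ -n "$proto" ]; then echo "set firewall.@rule[-1].proto='$proto'"; fi
    if [ -n "$port"  ]; then echo "set firewall.@rule[-1].dest_port='$port'"; fi
    echo "set firewall.@rule[-1].target='$target'"
    # log='1' enables logging; the rate is governed by rule_log_limit (1/s default).
    if [ "$log" = 1 ]; then echo "set firewall.@rule[-1].log='1'"; fi
    # Rules are matched in config order, so "top" moves the new section to
    # index 0 of the config, ahead of every existing rule.
    if [ "$position" = top ]; then echo "reorder firewall.@rule[-1]=0"; fi
    echo "commit firewall"
}

# Rule from the page's examples: block Guest from reaching the LAN, first and logged.
rule_batch forward Block_Guest_to_LAN guest any lan any any drop top 1
```

Review the printed script, then pipe it into uci batch and reload the firewall with /etc/init.d/firewall reload. Run it once per tab to see the difference: an input rule emits no dest line and an output rule emits no src line, matching the fields the form hides.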


Logging Limits

Logging can be enabled on:

  • zones
  • firewall rules
  • redirect rules (port forwards)

To prevent performance issues, NexappOS applies default log rate limits:

  • Firewall rules: 1 log entry/second
  • Zones: 5 log entries/second
  • Redirect rules: 1 log entry/second

Change Default Logging Limits

Warning
Increasing log limits can affect system performance.
Change only when necessary.

Default values are stored under the ns_defaults firewall configuration:

  • zone_log_limit
  • rule_log_limit
  • redirect_log_limit

Example: increase zone logging to 10 logs/sec:

uci set firewall.ns_defaults.zone_log_limit="10/s"
uci commit firewall

Apply new defaults:

firewall-apply-default-logging
