LANCOM Reference Manual LCOS 3.50 Chapter 8: Firewall
Firewall
If you operate a web server in your LAN and have permitted access to this service from the outside (see ’The hiding place—IP masquerading (NAT, PAT)’ →page 74), stations on the Internet can establish connections to this server from the outside. In this case the inverse masquerading has priority over the Firewall, as long as no explicit "Deny All" rule has been set.
Set-up of an explicit "Deny All" strategy
For maximum protection and optimum control of the data traffic it is recommended to first prevent any data transfer through the Firewall. Then only the necessary functions and communication paths are allowed selectively. This offers e.g. protection against so-called "Trojans" and/or e-mail viruses, which actively set up an outgoing connection on certain ports.
Some typical applications are shown in the following.
All filters described here can be set up very conveniently with the Firewall wizard and, if necessary, refined further with e.g. LANconfig.
Deny All: The most important Firewall rule!
The Deny All rule is by far the most important rule for protecting local networks. With this rule the Firewall operates according to the principle: "All actions which are not explicitly allowed remain forbidden!" Only with this strategy can the administrator be sure not to have "forgotten" an access method, because only those accesses exist which he has opened explicitly himself.
We recommend setting up the Deny All rule before connecting the LAN to the Internet via a LANCOM. Then you can analyse in the logging table (started e.g. via LANmonitor) which connection attempts have been blocked by the Firewall. With the help of this information the Firewall and the "Allow rules" can be gradually extended.