Network Access Rules Page 127
10 Network Access Rules
Network Access Rules are management tools that allow you to define inbound and outbound access
policy, configure user authentication, and enable remote management of the SonicWALL.
By default, the SonicWALL’s stateful packet inspection allows all communication from the LAN to
the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined
by the “Default” stateful inspection packet rule enabled in the SonicWALL:
Allow all sessions originating from the LAN to the WAN and DMZ.
Allow all sessions originating from the DMZ to the WAN.
Allow all sessions originating from the WAN to the DMZ.
Deny all sessions originating from the WAN and DMZ to the LAN.
Additional Network Access Rules can be defined to extend or override the default rules. For example,
rules can be created that block certain types of traffic such as IRC from the LAN to the WAN, or allow
certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the
Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized
users on the LAN.
Custom rules are matched against each session's source IP address, destination IP address and IP protocol
type, and the session is handled according to the matching rule created on the SonicWALL. Network Access
Rules take precedence over, and can therefore override, the SonicWALL's default stateful packet inspection
behavior. For example, a rule that blocks IRC traffic takes precedence over the SonicWALL default of
allowing all traffic from the LAN to the WAN.
Alert The ability to define Network Access Rules is a very powerful tool. Using custom rules can
disable firewall protection or block all access to the Internet. Use caution when creating or deleting
Network Access Rules.

Viewing Network Access Rules

The Services window displays a table of defined Network Access Rules. Rules are sorted from the
most specific at the top to the least specific at the bottom of the table. At the bottom of the table is the
Default rule, which covers all IP services except those listed individually in the Services window. Rules can
be created to override the behavior of the Default rule; for example, the Default rule allows users on
the LAN to access all Internet services, including NNTP News. LAN access to NNTP can be
blocked by deselecting LAN Out for the NNTP News service.
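The following is an added illustration, not SonicWALL code or configuration, of the two points made above: that sessions are matched on source address, destination address and protocol, and that the rule table is evaluated most-specific first with the broad Default rules at the bottom, so a narrow custom rule (block IRC from LAN to WAN, allow one Internet host to reach one LAN host for Notes synchronization) overrides the Default behavior. The zone names follow the page; the rule names, the specificity weights, the port numbers (TCP 6667 for IRC, TCP 1352 for Lotus Notes) and the addresses are assumptions constructed for the example.

```python
"""Toy first-match evaluator for SonicWALL-style Network Access Rules.

Added example, not SonicWALL code. Rule names, weights, ports and
addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src_zone: str            # "LAN", "WAN" or "DMZ"
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str               # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src_zone: str                    # "LAN", "WAN", "DMZ" or "*" (any)
    dst_zone: str
    src: str = ANY_NET               # CIDR; a /32 is a single host
    dst: str = ANY_NET
    proto: str = "*"                 # "tcp", "udp", "icmp" or "*"
    dst_port: Optional[int] = None   # None matches any port

    def specificity(self) -> int:
        """Rough score, higher = narrower match. Used only to order the
        table; the weights are an assumption of this example."""
        score = ipaddress.ip_network(self.src).prefixlen
        score += ipaddress.ip_network(self.dst).prefixlen
        score += 4 * (self.src_zone != "*") + 4 * (self.dst_zone != "*")
        score += 8 * (self.proto != "*")
        score += 16 * (self.dst_port is not None)
        return score

    def matches(self, p: Packet) -> bool:
        """Compare source, destination, protocol and port with the packet."""
        return (
            self.src_zone in ("*", p.src_zone)
            and self.dst_zone in ("*", p.dst_zone)
            and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst)
            and self.proto in ("*", p.proto)
            and (self.dst_port is None or self.dst_port == p.dst_port)
        )


# The "Default" stateful-inspection behaviour as described on the page.
DEFAULT_RULES = [
    Rule("Default LAN->WAN", "allow", "LAN", "WAN"),
    Rule("Default LAN->DMZ", "allow", "LAN", "DMZ"),
    Rule("Default DMZ->WAN", "allow", "DMZ", "WAN"),
    Rule("Default WAN->DMZ", "allow", "WAN", "DMZ"),
    Rule("Default WAN->LAN", "deny", "WAN", "LAN"),
    Rule("Default DMZ->LAN", "deny", "DMZ", "LAN"),
    Rule("Implicit deny", "deny", "*", "*"),   # catch-all at the very bottom
]

# Custom rules of the kind the page mentions. Hosts and ports are
# constructed for this example (IRC on TCP 6667, Lotus Notes on TCP 1352).
CUSTOM_RULES = [
    Rule("Block IRC", "deny", "LAN", "WAN", proto="tcp", dst_port=6667),
    Rule("Allow Notes sync", "allow", "WAN", "LAN",
         src="203.0.113.10/32", dst="192.168.1.50/32", proto="tcp", dst_port=1352),
]


def build_ruleset(custom: List[Rule], defaults: List[Rule] = DEFAULT_RULES) -> List[Rule]:
    """Order the table most-specific first, so narrow custom rules sit
    above the broad Default rules they are meant to override."""
    return sorted(custom + defaults, key=Rule.specificity, reverse=True)


def evaluate(ruleset: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation, top to bottom. Returns (action, rule name)."""
    for rule in ruleset:
        if rule.matches(p):
            return rule.action, rule.name
    return "deny", "no rule matched"   # not reached while the catch-all is present


if __name__ == "__main__":
    table = build_ruleset(CUSTOM_RULES)
    for r in table:
        print(f"{r.specificity():3d}  {r.action:5s}  {r.name}")
    print(evaluate(table, Packet("LAN", "WAN", "192.168.1.20", "198.51.100.5", "tcp", 6667)))
    print(evaluate(table, Packet("WAN", "LAN", "203.0.113.11", "192.168.1.50", "tcp", 1352)))
```

The ordering is what makes the override safe: a LAN host opening TCP 6667 to the Internet hits "Block IRC" before the broad "Default LAN->WAN" allow, while a Notes connection from any Internet host other than 203.0.113.10 falls through to "Default WAN->LAN" and is denied. This is also why the Alert above matters: a custom rule written too broadly (for example, an allow from WAN to LAN with no host or port restriction) would sort to the same level as the Default rules and silently remove the protection they provide.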