Chapter 15 Firewall Configuration
2Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
3Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
4Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.
5Does this rule conflict with any existing rules?
6Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.
15.3.3Key Fields For Configuring Rules
15.3.3.1 Action
Should the action be to Drop, Reject or Permit?
"“Drop” means the firewall silently discards the packet. “Reject” means the firewall discards packets and sends an ICMP
15.3.3.2Service
Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Appendix F on page 417 for more information on predefined services.
15.3.3.3 Source Address
What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
15.3.3.4 Destination Address
What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
15.4 Connection Direction
This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN.
LAN to LAN/ Router, WAN to WAN/ Router and DMZ to DMZ/ Router rules apply to packets coming in on the associated interface (LAN, WAN or DMZ respectively). LAN to LAN/ Router means policies for
| 209 |
|
|