Understanding the Network Access Rules Hierarchy

To determine whether packets are allowed through the SonicWALL firewall appliance, each SonicWALL checks the destination IP address, source IP address, and port against the firewall rules.

NOTE: Firewall rules take precedence over the default Firewall functions. Because it is possible to disable all protection or block all access to the Internet, use caution when creating or deleting network access rules.

Network access rules do not disable protection from Denial of Service attacks such as SYN Flood, Ping of Death, LAND, and so on. However, it is possible to create vulnerabilities to attacks that exploit application weaknesses. It is important to consider the purpose and ramifications of a rule before adding it to the firewall rule list.

Use the following guidelines to determine the rule logic:

• What is the purpose of the rule? For example, “This rule will restrict all Internet Relay Chat (IRC) access from the LAN (WorkPort) to the Internet.” Or, “This rule will allow a remote Lotus Notes server to synchronize with our internal Notes server through the Internet.”
• Does the rule allow or deny traffic?
• What is the flow of the traffic: LAN (WorkPort) to Internet or Internet to LAN (WorkPort)?
• Which IP services are affected?
• Which computers on the LAN (WorkPort) are affected?
• Which computers on the Internet are affected?

Be as specific as possible. For example, if traffic is being allowed from the Internet to the LAN (WorkPort), it is better to only allow specific computers to access the LAN or WorkPort.

After determining the logic of the rule, consider the ramifications:

• Does this rule stop LAN (WorkPort) users from accessing important resources on the Internet? For example, if IRC is blocked, are there users who require this service?
• Can the rule be modified to be more specific? For example, if IRC is blocked for all users, is a rule that only blocks certain users more effective?
• Does this rule allow Internet users to access LAN or WorkPort resources in a way that makes the LAN vulnerable? For example, if NetBIOS ports (UDP 137, 138, 139) are allowed from the Internet to the LAN, Internet users might be able to connect to PCs that have file sharing enabled.
• Does this rule conflict with other rules?

The rule hierarchy uses two basic concepts:

• Specific rules override general rules.
• Equally specific Deny rules override Allow rules.

For example: a rule defining a specific service is more specific than the Default rule; a defined Ethernet link, such as LAN (WorkPort) or WAN, is more specific than * (all); and a single IP address is more specific than an IP address range.

Rules are listed in the LAN (WorkPort) Interface window from most specific to least specific, and rules at the top override rules listed below. To illustrate this, consider the rules shown below:

Table 31. Sample Rules

#  Action  Service       Source                                Destination
1  Deny    Chat (IRC)    206.18.25.4 (LAN)                     148.178.90.55 (WAN)
2  Allow   Ping          199.2.23.0 - 199.2.23.255 (WAN)       206.18.25.4 (LAN)
3  Deny    Web (HTTP)    216.37.125.0 - 216.37.125.255 (WAN)   *
4  Allow   Lotus Notes   WAN                                   LAN (WorkPort)
5  Deny    News (NNTP)   LAN (WorkPort)                        *
6  Deny    Default       *                                     LAN (WorkPort)
7  Allow   Default       LAN (WorkPort)                        *

The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN (WorkPort) out to the WAN. However, Rule #5 blocks all NNTP traffic from the LAN (WorkPort). The Default Deny Rule (#6) blocks traffic from the WAN to the LAN (WorkPort). However, Rule #4 overrides part of this rule by allowing Lotus Notes into the LAN (WorkPort) from the WAN.
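The hierarchy above, worked through in code as an added example (this is not SonicWALL's implementation): the rules of Table 31 are ranked by the stated specificity order (named service over Default, single IP over range over interface over *, Deny over Allow on ties) and a packet is matched against the ranked list top-down, so the first hit decides. The endpoint notation, the zone names LAN/WAN, the packet tuple and the fall-through Deny are assumptions of this example.

```python
import ipaddress

# Constructed rule set mirroring Table 31. Endpoint syntax is an assumption:
# a single IP, a "lo-hi" range, an interface name, or "*" for all.
RULES = [
    ("Deny",  "IRC",   "206.18.25.4",                 "148.178.90.55"),
    ("Allow", "Ping",  "199.2.23.0-199.2.23.255",     "206.18.25.4"),
    ("Deny",  "HTTP",  "216.37.125.0-216.37.125.255", "*"),
    ("Allow", "Notes", "WAN",                         "LAN"),
    ("Deny",  "NNTP",  "LAN",                         "*"),
    ("Deny",  "*",     "*",                           "LAN"),   # Default Deny
    ("Allow", "*",     "LAN",                         "*"),     # Default Allow
]
ZONES = {"LAN", "WAN"}

def endpoint_rank(ep):
    """Single IP (3) > IP range (2) > interface (1) > * (0), per the hierarchy."""
    if ep == "*":
        return 0
    if ep in ZONES:
        return 1
    return 2 if "-" in ep else 3

def specificity(rule):
    """Sort key: named service beats Default, then endpoint ranks, then Deny beats Allow."""
    action, service, src, dst = rule
    return (service != "*", endpoint_rank(src) + endpoint_rank(dst), action == "Deny")

def endpoint_matches(ep, ip, zone):
    if ep == "*":
        return True
    if ep in ZONES:
        return ep == zone
    addr = ipaddress.ip_address(ip)
    if "-" in ep:
        lo, hi = (ipaddress.ip_address(p) for p in ep.split("-"))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(ep)

def ranked_order(rules=RULES):
    """Rule numbers (1-based) from most to least specific, as the window lists them."""
    return [i for i, _ in sorted(enumerate(rules, 1), key=lambda r: specificity(r[1]), reverse=True)]

def decide(packet, rules=RULES):
    """First matching rule in ranked order wins; packet = (service, src_ip, src_zone, dst_ip, dst_zone)."""
    service, src_ip, src_zone, dst_ip, dst_zone = packet
    for n in ranked_order(rules):
        action, svc, src, dst = rules[n - 1]
        if svc in ("*", service) and endpoint_matches(src, src_ip, src_zone) \
                and endpoint_matches(dst, dst_ip, dst_zone):
            return action, n
    return "Deny", 0  # assumption: nothing matched, treat the packet as dropped
```

Running `ranked_order()` reproduces the 1..7 order of Table 31, and `decide(("NNTP", "10.0.0.5", "LAN", "198.51.100.1", "WAN"))` returns `("Deny", 5)`, showing Rule #5 winning over the Default Allow rule below it.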