
Firewall > Access Rules

This chapter provides an overview of the SonicWALL security appliance's stateful packet inspection default access rules, together with configuration examples for customizing access rules to meet your business requirements.

Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.

The SonicOS Firewall > Access Rules page provides a sortable access rule management interface. The subsequent sections provide high-level overviews on configuring access rules by zones and configuring bandwidth management using access rules:

 
“Stateful Packet Inspection Default Access Rules Overview”
 
“Using Bandwidth Management with Access Rules Overview”
 
“Access Rule Configuration Task List”

Stateful Packet Inspection Default Access Rules Overview

By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the “Default” stateful packet inspection access rule enabled in the SonicWALL security appliance:

 
Allow all sessions originating from the LAN or WLAN to the WAN or DMZ (except when the destination is the IP address of the SonicWALL appliance’s own WAN interface).
 
Allow all sessions originating from the DMZ to the WAN.
 
Deny all sessions originating from the WAN to the DMZ.
 
Deny all sessions originating from the WAN and DMZ to the LAN or WLAN.

Additional network access rules can be defined to extend or override the default access rules. For example, access rules can be created that allow access from the LAN zone to the WAN Primary IP address, or block certain types of traffic such as IRC from the LAN to the WAN, or allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized users on the LAN.

Custom access rules evaluate the source IP address, destination IP address, and IP protocol type of network traffic and compare them to the access rules created on the SonicWALL security appliance. Network access rules take precedence over, and can override, the SonicWALL security appliance’s stateful packet inspection. For example, an access rule that blocks IRC traffic takes precedence over the SonicWALL security appliance’s default setting of allowing this type of traffic.

 
Caution
The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.
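The precedence described above, as an added example that is not SonicOS code: a small model in which custom rules (most specific first) override the default zone policy, including the exception for traffic aimed at the appliance's own WAN interface IP. The rule set, the IP addresses and the WAN interface address are constructed for illustration.

```python
# Added example, not SonicOS code: a minimal model of how custom access rules
# override the default stateful packet inspection zone policy described above.
from dataclasses import dataclass

# Default zone policy from the overview: zone pairs whose sessions are allowed.
DEFAULT_ALLOW = {
    ("LAN", "WAN"), ("LAN", "DMZ"), ("WLAN", "WAN"), ("WLAN", "DMZ"),
    ("DMZ", "WAN"),
}
WAN_INTERFACE_IP = "203.0.113.1"  # constructed placeholder for the appliance's own WAN IP

@dataclass
class Rule:
    action: str              # "Allow" or "Deny"
    src_zone: str
    dst_zone: str
    service: str = "Any"     # "Any" is a wildcard in the three fields below
    source: str = "Any"      # address object, modelled as a single IP here
    destination: str = "Any"

    def matches(self, src_zone, dst_zone, service, src_ip, dst_ip):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.service in ("Any", service)
                and self.source in ("Any", src_ip)
                and self.destination in ("Any", dst_ip))

    def specificity(self):
        # The Access Rules table lists the most specific rules first; count
        # the fields that are not wildcards.
        return sum(f != "Any" for f in (self.service, self.source, self.destination))

def default_action(src_zone, dst_zone, dst_ip):
    """The 'Default' stateful packet inspection rule, including the exception
    for traffic aimed at the appliance's own WAN interface IP."""
    if (src_zone, dst_zone) in DEFAULT_ALLOW and dst_ip != WAN_INTERFACE_IP:
        return "Allow"
    return "Deny"

def evaluate(rules, src_zone, dst_zone, service, src_ip, dst_ip):
    """Custom rules take precedence over the default policy; among custom
    rules the most specific matching rule wins."""
    for rule in sorted(rules, key=Rule.specificity, reverse=True):
        if rule.matches(src_zone, dst_zone, service, src_ip, dst_ip):
            return rule.action
    return default_action(src_zone, dst_zone, dst_ip)

# Constructed rule set mirroring the examples given in the text.
RULES = [
    Rule("Deny", "LAN", "WAN", service="IRC"),
    Rule("Allow", "LAN", "WAN", service="HTTPS", destination=WAN_INTERFACE_IP),
    Rule("Allow", "WAN", "LAN", service="Lotus Notes",
         source="198.51.100.7", destination="10.0.0.25"),
]

if __name__ == "__main__":
    for flow in [("LAN", "WAN", "IRC", "10.0.0.5", "192.0.2.10"),
                 ("LAN", "WAN", "HTTP", "10.0.0.5", "192.0.2.10"),
                 ("LAN", "WAN", "HTTPS", "10.0.0.5", WAN_INTERFACE_IP),
                 ("LAN", "WAN", "HTTP", "10.0.0.5", WAN_INTERFACE_IP),
                 ("WAN", "LAN", "Lotus Notes", "198.51.100.7", "10.0.0.25"),
                 ("WAN", "LAN", "Lotus Notes", "198.51.100.8", "10.0.0.25")]:
        print(flow, "->", evaluate(RULES, *flow))
```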

Using Bandwidth Management with Access Rules Overview

Bandwidth management (BWM) allows you to assign guaranteed and maximum bandwidth to services and prioritize traffic on all BWM-enabled interfaces. Using access rules, BWM can be applied on specific network traffic. Packets belonging to a bandwidth management enabled policy will be queued in the corresponding priority queue before being sent on the bandwidth management-enabled interface. All other packets will be queued in the default queue and will be sent in a First In and First Out (FIFO) manner (a storage method that retrieves the item stored for the longest time).

Example Scenario

If you create an access rule for outbound mail traffic (such as SMTP) and enable bandwidth management with the following parameters:

 
Guaranteed bandwidth of 20%
 
Maximum bandwidth of 40%
 
Priority of 0 (zero)

The outbound SMTP traffic is guaranteed 20% of the available bandwidth and can use as much as 40% of it. If SMTP traffic is the only BWM-enabled rule:

 
When SMTP traffic is using its maximum configured bandwidth (which is the 40% maximum described above), all other traffic gets the remaining 60% of bandwidth.
 
When SMTP traffic is using less than its maximum configured bandwidth, all other traffic gets between 60% and 100% of the link bandwidth.

Now consider adding the following BWM-enabled rule for FTP:

 
Guaranteed bandwidth of 60%
 
Maximum bandwidth of 70%
 
Priority of 1

When configured along with the previous SMTP rule, the traffic behaves as follows:

 
60% of total bandwidth is always reserved for FTP traffic (because of its guarantee). 20% of total bandwidth is always reserved for SMTP traffic (because of its guarantee).
 
SMTP traffic can use up to 40% of total bandwidth (because it has a higher priority than FTP), which, when combined with FTP’s 60% guarantee, results in no other traffic being sent, because all 100% of the bandwidth is being used by higher priority traffic.
 
If SMTP traffic drops to only 10% of total bandwidth, then FTP can use up to 70% and all other traffic gets the remaining 20%.
 
If SMTP traffic stops, FTP gets 70% and all other traffic gets the remaining 30% of bandwidth.
 
If FTP traffic has stopped, SMTP gets 40% and all other traffic gets the remaining 60% of bandwidth.
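The SMTP and FTP scenario above, as an added example that is not SonicOS code: a model in which every BWM class first receives its guarantee, spare capacity is then offered in priority order up to each maximum, and the remainder goes to the default FIFO queue. The demand figures are constructed; the guarantee, maximum and priority values are the ones given in the text.

```python
# Added example, not SonicOS code: a model of how guaranteed bandwidth, maximum
# bandwidth and priority interact, checked against the SMTP + FTP scenario above.
from dataclasses import dataclass

@dataclass
class BwmRule:
    name: str
    guaranteed: int   # percent of the link always reserved for this class
    maximum: int      # percent of the link this class may never exceed
    priority: int     # 0 is the highest priority

def allocate(rules, demand):
    """Return {rule name: percent of link allocated, "other": percent left for
    the default FIFO queue}.  `demand` maps a rule name to the percent of the
    link that class currently wants; names missing from it are idle."""
    if sum(r.guaranteed for r in rules) > 100:
        raise ValueError("guarantees exceed the link capacity")
    alloc, remaining = {}, 100
    # 1. Every BWM class first receives its guarantee (as much of it as it uses).
    for r in rules:
        alloc[r.name] = min(demand.get(r.name, 0), r.guaranteed)
        remaining -= alloc[r.name]
    # 2. Spare capacity is offered to BWM classes in priority order, each one
    #    taking what it still wants up to its maximum.
    for r in sorted(rules, key=lambda x: x.priority):
        wanted = demand.get(r.name, 0) - alloc[r.name]
        extra = max(0, min(wanted, r.maximum - alloc[r.name], remaining))
        alloc[r.name] += extra
        remaining -= extra
    # 3. Whatever is left goes to traffic without a BWM rule (default queue).
    alloc["other"] = remaining
    return alloc

SMTP = BwmRule("SMTP", guaranteed=20, maximum=40, priority=0)
FTP = BwmRule("FTP", guaranteed=60, maximum=70, priority=1)

if __name__ == "__main__":
    # Constructed demand figures: 100 means the class wants the whole link.
    print(allocate([SMTP, FTP], {"SMTP": 100, "FTP": 100}))  # SMTP 40, FTP 60, other 0
    print(allocate([SMTP, FTP], {"SMTP": 10, "FTP": 100}))   # SMTP 10, FTP 70, other 20
    print(allocate([SMTP, FTP], {"FTP": 100}))               # FTP 70, other 30
    print(allocate([SMTP, FTP], {"SMTP": 100}))              # SMTP 40, other 60
```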
 
Note
When the Bandwidth Management Type on the Firewall Services > BWM page is set to WAN: access rules using bandwidth management have a higher priority than access rules not using bandwidth management. Access rules without bandwidth management are given the lowest priority. When the Bandwidth Management Type is set to Global, the default priority is Medium (4).
 
Tip
You must configure Bandwidth Management individually for each interface on the Network > Interfaces page. Click the Configure icon for the interface, and select the Advanced tab. Enter your available egress and ingress bandwidths in the Available interface Egress Bandwidth (Kbps) and Available interface Ingress Bandwidth (Kbps) fields, respectively.

This applies when the Bandwidth Management Type on the Firewall Services > BWM page is set to either WAN or Global.

Access Rule Configuration Task List

This section provides a list of the following configuration tasks:

 
Displaying Access Rules with View Styles
 
Configuring Access Rules for a Zone
 
Adding Access Rules
 
Editing an Access Rule
 
Deleting an Access Rule
 
Enabling and Disabling an Access Rule
 
Restoring Access Rules to Default Zone Settings
 
Displaying Access Rule Traffic Statistics
 
Connection Limiting Overview
 
Access Rule Configuration Examples

Displaying Access Rules with View Styles

Access rules can be displayed in multiple views using SonicOS Enhanced. You can select the type of view from the selections in the View Style section. The following View Styles are available:

 
All Rules - Select All Rules to display all access rules configured on the SonicWALL security appliance.
 
Matrix - Displays a From/To grid with LAN, WAN, VPN, or another interface in the From row, and LAN, WAN, VPN, or another interface in the To column. Select the Edit icon in a table cell to view the access rules for that zone pair.
 
Drop-down Boxes - Displays two pull-down menus: From Zone and To Zone. Select an interface from the From Zone menu and an interface from the To Zone menu. Click OK and the access rules defined for the two interfaces are displayed.
 
Tip
You can also view access rules by zones. Use the Option checkboxes in the From Zone and To Zone columns. Select LAN, WAN, VPN, or ALL from the From Zone column, and then select LAN, WAN, VPN, or ALL from the To Zone column. Click OK to display the access rules.

Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.

Configuring Access Rules for a Zone

To display the Access Rules for a specific zone, select a zone from the Matrix, Drop-down Boxes, or All Rules view.

The access rules are sorted from the most specific at the top to the least specific at the bottom of the table. At the bottom of the table is the Any rule. The default access rule covers all IP services except those listed in the Access Rules page. Access rules can be created to override the behavior of the Any rule; for example, the Any rule allows users on the LAN to access all Internet services, including NNTP News.

You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority window is displayed. Enter the new priority number (1-10) in the Priority field, and click OK.

 
Tip
If the Delete or Edit icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.

Adding Access Rules

To add access rules to the SonicWALL security appliance, perform the following steps:

Step 1
Click Add at the bottom of the Access Rules table. The Add Rule window is displayed.
Step 2
In the General tab, select Allow | Deny | Discard from the Action list to permit or block IP traffic.
Step 3
Select the from and to zones from the From Zone and To Zone menus.
Step 4
Select the service or group of services affected by the access rule from the Service list. The Default service encompasses all IP services.
If the service is not listed, you must define the service in the Add Service window. Select Create New Service or Create New Group to display the Add Service window or Add Service Group window.
Step 5
Select the source of the traffic affected by the access rule from the Source list. Selecting Create New Network displays the Add Address Object window.
Step 6
If you want to define the source IP addresses that are affected by the access rule, such as restricting certain users from accessing the Internet, type the starting IP address of the address range in the Address Range Begin field and the ending IP address in the Address Range End field. To include all IP addresses, type * in the Address Range Begin field.
Step 7
Select the destination of the traffic affected by the access rule from the Destination list. Selecting Create New Network displays the Add Address Object window.
Step 8
From the Users Allowed menu, add the user or user group affected by the access rule.
Step 9
Select a schedule from the Schedule menu. The default schedule is Always on.
Step 10
Enter any comments to help identify the access rule in the Comments field.
Step 11
The Allow Fragmented Packets check box is enabled by default. Large IP packets are often divided into fragments before they are routed over the Internet and then reassembled at the destination host. One reason to disable this setting is that IP fragmentation can be exploited in Denial of Service (DoS) attacks.
Step 12
Click on the Advanced tab.
Step 13
If you want the access rule to time out after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Connection Inactivity Timeout (minutes) field. The default value is 5 minutes.
Step 14
If you want the access rule to time out after a period of UDP inactivity, set the amount of time, in minutes, in the UDP Connection Inactivity Timeout (minutes) field. The default value is 30 minutes.
Step 15
Specify the number of connections allowed as a percent of maximum number of connections allowed by the SonicWALL security appliance in the Number of connections allowed (% of maximum connections) field. Refer to Connection Limiting Overview for more information on connection limiting.
Step 16
Select Create a reflexive rule if you want to create a matching access rule to this one in the opposite direction, from your destination zone or address object to your source zone or address object.
Step 17
Click on the QoS tab if you want to apply DSCP or 802.1p Quality of Service management to traffic governed by this rule. See “802.1p and DSCP QoS” for more information on managing QoS marking in access rules.
Step 18
Under DSCP Marking Settings select the DSCP Marking Action. You can select None, Preserve, Explicit, or Map. Preserve is the default.
 
None: DSCP values in packets are reset to 0.
 
Preserve: DSCP values in packets will remain unaltered.
 
Explicit: Set the DSCP value to the value you select in the Explicit DSCP Value field. This is a numeric value between 0 and 63. Some of the standard values are:
 
0 - Best effort/Default (default)
 
8 - Class 1
 
10 - Class 1, Gold (AF11)
 
12 - Class 1, Silver (AF12)
 
14 - Class 1, Bronze (AF13)
 
16 - Class 2
 
18 - Class 2, Gold (AF21)
 
20 - Class 2, Silver (AF22)
 
22 - Class 2, Bronze (AF23)
 
24 - Class 3
 
26 - Class 3, Gold (AF31)
 
27 - Class 3, Silver (AF32)
 
30 - Class 3, Bronze (AF33)
 
32 - Class 4
 
34 - Class 4, Gold (AF41)
 
36 - Class 4, Silver (AF42)
 
38 - Class 4, Bronze (AF43)
 
40 - Express Forwarding
 
46 - Expedited Forwarding (EF)
 
48 - Control
 
56 - Control
 
Map: The QoS mapping settings on the Firewall > QoS Mapping page will be used. See “802.1p and DSCP QoS” for instructions on configuring the QoS Mapping. If you select Map, you can select Allow 802.1p Marking to override DSCP values.
Step 19
Under 802.1p Marking Settings select the 802.1p Marking Action. You can select None, Preserve, Explicit, or Map. None is the default.
 
None: No 802.1p tagging is added to the packets.
 
Preserve: 802.1p values in packets will remain unaltered.
 
Explicit: Set the 802.1p value to the value you select in the Explicit 802.1p Value field. This is a numeric value between 0 and 7. The standard values are:
 
0 - Best effort (default)
 
1 - Background
 
2 - Spare
 
3 - Excellent effort
 
4 - Controlled load
 
5 - Video (<100ms latency)
 
6 - Voice (<10ms latency)
 
7 - Network control
 
Map: The QoS mapping settings on the Firewall > QoS Mapping page will be used. See “802.1p and DSCP QoS” for instructions on configuring the QoS Mapping.
Step 20
Click OK to add the rule.
 
Tip
Although custom access rules can be created that allow inbound IP traffic, the SonicWALL security appliance does not disable protection from DoS attacks, such as the SYN Flood and Ping of Death attacks.
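The DSCP Marking Actions from Step 18, as an added example that is not SonicOS code: it derives the Assured Forwarding code points from their class and drop precedence (RFC 2597, AFxy = 8x + 2y) and shows which bits of the IP TOS byte each action rewrites, leaving the two ECN bits untouched. The QoS Mapping table used for the Map action is assumed to be a plain dictionary keyed by 802.1p value; it is a constructed stand-in, not the page's own mapping.

```python
# Added example, not SonicOS code: a model of the DSCP Marking Actions and of
# where the DSCP field sits inside the IPv4 TOS byte.

def af_code_points():
    """Assured Forwarding DSCP values (RFC 2597): the class occupies the high
    three bits and the drop precedence the next two, so AFxy = 8*x + 2*y."""
    names = {0: "Best effort/Default", 46: "Expedited Forwarding (EF)"}
    for cls in range(1, 5):
        names[cls * 8] = f"Class {cls}"
        for drop, label in enumerate(("Gold", "Silver", "Bronze"), start=1):
            names[cls * 8 + 2 * drop] = f"Class {cls}, {label} (AF{cls}{drop})"
    return names

def mark_dscp(tos_byte, action, explicit=None, dscp_map=None, pcp=None):
    """Apply a DSCP Marking Action to an IPv4 TOS byte and return the result.
    DSCP is the high six bits; the low two bits (ECN) are never modified."""
    ecn, current = tos_byte & 0x03, tos_byte >> 2
    if action == "None":            # reset the DSCP value to 0
        dscp = 0
    elif action == "Preserve":      # leave the packet's value unaltered
        dscp = current
    elif action == "Explicit":      # use the configured Explicit DSCP Value
        if explicit is None or not 0 <= explicit <= 63:
            raise ValueError("Explicit DSCP Value must be between 0 and 63")
        dscp = explicit
    elif action == "Map":           # assumption: QoS Mapping table keyed by the frame's 802.1p value
        if dscp_map is None or pcp not in dscp_map:
            raise ValueError("Map requires a QoS mapping entry for the 802.1p value")
        dscp = dscp_map[pcp]
    else:
        raise ValueError(f"unknown DSCP Marking Action: {action}")
    return (dscp << 2) | ecn

if __name__ == "__main__":
    # Constructed input: a packet already marked EF (46) with the ECN bits set to 01.
    tos = (46 << 2) | 0b01
    print(mark_dscp(tos, "None"))                                  # 1
    print(mark_dscp(tos, "Preserve"))                              # 185
    print(mark_dscp(tos, "Explicit", explicit=26))                 # 105 (AF31)
    print(mark_dscp(tos, "Map", dscp_map={5: 34}, pcp=5))          # 137 (AF41)
    print(af_code_points()[26])                                    # Class 3, Gold (AF31)
```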

Editing an Access Rule

To display the Edit Rule window (includes the same settings as the Add Rule window), click the Edit icon.

Deleting an Access Rule

To delete an individual access rule, click its Delete icon. To delete all access rules whose checkboxes are selected, click the Delete button.

Enabling and Disabling an Access Rule

To enable or disable an access rule, click the Enable checkbox.

Restoring Access Rules to Default Zone Settings

To remove all end-user configured access rules for a zone, click the Default button. This restores the access rules for the selected zone to the default access rules initially set up on the SonicWALL security appliance.

Displaying Access Rule Traffic Statistics

Move your mouse pointer over the Graph icon to display the following access rule receive (Rx) and transmit (Tx) traffic statistics:

 
Rx Bytes
 
Rx Packets
 
Tx Bytes
 
Tx Packets

Connection Limiting Overview

The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such SonicOS features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the SonicWALL using Access Rules as a classifier, and declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic.

Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted->Untrusted traffic (i.e. LAN->WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.

In addition to mitigating the propagation of worms and viruses, connection limiting can be used to alleviate other types of connection-cache resource consumption issues, such as those posed by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools.

 
Note
The maximum number of connections a SonicWALL security appliance can support depends on the specific configuration, including whether App Flow is enabled and whether an external collector is configured, as well as the physical capabilities of the particular SonicWALL security appliance model. For more information see the “Connections” section.

Finally, connection limiting can be used to protect publicly available servers (e.g. Web servers) by limiting the number of legitimate inbound connections permitted to the server (i.e. to protect the server against the Slashdot effect). This is different from SYN flood protection, which attempts to detect and prevent partially open or spoofed TCP connections. This will be most applicable for Untrusted traffic, but it can be applied to any zone traffic as needed.

Connection limiting is applied by defining a percentage of the total maximum allowable connections that may be allocated to a particular type of traffic. The above figures show the default LAN->WAN setting, where all available resources may be allocated to LAN->WAN (any source, any destination, any service) traffic.

More specific rules can be constructed; for example, to limit the percentage of connections that can be consumed by a certain type of traffic (e.g. FTP traffic to any destination on the WAN), or to prioritize important traffic (e.g. HTTPS traffic to a critical server) by allowing 100% to that class of traffic, and limiting general traffic to a smaller percentage (minimum allowable value is 1%).
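The percentage-of-cache model described above, as an added example that is not SonicOS code: each access rule acts as a classifier with its own share of the connection cache, so a single class opening connections at worm-like rates fills only its own share and leaves room for the rest. The cache size, the rule names, the percentages and the burst size are constructed for illustration (the 5,120 attempts figure is the Sasser rate quoted in the text).

```python
# Added example, not SonicOS code: a model of connection limiting, where each
# access rule is a classifier allotted a percentage of the connection cache.
from collections import Counter

class ConnectionCache:
    def __init__(self, max_connections):
        self.max_connections = max_connections
        self.in_use = Counter()   # rule name -> connections currently open
        self.limits = {}          # rule name -> percent of the cache allowed

    def add_rule(self, name, percent):
        # "Number of connections allowed (% of maximum connections)"; 1% is the minimum.
        if not 1 <= percent <= 100:
            raise ValueError("percentage must be between 1 and 100")
        self.limits[name] = percent

    def allowed(self, rule):
        return self.max_connections * self.limits[rule] // 100

    def open(self, rule):
        """Admit a new connection classified under `rule`, or refuse it when the
        class has used its share of the cache or the whole cache is full."""
        if self.in_use[rule] >= self.allowed(rule):
            return False
        if sum(self.in_use.values()) >= self.max_connections:
            return False
        self.in_use[rule] += 1
        return True

    def close(self, rule):
        if self.in_use[rule] > 0:
            self.in_use[rule] -= 1

def simulate_burst(cache, rule, attempts):
    """Count how many of `attempts` connection openings under one rule succeed,
    e.g. one host opening connections at worm-like rates."""
    return sum(cache.open(rule) for _ in range(attempts))

def build_example_cache(max_connections=8000):
    # Constructed policy in the spirit of the text: general LAN->WAN traffic
    # capped at 25%, FTP to the WAN at 10%, HTTPS to a critical server at 100%.
    cache = ConnectionCache(max_connections)
    cache.add_rule("LAN->WAN any", 25)
    cache.add_rule("LAN->WAN FTP", 10)
    cache.add_rule("WAN->DMZ HTTPS critical-server", 100)
    return cache

if __name__ == "__main__":
    cache = build_example_cache()
    # A single infected host attempting 5,120 connections within one second.
    print(simulate_burst(cache, "LAN->WAN any", 5120))      # 2000: 25% of 8000
    # The critical HTTPS server still gets connections; the cache is not exhausted.
    print(cache.open("WAN->DMZ HTTPS critical-server"))      # True
```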

 
Note
It is not possible to use IPS signatures as a connection limiting classifier; only Access Rules (i.e. Address Objects and Service Objects) are permissible.

Access Rule Configuration Examples

This section provides configuration examples on adding network access rules:

 
Enabling Ping
 
Blocking LAN Access for Specific Services
 
Allowing WAN Primary IP Access from the LAN Zone
 
Enabling Bandwidth Management on an Access Rule

Enabling Ping

This section provides a configuration example for an access rule that allows devices on the DMZ to send ping requests to, and receive ping responses from, devices on the LAN. By default your SonicWALL security appliance does not allow traffic initiated from the DMZ to reach the LAN. Once you have placed one of your interfaces into the DMZ zone, perform the following steps from the Firewall > Access Rules window to configure an access rule that allows devices in the DMZ to send ping requests and receive ping responses from devices in the LAN.

Step 1
Click Add to launch the Add Rule window.
Step 2
Select the Allow radio button.
Step 3
From the Service menu, select Ping.
Step 4
From the Source menu, select DMZ Subnets.
Step 5
From the Destination menu, select LAN Subnets.
Step 6
Click OK.

Blocking LAN Access for Specific Services

This section provides a configuration example for an access rule blocking LAN access to NNTP servers on the Internet during business hours.

Perform the following steps to configure an access rule blocking LAN access to NNTP servers based on a schedule:

Step 1
Click Add to launch the Add window.
Step 2
Select Deny from the Action settings.
Step 3
Select NNTP from the Service menu. If the service is not listed, you must add it in the Add Service window.
Step 4
Select Any from the Source menu.
Step 5
Select WAN from the Destination menu.
Step 6
Select the schedule from the Schedule menu.
Step 7
Enter any comments in the Comment field.
Step 8
Click Add.

Allowing WAN Primary IP Access from the LAN Zone

By creating an access rule, it is possible to allow access to a management IP address in one zone from a different zone on the same SonicWALL appliance. For example, you can allow HTTP/HTTPS management or ping to the WAN IP address from the LAN side. To do this, you must create an access rule to allow the relevant service between the zones, giving one or more explicit management IP addresses as the destination. Alternatively, you can provide an address group that includes single or multiple management addresses (e.g. WAN Primary IP, All WAN IP, All X1 Management IP) as the destination. This type of rule allows the HTTP Management, HTTPS Management, SSH Management, Ping, and SNMP services between zones.

 
Note
Access rules can only be set for inter-zone management. Intra-zone management is controlled per interface by settings in the interface configuration.

To create a rule that allows access to the WAN Primary IP from the LAN zone:

Step 1
On the Firewall > Access Rules page, display the LAN > WAN access rules.
Step 2
Click Add to launch the Add window.
Step 3
Select Allow from the Action settings.
Step 4
Select one of the following services from the Service menu:
 
HTTP
 
HTTPS
 
SSH Management
 
Ping
 
SNMP
Step 5
Select Any from the Source menu.
Step 6
Select an address group or address object containing one or more explicit WAN IP addresses from the Destination menu.
 
Note
Do not select an address group or object representing a subnet, such as WAN Primary Subnet. This would allow access to devices on the WAN subnet (already allowed by default), but not to the WAN management IP address.
Step 7
Select the user or group to have access from the Users Allowed menu.
Step 8
Select the schedule from the Schedule menu.
Step 9
Enter any comments in the Comment field.
Step 10
Click Add.

Enabling Bandwidth Management on an Access Rule

Bandwidth management can be applied on both ingress and egress traffic using access rules. Access rules displaying the Funnel icon are configured for bandwidth management.

 
Tip
Do not configure bandwidth management on multiple interfaces in a zone where the configured guaranteed bandwidth for the zone is greater than the available bandwidth of the bound interface.

For more information on Bandwidth Management see “Firewall Settings > BWM”.