How to set a single firewall rule is covered in the user manual, so we won't cover that here. If you have lost your manual, you can download it from support.dlink.com. This FAQ answer will help you with setting multiple rules, understanding how these firewall rules are evaluated, and understanding whether or not your LAN is well protected.

In the DI-5xx/6xx products, the firewall is implemented using Network Address Translation (NAT) with two permanent rules that block unsolicited incoming packets and allow all outgoing packets. (Note: the NAT firewall does not evaluate LAN-to-LAN traffic, even if there are rules set.) These two permanent rules appear at the bottom of the list of firewall rules on the ADVANCED / FIREWALL configuration page. This list includes all of the rules currently in force on your firewall. By default, the list will have three rules. The optional "Allow to Ping WAN port" rule is set on the TOOLS / MISC page.

Examine the two default rules and see if you can understand why they do the following:

- Deny everything incoming from the WAN toward the LAN
- Allow everything outgoing from the LAN to the WAN

Armed with that knowledge, you can understand that right out of the box, your LAN is pretty secure from outside threats. One frequent inside threat is opening an attachment that spawns a virus that mails itself to others with the virus's own SMTP engine. For that, you can make a new rule that says:

Since mail is sent through port 25, this will prevent a virus from contacting other mail servers. But a problem with this rule is that it will also block your legitimate outgoing mail. So find out the IP address of your mail server, and do this:

Now your rules look like:

When your firewall evaluates a packet, it applies the rules from the top down. Only the first rule that matches the packet is obeyed; the rest of the rules below it are ignored.
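As an added illustration (not part of this FAQ or of D-Link's firmware), here is a small Python model of the top-down, first-match evaluation described above, loaded with the port-25 rules from this example and the two permanent rules; the LAN subnet 192.168.0.0/24 and the mail server address 203.0.113.25 are assumed values. The `shadowed()` check reports any rule that an earlier, overlapping rule prevents from ever firing.

```python
# Added example (not from the D-Link FAQ) modelling the DI-5xx/6xx top-down,
# first-match rule list. LAN subnet 192.168.0.0/24 and mail server 203.0.113.25 are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAN = ip_network("192.168.0.0/24")   # assumed LAN subnet
MAILSERVER = "203.0.113.25"          # assumed (placeholder) mail server on the WAN side

@dataclass(frozen=True)
class Rule:
    name: str
    src_side: str            # "LAN" or "WAN": the side the packet comes from
    dst_ip: Optional[str]    # None = any destination address
    dst_port: Optional[int]  # None = any destination port
    action: str              # "allow" or "deny"

def side(ip: str) -> str:
    return "LAN" if ip_address(ip) in LAN else "WAN"

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) for one packet; LAN-to-LAN is never evaluated."""
    if side(src) == "LAN" and side(dst) == "LAN":
        return ("not evaluated", None)
    for r in rules:  # top of the list first
        if r.src_side != side(src):
            continue
        if r.dst_ip is not None and r.dst_ip != dst:
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        return (r.action, r.name)  # first match wins; everything below is ignored
    return ("deny", None)  # not reachable while the permanent rules are present

def covers(upper: Rule, lower: Rule) -> bool:
    """True when every packet matching `lower` would already match `upper`."""
    return (upper.src_side == lower.src_side
            and upper.dst_ip in (None, lower.dst_ip)
            and upper.dst_port in (None, lower.dst_port))

def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule overlaps them."""
    return [r.name for i, r in enumerate(rules) if any(covers(u, r) for u in rules[:i])]

PERMANENT = [Rule("Default Deny", "WAN", None, None, "deny"),
             Rule("Default Allow", "LAN", None, None, "allow")]
# The FAQ's worked example: permit SMTP only to the known mail server.
CORRECT = [Rule("Allow mail server", "LAN", MAILSERVER, 25, "allow"),
           Rule("Block SMTP", "LAN", None, 25, "deny")] + PERMANENT
REVERSED = [CORRECT[1], CORRECT[0]] + PERMANENT  # the mistake the FAQ warns about
```

Running `shadowed(REVERSED)` names the "Allow mail server" rule, which is exactly why swapping the two rules silently breaks legitimate mail.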
So now you can also understand why, if those top two rules were in the reverse order, no outgoing mail would succeed, even though you listed your mail server. Although you can set new rules on this page, understand that other rules also appear here for features that you have enabled through Options, IP Filters, Virtual Servers, Applications, UPnP, or the DMZ. Regardless of how a rule was entered, the list is applied from top to bottom and only one rule will be obeyed. If a rule higher on the list overlaps a rule lower on the list, the lower rule will never be executed.

This is, by the way, how the DMZ option works. It creates a rule that overlaps the Default Deny rule, permitting all traffic to be sent to the LAN IP that you specified on ADVANCED / DMZ. Since that new rule overlaps the Default Deny rule, the Default Deny rule is never executed and no incoming packets are blocked.

Summary of Key Concepts:

- The rules on the ADVANCED / FIREWALL list include rules set on that page, as well as rules created through Options, IP Filters, Virtual Servers, Applications, UPnP, or the DMZ
- Regardless of how a rule was set, the rules are always applied from the top down, and only the first rule that matches the packet will be followed
- The firewall only filters traffic passing between the WAN and LAN. It will not filter traffic from LAN to LAN, even if a rule is set.
- The permanent default rules at the bottom of the list help ensure that your network, by default, is protected from outside threats.

Related:

- /faq/11894

by funchords