The Deny All rule is by far the most important rule for protecting local
networks. With this rule the Firewall operates according to the principle:
“All actions which are not explicitly allowed remain forbidden!”
Only with this strategy can the administrator be sure not to have “forgotten”
an access method, because the only accesses that exist are those he has
opened explicitly himself.
We recommend setting up the Deny All rule before connecting the LAN to the
Internet via a LANCOM. You can then analyse in the logging table (started
e.g. via LANmonitor) which connection attempts have been blocked by the
Firewall. With the help of this information the Firewall and the “Allow
rules” can be extended step by step.
Some typical applications are shown in the following.
Note: All filters described here can be installed very conveniently with
the Firewall wizard and, if necessary, refined further with e.g. LANconfig.
- Example configuration “Basic Internet”

| Rule name | Source | Destination | Action | Service (target port) |
|---|---|---|---|---|
| ALLOW_HTTP | Local network | All stations | transmit | HTTP, HTTPS |
| ALLOW_FTP | Local network | All stations | transmit | FTP |
| ALLOW_EMAIL | Local network | All stations | transmit | MAIL, NEWS |
| ALLOW_DNS_FORWARDING | Local network | IP address of LANCOM (or: Local network) | transmit | DNS |
| DENY_ALL | All stations | All stations | reject | ANY |
- If you want to permit VPN dial-in to a LANCOM acting as VPN gateway, you
need a Firewall rule allowing incoming communication from the client to the
local network:

| Rule | Source | Destination | Action | Service |
|---|---|---|---|---|
| ALLOW_VPN_DIAL_IN | remote site name | Local network | transmit | ANY |
- If a VPN is not terminated by the LANCOM itself (e.g. a VPN client in the
local network, or the LANCOM acting as Firewall in front of a separate VPN
gateway), you additionally have to allow the IPSec and/or PPTP ports (PPTP
for the “IPSec over PPTP” mode of the LANCOM VPN Client):

| Rule | Source | Destination | Action | Service (target port) |
|---|---|---|---|---|
| ALLOW_VPN | VPN Client | VPN Server | transmit | IPSEC, PPTP |
- For ISDN or V.110 dial-in (e.g. from an HSCSD mobile phone) you have to
allow the particular remote site (see also ):

| Rule | Source | Destination | Action | Service |
|---|---|---|---|---|
| ALLOW_DIAL_IN | remote site name | Local network | transmit | ANY |
- For a network coupling you additionally permit communication between the
networks involved:

| Rule | Source | Destination | Action | Service |
|---|---|---|---|---|
| ALLOW_LAN1_TO_LAN2 | LAN1 | LAN2 | transmit | ANY |
| ALLOW_LAN2_TO_LAN1 | LAN2 | LAN1 | transmit | ANY |
ALLOW_LAN2_TO_LAN1
|
LAN2
|
LAN1
|
transmit
|
ANY
|
- If you operate e.g. your own web server, you selectively allow access to
that server:

| Rule | Source | Destination | Action | Service (target port) |
|---|---|---|---|---|
| ALLOW_WEBSERVER | ANY | Webserver | transmit | HTTP, HTTPS |
- For diagnostic purposes it is helpful to allow ICMP (e.g. ping):

| Rule | Source | Destination | Action | Service |
|---|---|---|---|---|
| ALLOW_PING | Local network | ANY | transmit | ICMP |
These rules can now be refined as needed, e.g. by specifying minimum and
maximum bandwidths for the server access, or by restricting them more finely
to certain services, stations or remote sites.
Note: The LANCOM automatically sorts Firewall rules when creating the filter
list. The rules are sorted into the filter list according to their level of
detail: all specific rules are considered first, then the general ones (e.g.
Deny All). In the case of complex rule sets, examine the filter list as
described in the following section.
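As an added example (not LANCOM's own code or configuration), the following Python models the “Basic Internet” rule set above together with the sorting by level of detail described in the note, and records blocked attempts the way the logging table does. The LAN 192.168.1.0/24, the router address 192.168.1.1 and the port numbers behind the service names are constructed assumptions.

```python
# Added illustration, not LANCOM's own code: a toy evaluator for the
# "Basic Internet" rule set. Rules are ordered by level of detail, as the
# LANCOM does when building its filter list, so DENY_ALL ends up last and
# everything not explicitly allowed falls through to it and gets logged.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")              # "All stations"
LOCAL_NET = ip_network("192.168.1.0/24")       # constructed sample LAN
LANCOM_IP = ip_network("192.168.1.1/32")       # constructed router address
ANY_SERVICE = frozenset()                      # empty set = service ANY

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str                 # "transmit" or "reject"
    ports: frozenset            # target ports; ANY_SERVICE matches all

    def specificity(self) -> int:
        # Narrower networks and named services make a rule more specific.
        return self.src.prefixlen + self.dst.prefixlen + (1 if self.ports else 0)

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and (not self.ports or port in self.ports))

# Port numbers for the service names are an assumed sample mapping.
RULES = [
    Rule("DENY_ALL", ANY_NET, ANY_NET, "reject", ANY_SERVICE),
    Rule("ALLOW_HTTP", LOCAL_NET, ANY_NET, "transmit", frozenset({80, 443})),
    Rule("ALLOW_FTP", LOCAL_NET, ANY_NET, "transmit", frozenset({21})),
    Rule("ALLOW_EMAIL", LOCAL_NET, ANY_NET, "transmit", frozenset({25, 110, 119})),
    Rule("ALLOW_DNS_FORWARDING", LOCAL_NET, LANCOM_IP, "transmit", frozenset({53})),
]

def build_filter_list(rules):
    """Specific rules first, general ones (Deny All) last."""
    return sorted(rules, key=Rule.specificity, reverse=True)

def evaluate(filter_list, src, dst, port, log):
    """Action of the first matching rule; blocked attempts go to the log."""
    for rule in filter_list:
        if rule.matches(src, dst, port):
            if rule.action == "reject":
                log.append(f"{rule.name}: {src} -> {dst}:{port} blocked")
            return rule.action
    return "reject"   # unreachable while DENY_ALL is present; safe default
```

Reviewing the log after a test run shows which legitimate traffic still needs an Allow rule (here, DNS to an external server and unsolicited inbound HTTP are both dropped by DENY_ALL).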