To achieve the maximum degree of security and control over data traffic, we recommend that you initially block all data transfers through the firewall and then selectively enable only those functions and communication paths that are actually required. This also provides protection against, for example, Trojan horses or e-mail viruses that actively establish an outgoing connection on certain ports.
The "deny-all" rule is by far the most important rule for the protection of your LAN. With this rule the firewall acts according to the principle "Anything not explicitly allowed is forbidden." This is the only strategy with which the administrator can be certain that no possibility of access has been overlooked, because only those points of access that have been explicitly allowed are available.
We recommend that you set the deny-all rule before attaching the LAN to the Internet via the device. You can then use the logging table (which can be launched from LANmonitor) to see which connections have been blocked by the firewall, and use this information to successively add "allow" rules to the firewall.
Some typical applications are shown below.
Note: The filters described here are easily set up with the Firewall Wizard. If necessary, they can be further refined with LANconfig, for example.
- Sample configuration "Basic Internet":

| Rule name | Source | Destination | Action | Service (target port) |
|---|---|---|---|---|
| ALLOW_HTTP | Local network | All stations | Transmit | HTTP, HTTPS |
| ALLOW_FTP | Local network | All stations | Transmit | FTP |
| ALLOW_EMAIL | Local network | All stations | Transmit | MAIL, NEWS |
| ALLOW_DNS_FORWARDING | Local network | Router IP address (option: Local network) | Transmit | DNS |
| DENY_ALL | All stations | All stations | Reject | ANY |
- If you want to allow VPN dial-in to a device acting as a VPN gateway, you need a firewall rule that allows incoming communication from the client to the local network:

| Rule name | Source | Destination | Action | Service |
|---|---|---|---|---|
| ALLOW_VPN_DIAL_IN | Remote site name | Local network | Transmit | ANY |
- If a VPN is not terminated by the device itself (e.g. a VPN client in the local network, or the device is a firewall in front of a separate VPN gateway), you also need to allow IPSec and/or PPTP (for the 'IPSec over PPTP' used by the LANCOM VPN client):

| Rule name | Source | Destination | Action | Service (target port) |
|---|---|---|---|---|
| ALLOW_VPN | VPN client | VPN server | Transmit | IPSEC, PPTP |
- If you allow ISDN dial-in or V.110 dial-in (e.g. via an HSCSD mobile phone), you must allow the particular remote site:

| Rule name | Source | Destination | Action | Service |
|---|---|---|---|---|
| ALLOW_DIAL_IN | Remote site name | Local network | Transmit | ANY |
- For connectivity between networks, you also have to allow communication between the participating networks in both directions:

| Rule name | Source | Destination | Action | Service |
|---|---|---|---|---|
| ALLOW_LAN1_TO_LAN2 | LAN1 | LAN2 | Transmit | ANY |
| ALLOW_LAN2_TO_LAN1 | LAN2 | LAN1 | Transmit | ANY |
- If you operate your own web server, you selectively allow access to that server only:

| Rule name | Source | Destination | Action | Service (target port) |
|---|---|---|---|---|
| ALLOW_WEBSERVER | ANY | Web server | Transmit | HTTP, HTTPS |
- For diagnostic purposes, it is recommended that you enable the ICMP protocol (e.g. for the ping command):

| Rule name | Source | Destination | Action | Service |
|---|---|---|---|---|
| ALLOW_PING | Local network | All stations | Transmit | ICMP |
These rules can now be refined as required, for example by specifying minimum and maximum bandwidths for server access, or by restricting them more granularly to certain services, stations or remote sites.
Important: When the filter list is set up, the device automatically sorts the firewall rules according to their level of detail. The most specific rules are processed first, followed by the general ones (e.g. deny-all). A rule set without a deny-all rule has no defined outcome for unmatched traffic, so always keep it in place. For complex rule sets, check the resulting filter list as described in the following section.
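The following Python model, added here as an illustration and not code from LANCOM or the device firmware, evaluates the "Basic Internet" rule set from the table above against a few constructed sample connections. It shows two things the text states: that with a deny-all rule in place every connection not matched by an explicit allow rule (a DNS query that bypasses the router, an outgoing connection on an unlisted port, an unsolicited inbound request) is rejected, and why the device's automatic sort by level of detail matters, since the same rules evaluated with DENY_ALL first would reject everything. The service-to-port mapping, the addresses used for "Local network" and "Router IP address", and the sample connections are assumptions made for the demo.

```python
"""Deny-all firewall policy model with first-match evaluation and sorting by
level of detail.  Added illustration, not LANCOM code; the service-to-port
mapping and the sample addresses below are assumptions for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed port mapping for the service names used in the tables above.
SERVICES = {
    "HTTP":  {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "FTP":   {("tcp", 21)},
    "MAIL":  {("tcp", 25), ("tcp", 110), ("tcp", 143)},   # SMTP, POP3, IMAP
    "NEWS":  {("tcp", 119)},
    "DNS":   {("udp", 53), ("tcp", 53)},
    "ICMP":  {("icmp", None)},
    "ANY":   None,                                         # wildcard service
}

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed "Local network"
ROUTER_IP = ipaddress.ip_network("192.168.1.1/32")   # assumed router address
ALL = ipaddress.ip_network("0.0.0.0/0")              # "All stations"


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                # "transmit" (allow) or "reject"
    services: tuple            # names from SERVICES

    def ports(self) -> Optional[set]:
        """(proto, port) pairs this rule covers; None means every service."""
        out = set()
        for s in self.services:
            if SERVICES[s] is None:
                return None
            out |= SERVICES[s]
        return out

    def matches(self, src, dst, proto, port) -> bool:
        if src not in self.src or dst not in self.dst:
            return False
        covered = self.ports()
        return covered is None or (proto, port) in covered or (proto, None) in covered

    def specificity(self) -> tuple:
        """Level of detail: narrower address ranges and explicit services rank higher."""
        return (self.src.prefixlen + self.dst.prefixlen, 0 if self.ports() is None else 1)


# The "Basic Internet" rule set from the table above, in table order.
BASIC_INTERNET = [
    Rule("ALLOW_HTTP",           LOCAL_NET, ALL,       "transmit", ("HTTP", "HTTPS")),
    Rule("ALLOW_FTP",            LOCAL_NET, ALL,       "transmit", ("FTP",)),
    Rule("ALLOW_EMAIL",          LOCAL_NET, ALL,       "transmit", ("MAIL", "NEWS")),
    Rule("ALLOW_DNS_FORWARDING", LOCAL_NET, ROUTER_IP, "transmit", ("DNS",)),
    Rule("DENY_ALL",             ALL,       ALL,       "reject",   ("ANY",)),
]


def sort_rules(rules):
    """Most specific first, the general deny-all last (the device does this automatically)."""
    return sorted(rules, key=lambda r: r.specificity(), reverse=True)


def first_match(rules, src, dst, proto, port=None):
    """Walk the rules in the given order; the first hit decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(src, dst, proto, port):
            return r.name, r.action
    raise LookupError("no rule matched: the rule set lacks a deny-all rule")


def evaluate(rules, src, dst, proto, port=None):
    """Evaluate against the sorted filter list, as the device does."""
    return first_match(sort_rules(rules), src, dst, proto, port)


if __name__ == "__main__":
    # Constructed sample connections: source, destination, protocol, target port.
    samples = [
        ("192.168.1.10", "93.184.216.34", "tcp", 443),   # browsing: allowed
        ("192.168.1.10", "192.168.1.1",   "udp", 53),    # DNS via the router: allowed
        ("192.168.1.10", "8.8.8.8",       "udp", 53),    # DNS bypassing the router: rejected
        ("192.168.1.10", "203.0.113.5",   "tcp", 6667),  # outgoing connection on an unlisted port: rejected
        ("203.0.113.5",  "192.168.1.10",  "tcp", 80),    # unsolicited inbound request: rejected
    ]
    for s in samples:
        print(s, "->", evaluate(BASIC_INTERNET, *s))
    # Same rules, DENY_ALL first and no sorting: even browsing is rejected.
    unsorted = [BASIC_INTERNET[-1]] + BASIC_INTERNET[:-1]
    print("unsorted, deny first:", first_match(unsorted, *samples[0]))
```

The model deliberately raises an error when no rule matches at all, which is exactly the situation a missing deny-all rule leaves undefined; in the real device you avoid it by keeping DENY_ALL in the rule set rather than relying on an implicit default.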