Firewall Rules

A guide to understanding simple firewall rules

Article by Mark Boyd www.simpleit.tumblr.com

Thursday, 23 June 2011

The basics of a firewall rule

Almost all of the information in the piece below is information disseminated from www.sans.org and its affiliates. My experience is in the Managed Services Provider sector, more specifically, the Education vertical.

Understanding firewall rules:

Source > Destination > Traffic Type > Allow / Deny. There you have it, you now understand firewalls. Move along people, nothing to see here. Or is there? In this article, I will talk briefly about how a basic firewall rule works. I won’t be talking about packet inspection, I won’t be talking about NAT and its intricacies; there’s plenty of information on the old interwebs1 about that. Firewalls can be big complex beasts; this article might be seen as a “for dummies” guide to just one topic inside a firewall.

You will find this article is general in nature; it doesn’t go into a huge amount of detail. This article is largely brand agnostic. If you are looking for a shameless plug for a reputable firewall company, I recommend Fortinet. Fortinet firewalls are well-priced, feature-full firewalls from SOHO to enterprise. I use Fortinet because they are powerful, quick and secure. For more information on Fortinet gear, visit the Fortinet website.

Alright, let’s get started. As always, decide what you are trying to achieve. In this example we want to block all traffic from 192.168.1.0 out to the internet except web traffic, and allow 172.16.0.0 traffic out to the internet.

Now we arrive at pseudo code. Don’t be afraid: I have preached before that programming is the square root of everything evil and nasty, and I maintain that disposition; however, writing something out logically (pseudo code) is helpful. It spells out what you are trying to do, in order. Let’s try it.

- Source Traffic: 172.16.0.0 /16, Destination: Anywhere (0.0.0.0), Traffic type: Any, Action: Allow

- Source Traffic: 192.168.1.0 /24, Destination: Anywhere (0.0.0.0), Traffic type: port 80, Action: Allow

- Explicitly deny any other traffic

Looks simple enough? Good. But make sure you understand some common IT lingo:

- Common service ports (port 80 for HTTP, port 443 for HTTPS, port 53 for DNS, etc.)

- Common subnet allocations for IPv4: /16 = 255.255.0.0, /24 = 255.255.255.0 and so on

- What the 0.0.0.0 IP address designation is and how to use it.

Confused? Remember the rule: source > destination > traffic type > allow / deny. Think about these statements if you get confused making firewall rules.

- All firewall rules are in essence just an access control list.

- All access control lists can be converted “logically” into an “if then else” type statement.

- Remember that all access control lists / firewall rules end with an explicit deny rule.

- If your firewall rule doesn’t work, think about whether your traffic actually matches the rule.

- Most useful of all: most good firewalls log allow / deny decisions, and the logs are your friend.
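To make the “if then else” idea concrete, here is an added example (my own code, not part of the original article) that models the three pseudo-code rules above as an ordered access list, walks it first-match-wins, and logs every decision. The Rule fields, rule names and sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # CIDR; 0.0.0.0/0 is the article's "anywhere"
    destination: str       # CIDR
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means any port
    action: str            # "allow" or "deny"

# Constructed rule table for the article's scenario, in order: first match wins.
RULES = [
    Rule("allow-172-16-out", "172.16.0.0/16", "0.0.0.0/0", "any", None, "allow"),
    Rule("allow-192-168-1-web", "192.168.1.0/24", "0.0.0.0/0", "tcp", 80, "allow"),
    Rule("explicit-deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    """Source > destination > traffic type: a rule applies only if every field matches."""
    if ip_address(src) not in ip_network(rule.source):
        return False
    if ip_address(dst) not in ip_network(rule.destination):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.port is not None and rule.port != port:
        return False
    return True

def evaluate(src: str, dst: str, proto: str, port: int,
             rules: List[Rule] = RULES, log: Optional[List[str]] = None) -> Tuple[str, str]:
    """Walk the list top to bottom (the article's if / then / else) and return
    (action, rule name). Every decision is appended to `log`, allows included,
    because when a rule "doesn't work" the log shows which rule the traffic hit."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            if log is not None:
                log.append(f"{rule.action.upper()} {src}->{dst} {proto}/{port} by {rule.name}")
            return rule.action, rule.name
    # Only reached if the list lacks a trailing catch-all; treat that as a deny too.
    return "deny", "implicit-deny"

if __name__ == "__main__":
    log: List[str] = []
    for pkt in [("172.16.5.9", "203.0.113.10", "udp", 53),
                ("192.168.1.20", "203.0.113.10", "tcp", 80),
                ("192.168.1.20", "203.0.113.10", "tcp", 443)]:
        evaluate(*pkt, log=log)
    print("\n".join(log))
```

Note that 192.168.1.0/24 traffic on port 443 falls through to the explicit deny, because the second rule only lists port 80; that is exactly the “does my traffic match the rule?” question the log answers.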

Next article: Top tools for top administrators

1 (Deviate for a second, Microsoft Word doesn’t believe interwebs is a word, it is now, and I implore you to add it to your dictionaries)