Description: This document uses examples to illustrate the options for configuring filter rules in a LANCOM router.

Requirements:

Assumption: There are two basic strategies for configuring a firewall: the 'ALLOW ALL' approach and the 'DENY ALL' approach. An 'ALLOW ALL' strategy permits unrestricted communication through the firewall; restrictions are then set up for the relevant services or stations. A 'DENY ALL' strategy blocks all communication, and individual workstations are then exempted from the block. By default, LANCOM employs the 'ALLOW ALL' strategy in its stateful inspection firewall, meaning that the firewall allows all correctly operating IP communication without any additional firewall rules having to be configured.

Both strategies have their uses, depending on the situation at hand: The deny-all approach is useful for connections to the Internet. At the IP level, full control is then maintained over all communication with the Internet as an insecure medium. Working with this method ensures that the only services which can be used are those explicitly allowed by the firewall administrator. This configuration minimizes the risk of permitting undesirable communication by mistake.

The allow-all approach is suitable for low-risk connections such as direct dial-in connections between two company offices. In this case, all services should be available to all stations ("allow all"), and the comprehensive functions of a firewall are not required. Under certain circumstances it may still make sense to place restrictions on certain stations or services (e.g. to restrict access to certain servers or particular services in order to prevent connections being established). Most cases require a combination of both approaches.
Procedure: Configuration should be carried out with the use of LANconfig.
Example: A LANCOM router connects the company network at its main office to the Internet via ADSL. This Internet connection is also used to create a link to the branch office over a dynamic VPN tunnel. The router's firewall is to be configured to meet the following requirements.

1. Stations in the local network (192.168.100.0 / 255.255.255.0) should only be allowed to use certain services in the Internet (DNS name resolution, e-mail services, WWW access). One workstation (192.168.100.115) should be completely excluded from accessing the Internet.

2. Access to the branch network (192.168.200.0) should be allowed and transparent for all IP communication. One server in the main office network (192.168.100.100) is to be allowed to establish connections on its own only to the server in the branch network (192.168.200.100). Connections from this server to other stations in the branch network are to be blocked.
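The following Python model is an added example, not part of the original document or of LANconfig: it encodes the requirements above as an ordered, first-match rule list and evaluates sample connection attempts against it, so the interplay of the deny-all strategy (towards the Internet) and the allow-all strategy (towards the branch) can be checked before the rules are entered in the router. The rule names, the service port numbers and the Internet host 203.0.113.10 are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

def net(cidr):
    return ipaddress.ip_network(cidr)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset = None  # destination ports; None means any port

    def matches(self, src_ip, dst_ip, port):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.ports is None or port in self.ports))

ANY, MAIN, BRANCH = net("0.0.0.0/0"), net("192.168.100.0/24"), net("192.168.200.0/24")
# Assumed port numbers for the services named in the example (DNS, e-mail, WWW).
SERVICES = frozenset({53, 25, 110, 143, 80, 443})

# Rules are checked top-down and the first match decides. Specific exceptions come
# first. ALLOW-BRANCH is the allow-all strategy for the trusted VPN link (assumed
# not to count as "Internet", so it sits above the block for PC .115); the closing
# DENY-ALL rule is the deny-all strategy towards the Internet. Names are constructed.
RULES = [
    Rule("SRV-TO-BRANCH-SRV", "allow", net("192.168.100.100/32"), net("192.168.200.100/32")),
    Rule("SRV-BRANCH-DENY",   "deny",  net("192.168.100.100/32"), BRANCH),
    Rule("ALLOW-BRANCH",      "allow", MAIN, BRANCH),
    Rule("DENY-PC-115",       "deny",  net("192.168.100.115/32"), ANY),
    Rule("ALLOW-SERVICES",    "allow", MAIN, ANY, SERVICES),
    Rule("DENY-ALL",          "deny",  ANY, ANY),
]

def evaluate(src, dst, port, rules=RULES):
    """Return (action, rule name) for a connection attempt from src to dst:port."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action, rule.name
    return "deny", "IMPLICIT"   # nothing matched: fall back to deny

if __name__ == "__main__":
    # 203.0.113.10 is a constructed (documentation-range) Internet host.
    for flow in [("192.168.100.10", "203.0.113.10", 443),
                 ("192.168.100.10", "203.0.113.10", 22),
                 ("192.168.100.115", "203.0.113.10", 80),
                 ("192.168.100.100", "192.168.200.100", 1433),
                 ("192.168.100.100", "192.168.200.20", 80),
                 ("192.168.100.20", "192.168.200.20", 445)]:
        print(flow, "->", evaluate(*flow))
```

Reordering the list (for example moving DENY-ALL to the top) changes the outcome of every flow, which is exactly why the rule order in the router matters as much as the individual rules.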
Configuration:

Step 1: DENY-ALL towards the Internet

First add a new rule called 'DENY ALL'