Description:

This article describes the peculiarities which have to be taken into consideration for firewall rule inheritance in a LANCOM R&S®Unified Firewall.



Rules:

  • Rules in a network object are inherited by a connected host object.
  • An inherited DENY rule always takes precedence over a configured ALLOW rule.



Example for rule inheritance:

1) Desktop:

In a network there is the network object INTRANET and the connected host object Workstation.



2) Network object:

The connection between the network object INTRANET and the Internet (LANCOM_Internet-Access) allows HTTP and HTTPS and blocks ICMP.

As the Unified Firewall operates according to the DENY ALL principle, all communication is blocked initially. In this case, communication via ICMP is therefore already blocked without a separate rule, so a separate rule to block ICMP is not needed and, in most cases, not practical either.

Only in individual cases can it be useful to block a certain port explicitly (e.g. when a port range is allowed and it has to be ensured that a certain port from this range stays blocked).

[Screenshot: connection settings of the network object INTRANET to the Internet (Internet access, NAT rules, URL/content filtering, application-based routing)]


3) Host object:

The connection between the host object Workstation and the Internet allows ICMP.

[Screenshot: connection settings of the host object Workstation to the Internet (NAT, URL/content filtering, application filtering, routing, traffic shaping)]


4) Result:

  • Communication via HTTP and HTTPS from the host object Workstation to the Internet is allowed due to the rules inherited from INTRANET.
  • Communication via ICMP from the host object Workstation to the Internet is blocked: the DENY rule inherited from INTRANET always comes before the ALLOW rule configured on Workstation.
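As an added illustration (this is not part of the LANCOM article and not LANCOM code), the following Python model reproduces the evaluation order the article states: a host object inherits the rules of its network object, any DENY (own or inherited) wins over any ALLOW, and everything not explicitly allowed falls under DENY ALL. The object names INTRANET and Workstation and the services HTTP, HTTPS and ICMP come from the article; the host name AppServer, the port range 8000-8100 and port 8080 are constructed values used only to show the "individual case" mentioned in step 2.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified model of the rule inheritance described in the
# article. It is NOT LANCOM code; it covers only the case
# "network object -> connected host object" towards the Internet.


@dataclass
class FirewallObject:
    name: str
    allow: set = field(default_factory=set)      # services explicitly allowed
    deny: set = field(default_factory=set)       # services explicitly blocked
    parent: Optional["FirewallObject"] = None    # network object a host is connected to


def effective_rules(obj: FirewallObject):
    """Merge the object's own rules with those inherited from its network object(s)."""
    allow, deny = set(), set()
    node = obj
    while node is not None:
        allow |= node.allow
        deny |= node.deny
        node = node.parent
    return allow, deny


def decide(obj: FirewallObject, service: str) -> str:
    """Return ALLOW or DENY for one service from obj to the Internet.

    Evaluation order as the article states it:
      1. any DENY (own or inherited) wins over any ALLOW,
      2. otherwise an ALLOW (own or inherited) permits the traffic,
      3. otherwise the DENY ALL default applies.
    """
    allow, deny = effective_rules(obj)
    if service in deny:
        return "DENY"
    if service in allow:
        return "ALLOW"
    return "DENY"  # DENY ALL default


def tcp_range(first: int, last: int) -> set:
    """Expand a TCP port range into individual service tokens such as 'TCP/8080'."""
    return {f"TCP/{p}" for p in range(first, last + 1)}


def build_example(block_icmp_on_network: bool) -> FirewallObject:
    """INTRANET network object with the connected host object Workstation.

    block_icmp_on_network=True reproduces the article's configuration
    (explicit ICMP DENY on INTRANET); False shows the same setup without it.
    """
    intranet = FirewallObject("INTRANET", allow={"HTTP", "HTTPS"})
    if block_icmp_on_network:
        intranet.deny.add("ICMP")
    return FirewallObject("Workstation", allow={"ICMP"}, parent=intranet)


def build_port_range_example() -> FirewallObject:
    """The 'individual case': a port range is allowed, one port in it must stay blocked.

    Host name, range and port are constructed values, not from the article.
    """
    intranet = FirewallObject("INTRANET", allow=tcp_range(8000, 8100), deny={"TCP/8080"})
    return FirewallObject("AppServer", parent=intranet)


if __name__ == "__main__":
    for flag in (True, False):
        ws = build_example(block_icmp_on_network=flag)
        print(f"INTRANET blocks ICMP explicitly: {flag}")
        for svc in ("HTTP", "HTTPS", "ICMP", "SSH"):
            print(f"  {ws.name} -> Internet {svc:<5}: {decide(ws, svc)}")
    srv = build_port_range_example()
    for svc in ("TCP/8000", "TCP/8080", "TCP/9000"):
        print(f"{srv.name} -> Internet {svc}: {decide(srv, svc)}")
```

Running the script makes the article's caveat visible: with the explicit ICMP DENY on INTRANET, the ALLOW configured on Workstation never takes effect, whereas without that DENY the host's ALLOW works as intended and ICMP from other hosts in INTRANET is still blocked by the DENY ALL default. The port-range object shows the one situation where an explicit DENY is useful: TCP/8000 is allowed by the range, TCP/8080 stays blocked, and TCP/9000 outside the range is denied by default.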