7.2. Firewall Access Policy Rule Sets

Figure 7.1. Access Policies

Access Policies

Access policy rules provide access control because they define which packets are permitted and which are denied. A firewall access policy consists of a set of rules. Each packet is analysed and its elements compared against elements in the rules of the policy sequentially, from top to bottom. The first rule that matches the packet has its configured action applied, and any processing specified in the rule's configured options is performed.

Each rule has a standard set of rule elements against which packet characteristics are compared. These rule elements, displayed as fields in the rule, include the packet's source address (Source), its destination address (Destination), its protocol and port numbers (Service), the interface it is passing through (Interface), its direction of travel (Direction), and the time of its arrival (Time). For example, if a packet entering the firewall has a source address that matches the object in the Source field of the rule, its destination address matches the object in the Destination field, its protocol and port numbers match the object in the Service field, the interface it passes through matches the interface object in the Interface field, its direction matches that specified in the Direction field, and the time of its arrival matches that specified in the Time field, then the firewall takes the actions specified in the Action field and applies the options specified in the Options field. A field where a value of "Any" or "All" is specified is considered to match all packets for that rule element.

For example, in Figure 7.1, rule #0 is "anti-spoofing": it denies all packets coming through the outside interface with source address claiming to be that of the firewall itself or internal network it protects. This rule utilizes interface and direction matching in addition to the source address. Rule #2 says that connection from the internal network (network object net- to the firewall itself (object firewall) using ssh is allowed (action Accept). The "Catch all" rule #6 denies all packets that have not been matched by any rule above it. The access policy in Figure 7.1 is constructed to allow only specific services and deny everything else, which is a good practice.

By default, a rule matches on specified Source, Destination, and Service rule elements, matching all interfaces and traffic directions. If you want to restrict the effect of the rule to particular interfaces or traffic directions, you must specify the restriction in the rule.

7.2.1. Source and Destination

The Source and Destination rule elements allow you to match a packet to a rule based on the packet's source and destination IP address.

Configure these rule elements by dragging some combination of addressable objects into the field from the object tree.

  • Specify a specific IPv4 address by dragging and dropping an IPv4 address object.

  • Specify a specific IPv6 address by dragging and dropping an IPv6 address object.

  • Specify all the IP addresses on a host by dragging and dropping a host object.

  • Specify a range of IP addresses by dragging and dropping an address range object.

  • Specify a particular subnet by dragging and dropping a network object.

  • Specify an address configured as DNS "A" record for a given host name by dragging and dropping DNS name object.

  • Specify a set of different object types by simply dragging and dropping multiple addressable objects into the field.

  • Define a group object composed of different address objects and drag and drop the group object into the field.

Section 5.2 describes how to work with address objects.

In addition, you can exclude, or "negate," a source or destination address by dragging it into the field, then right-clicking and selecting Negate from the context menu. In the example presented in Figure 7.2, the RFC 1918 address range object has been excluded from the rule; as a result, the rule matches any destination address except addresses within the private address space.

Figure 7.2. Destination Matches Any RFC 1918 IP Address

Destination Matches Any RFC 1918 IP Address


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.