104 CHAPTER 7: SETTING A POLICY
Rules are arranged in order of precedence, from the most specific to the
most general, and the first rule that matches a connection decides its fate.
For example, if you block all FTP traffic in one rule and allow a machine
with a specific IP address to use FTP in another rule, then the second rule
is the more specific of the two: it overrides the first and is displayed above it.
The table is divided into columns as follows:
Rule Number (#)
Rules are numbered consecutively by precedence. When you add a rule, the
Firewall inserts it into the list at the position appropriate to the breadth
of its scope rather than appending it at the end, so the number of a rule can
change as other rules are added.
When evaluating rules, the Firewall uses the following criteria:
1 A rule defining a specific service is more specific than the default rule.
2 A defined Ethernet link, such as LAN, WAN, or DMZ, is more specific than
* (all).
3 A single IP address is more specific than an IP address range.
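The following is an added example, not part of the 3Com manual and not the
Firewall's own implementation. It models the precedence behaviour described
above: each rule is scored on the three criteria (service, interface, source
address), the table is ordered most-specific-first, and the first matching
rule decides. The rule set, the class and function names, and the addresses
are all hypothetical, chosen to reproduce the "block all FTP, allow one host"
case from the text.

```python
"""Added example (not the manual's own code): a small model of the
rule-precedence behaviour described in the chapter. Rules are ranked by
specificity (service, interface, source address) and evaluated
most-specific-first; the first matching rule decides. All names and the
sample policy are hypothetical."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "Allow" or "Deny"
    service: str       # e.g. "FTP", "HTTP"; "Default" means all traffic
    source_if: str     # "LAN", "WAN", "DMZ" or "*" (all interfaces)
    source_addr: str   # "*", a single IP address, or a CIDR range

    def specificity(self):
        """Higher tuples sort as more specific, following the three criteria:
        specific service > Default, named interface > *, host > range > *."""
        svc = 0 if self.service == "Default" else 1
        iface = 0 if self.source_if == "*" else 1
        if self.source_addr == "*":
            addr = 0
        elif ipaddress.ip_network(self.source_addr, strict=False).num_addresses == 1:
            addr = 2   # single host
        else:
            addr = 1   # address range
        return (svc, iface, addr)

    def matches(self, service, ifname, src_ip):
        """True if a connection for `service` arriving on `ifname` from
        `src_ip` falls within this rule's scope."""
        if self.service not in ("Default", service):
            return False
        if self.source_if not in ("*", ifname):
            return False
        if self.source_addr != "*":
            net = ipaddress.ip_network(self.source_addr, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return True


def order_rules(rules):
    """Return the rules numbered by precedence (most specific first), as the
    rule table displays them. sorted() is stable, so rules of equal
    specificity keep the order in which they were added."""
    return sorted(rules, key=lambda r: r.specificity(), reverse=True)


def evaluate(rules, service, ifname, src_ip):
    """Walk the ordered table and return the action of the first match.
    Fail closed if nothing matches."""
    for rule in order_rules(rules):
        if rule.matches(service, ifname, src_ip):
            return rule.action
    return "Deny"


# Constructed policy: deny all FTP, but allow one LAN host to use it;
# allow HTTP from the LAN subnet; deny everything else.
POLICY = [
    Rule("Deny", "FTP", "*", "*"),
    Rule("Allow", "FTP", "LAN", "192.168.1.10"),
    Rule("Allow", "HTTP", "LAN", "192.168.1.0/24"),
    Rule("Deny", "Default", "*", "*"),
]

if __name__ == "__main__":
    for number, rule in enumerate(order_rules(POLICY), 1):
        print(number, rule.action, rule.service, rule.source_if, rule.source_addr)
    print(evaluate(POLICY, "FTP", "LAN", "192.168.1.10"))   # Allow
    print(evaluate(POLICY, "FTP", "LAN", "192.168.1.11"))   # Deny
```

Running it prints the table with the host-specific FTP allow rule as rule 1
and the general FTP deny below it, which is the ordering the text describes.
The same ranking also places the HTTP range rule above the FTP deny rule,
since a named interface plus a range outranks a rule bound to no interface;
when auditing a real policy, check that such reorderings do not put an
allow rule above a deny rule you expected to win.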
Action
The Action for a rule can be set to either Allow or Deny traffic across the
Firewall. For security reasons, common protocols are often denied by a
general rule, and more specific Allow rules are then created to describe
exactly where those protocols are used legitimately.
Service
The Service for a rule shows the service (and hence the protocol) over
which the rule operates. A value of Default indicates that the rule
operates on all traffic. Other values for Service are defined in "Adding
and Deleting Services" on page 101.
Source
The Source of a rule indicates where the connection for that rule is
originated. The source can be set to LAN, DMZ, WAN, or a specific
address or range of addresses on one of those ports.
When a connection is made, a two-way conversation is initiated. When
allowing a PC on the LAN network port to communicate with a PC or
server on the WAN network port (for example, to browse using HTTP), it is
unnecessary (and inadvisable) to set a rule for the reverse journey. This
DUA1611-0AAA02.book Page 104 Thursday, August 2, 2001 4:01 PM