Questions about firewall rules
questions....

The top rule in my firewall is a rule where a range of IPs are ALLOWED access to the internet: Source IP Range, ALL SOURCE PORTS, ALL DESTINATION IP, ALL DESTINATION PORTS, ALLOW. For clarity we'll call it ALLOW INTERNET. It is the first rule in the firewall.

Rule 2 (we'll call it DENY GROUP 2): Say I have two other groups of devices in that IP subnet: Group 1 at 192.168.1.20 to .50 and another, Group 2, from 192.168.1.110 to .130.
I believe it is legal to create a rule where Group 2 is denied access to any IP in Group 1:
Rule 2: TCP/UDP, SOURCE IP Range: Group 2, ALL SOURCE PORTS, DESTINATION IP Range: Group 1, ALL DESTINATION PORTS, DENY.

RULE 3 is at the bottom of the firewall rules; we'll call that the 'DENY ALL' rule: TCP/UDP, ALL SOURCE IP, ALL SOURCE PORTS, ALL DESTINATION IP, ALL DESTINATION PORTS, DENY.

Does this DENY ALL rule (presently at the bottom of the list, after the 'Group 2 Deny' rule) do the same thing as the Deny Group 2 rule would have done, if that Deny Group 2 rule had never been entered in the firewall at all?

I think so... just wanted confirmation.
Thank you!
 
Solution
TBH I couldn’t follow exactly what you wrote. But if the second rule is a superset of the rule above it (and has the same action) then you don’t need the rule above, unless you want to specifically know the hits for that subset.
Firewall rules are applied top to bottom and the first matching rule for a connection's src IP+port, dst IP+port, and protocol will be applied: action as per the matching rule.

Having two exact same rules with different actions will result in the upper most rule being triggered and its action applied. Having rules with overlapping criteria will result in the upper most rule being triggered etc.

The firewall rules don't care about subnets per se. You can have a LAN segment on a /24 (a.b.c.0-.255) but firewall rules can be written to treat the first /25 (.0-.127) differently to the second /25 (.128-.255). Or whatever you like, the firewall applies it to the connection's specific attributes not whatever notional subnet it may be in.

Provided that the router/firewall device always inspects the connections with the firewall module and doesn't assume: LAN-side source to known other LAN-side destination is just a routing in/out process and bypasses the firewall. But it shouldn't do this, the firewall processing should always be invoked.
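A small first-match evaluator, added here as an illustration and not code from the thread or from the Synology firewall, that models the three rules described above. It assumes a constructed source range for ALLOW INTERNET (the post does not give one) and shows that the verdicts are identical with or without DENY GROUP 2; only the hit counters differ.

```python
import ipaddress
from dataclasses import dataclass
ANY = ("0.0.0.0", "255.255.255.255")
def _in(ip, rng):  # inclusive dotted-quad range check
    lo, hi = (int(ipaddress.ip_address(b)) for b in rng)
    return lo <= int(ipaddress.ip_address(ip)) <= hi

@dataclass
class Rule:
    name: str
    action: str                      # "ALLOW" or "DENY"
    src: tuple = ANY                 # (first, last) source range
    dst: tuple = ANY                 # (first, last) destination range
    protos: frozenset = frozenset({"tcp", "udp"})
    hits: int = 0                    # times this rule was the first match

def evaluate(rules, src, dst, proto, default="DENY"):
    """Top-to-bottom, first match wins; only the matching rule records a hit."""
    for r in rules:
        if _in(src, r.src) and _in(dst, r.dst) and proto in r.protos:
            r.hits += 1
            return r.action, r.name
    return default, None             # implicit policy if nothing matched

# Ranges from the thread; the ALLOW INTERNET source range is a constructed assumption.
GROUP1, GROUP2 = ("192.168.1.20", "192.168.1.50"), ("192.168.1.110", "192.168.1.130")
INTERNET_CLIENTS = ("192.168.1.2", "192.168.1.19")

def build_rules(include_group2_deny=True):
    rules = [Rule("ALLOW INTERNET", "ALLOW", src=INTERNET_CLIENTS)]
    if include_group2_deny:
        rules.append(Rule("DENY GROUP 2", "DENY", src=GROUP2, dst=GROUP1))
    rules.append(Rule("DENY ALL", "DENY"))
    return rules

SAMPLE = [                           # constructed connections: (src, dst, proto)
    ("192.168.1.115", "192.168.1.25", "tcp"),   # Group 2 -> Group 1
    ("192.168.1.10", "8.8.8.8", "udp"),         # allowed client -> internet
    ("192.168.1.25", "192.168.1.115", "tcp"),   # Group 1 -> Group 2
    ("192.168.1.200", "1.1.1.1", "tcp"),        # host matched only by DENY ALL
]

def decisions(rules):
    return [evaluate(rules, *conn)[0] for conn in SAMPLE]

def compare():
    # Same verdicts with or without DENY GROUP 2; only the hit counters differ.
    with_r2, without_r2 = build_rules(True), build_rules(False)
    same = decisions(with_r2) == decisions(without_r2)
    return same, {r.name: r.hits for r in with_r2}, {r.name: r.hits for r in without_r2}
```

Keeping the narrower rule above DENY ALL changes nothing about which connections get through; it only attributes the Group 2 -> Group 1 hits to a named rule.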
 
So the 2nd rule did not need to be written, because the DENY ALL rule would have accomplished the same action; the 2nd rule was therefore redundant, and in this case the only reason to use it would be to provide "hit" information. Correct?
I'm Getting my mind wrapped around the DENY ALL capability.
 
That's what I was after. The DENY ALL rule covers and blocks EVERYTHING not specifically indicated as an ALLOW above it! Thank you. I was having trouble understanding the power and scope of DENY ALL!
So yes, for a while I'll leave it there, so as to show hits. Once I'm comfortable that nothing is going on, I will delete the rule, knowing that it will be part of DENY ALL. Thanks for clearing it up for me!
 