Questions about firewall rules

[Jan Janowski]

questions....

The top rule in my firewall is a rule where a rage of IP's are ALLOWED access to internet: Soruce IP Range, All SOURCE PORTS, ALL DESTINATION IP, ALL DESTINATION PORTS ALLOW.. For Clairity we'll call it ALLOW INTERNET.. It is the first rule in firewall

Rule 2 (We'll call DENY GROUP 2): Say I have two other groups of devices in that IP Subnet: Group one at 192.168.1.20 to .50 and another, Group 2, from 192.168.1.110 to .130
I believe it is legal to create a rule where group 2 is denied access to any IP in Group 1:
Rule 2: TCP/UDP. IP Range: Group 2, ALL SOURCE PORT, DESTINATION IP Range: Group 1, ALL DESTINATION PORT, DENY...

RULE 3 is at bottom of firewall rules: We'll call that: 'DENY ALL' rule: TCP/UDP ALL SOURCE IP, ALL SOURCE PORTS, ALL DESTINATION IP, ALL DESTINATION PORTS DENY.

does This DENY ALL Rule (Presently at bottom of list after the 'Group 2 Deny' rule)..
Does that Deny ALL rule do the same thing as the Deny Group 2 rule....??? if that Deny Group 2 rule had never been entered in the firewall at all?

I think so... just wanted confirmation....
Thank You!

 

[fredbert]

Firewall rules are applied top to bottom and the first matching rule for a connection's src IP+port, dst IP+port, and protocol will be applied: action as per the matching rule.

Having two exact same rules with different actions will result in the upper most rule being triggered and its action applied. Having rules with overlapping criteria will result in the upper most rule being triggered etc.

The firewall rules don't care about subnets per se. You can have a LAN segment on a /24 (a.b.c.0-.255) but firewall rules can be written to treat the first /25 (.0-.127) differently to the second /25 (.128-.255). Or whatever you like, the firewall applies it to the connection's specific attributes not whatever notional subnet it may be in.

Provided that the router/firewall device always inspects the connections with the firewall module and doesn't assume: LAN-side source to known other LAN-side destination is just a routing in/out process and bypasses the firewall. But it shouldn't do this, the firewall processing should always be invoked.

 

[Jan Janowski]

So the 2nd rule: did not need to be written, because the DENY ALL rule would have accomplished the same actions, the 2nd rule was therefore redundant -- and in this case only reasoning to use it would be to provide "Hit" Information. correct?
I'm Getting my mind wrapped around the DENY ALL capability.

 

[fredbert]

TBH I couldn’t follow exactly what you wrote. But if the second rule is a superset of the rule above it (and has the same action) then you don’t need the rule above, unless you want to specifically know the hits for that subset.

 

[Jan Janowski]

That's what I was after.... The DENY ALL RULE Covers and blocks EVERYTHING not specifically indicated as an ALLOW above it! Thank You.... I was having trouble understanding the power and scope of DENY ALL... !!
So Yes, for a while I'll leave it there, so as to show hits... once comfortable that nothing is going on, will delete the rule, knowing that it will be part of DENY ALL Thanks for clearing it up for me!