FireWall Rules & Policies

WildMonkey365

Aug 30, 2016
I'm new to the world of firewalls & I've looked at a couple of firewalls. I am trying to sense a pattern in the way the rules are structured. For instance, with port forwarding the pattern, no matter what manufacturer, is TCP/UDP port numbers and what LAN IP those ports get opened to. Are firewall rules & policies structured the same way? I'm looking for a general pattern from manufacturer to manufacturer. Can anyone shed light on this?

Also, with port forwarding you can tell whether you set it up right by whether the application works consistently. How do you test whether you set up the rules and policies on a firewall properly?
 
Firewall rules as a concept are: do you allow or reject TCP or UDP or both on port x (or ports x-y) from source IP ABCD to destination IP EFGH. You can leave ports, source IP or destination IP blank to set larger rules, so if you want to block ALL traffic to the internet from a certain IP you reject TCP/UDP from the computer IP to the WAN interface IP on the router.

You tell if the rules/policy work by testing whether the traffic is blocked/accepted.
 


Yes and no.
Port forwarding is not a "firewall rule" by definition, as a firewall simply says to accept or reject a packet, not what to do with it after the fact.
But the port forwarding rules can be input into iptables (which is where the firewall rules go) of the Linux device or router you are configuring.
 
 
Should firewall rules ever be applied both ways (source > destination) (destination > source)? In other words, if I allowed FTP traffic from Any to a LAN IP address, would I then need to allow the LAN IP address to send FTP traffic to Any? If a PC on a LAN needs to both send and receive traffic for FTP, 2 rules need to be created, am I right?
 
It depends on how you set up your rules.

Typically you would set up an implicit or explicit deny.
Implicit is a whitelist: ONLY the traffic in the list is allowed (so you would state all of your allowed traffic and then insert your implicit deny statement at the end).
Explicit deny is a blacklist, so you are specifying what traffic is prohibited.

Naturally, for highest security, implicit is much better than explicit.

Now in the case of FTP you would only need to specifically allow incoming traffic (assuming the FTP server is not connecting to another FTP server, only clients connecting to it).
All TCP-type connections send data both ways, so the firewall knows that data is going to flow in both directions. What you are setting in the rules is allowing the initiation of a "session", in this case the inbound communication from any IP to the IP of the FTP server on port 21 (naturally you should be using FTPS or SFTP and not on any default ports).
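The rule pattern described in the first reply (allow/reject, protocol, source, destination, port range, with blanks acting as wildcards), the implicit-deny versus explicit-deny ordering, and the point that only the packet starting a session has to match a rule, put together as a small first-match rule evaluator. This is an added illustration written for this thread, not code from any poster or any vendor's firewall. The class names, the addresses (taken from the RFC 5737 documentation ranges) and the sample packets are constructed, and UDP is recorded in the same session table as TCP here, which is a simplification of the timeout-based tracking real stateful firewalls use for UDP.

```python
"""Toy first-match firewall rule evaluator (constructed example, not a real product).

Shows three ideas from the thread:
  1. A rule = action + protocol + source + destination + destination-port range,
     where "any" leaves a field blank to make a broader rule.
  2. Implicit deny (whitelist: allow rules, then reject everything else) versus
     explicit deny (blacklist: reject rules, then allow everything else).
  3. Stateful matching: only the packet that starts a session must match an
     allow rule; reply traffic is accepted because the session was recorded.
     Real firewalls track TCP via the handshake and UDP via timeouts; this toy
     tracks both the same way (simplification).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "reject"
    proto: str = ANY                            # "tcp", "udp" or "any"
    src: str = ANY                              # CIDR, single address, or "any"
    dst: str = ANY
    ports: Optional[Tuple[int, int]] = None     # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        """A blank ("any"/None) field matches everything; other fields must match."""
        if self.proto != ANY and self.proto != p.proto:
            return False
        if self.src != ANY and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != ANY and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.ports is not None and not (self.ports[0] <= p.dport <= self.ports[1]):
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule], default: str):
        self.rules = rules
        self.default = default            # "reject" = implicit deny, "allow" = blacklist style
        self.sessions: Set[Tuple] = set() # sessions whose first packet was allowed

    def evaluate(self, p: Packet) -> str:
        # 1. Reply belonging to an already-allowed session: no rule lookup needed.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow (established)"
        # 2. New session: the first matching rule decides, else the default applies.
        verdict = self.default
        for r in self.rules:
            if r.matches(p):
                verdict = r.action
                break
        if verdict == "allow":
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


def whitelist_demo() -> Dict[str, str]:
    """Implicit deny: allow FTP control to one server and SIP from one provider."""
    fw = Firewall([
        Rule("allow", "tcp", ANY, "192.168.1.10", (21, 21)),                  # FTP server
        Rule("allow", "udp", "203.0.113.5", "192.168.1.20", (5060, 5060)),    # SIP provider
    ], default="reject")
    out = {}
    out["ftp_in"] = fw.evaluate(Packet("tcp", "198.51.100.7", 40000, "192.168.1.10", 21))
    # The server's reply is the reverse of the allowed packet: no outbound rule needed.
    out["ftp_reply"] = fw.evaluate(Packet("tcp", "192.168.1.10", 21, "198.51.100.7", 40000))
    out["ssh_in"] = fw.evaluate(Packet("tcp", "198.51.100.7", 40001, "192.168.1.10", 22))
    out["sip_in"] = fw.evaluate(Packet("udp", "203.0.113.5", 5060, "192.168.1.20", 5060))
    out["sip_other_src"] = fw.evaluate(Packet("udp", "198.51.100.7", 5060, "192.168.1.20", 5060))
    return out


def blacklist_demo() -> Dict[str, str]:
    """Explicit deny: block ALL traffic from one LAN host, allow everything else."""
    fw = Firewall([Rule("reject", ANY, "192.168.1.50", ANY)], default="allow")
    return {
        "blocked_host": fw.evaluate(Packet("tcp", "192.168.1.50", 5000, "198.51.100.99", 443)),
        "other_host": fw.evaluate(Packet("tcp", "192.168.1.51", 5000, "198.51.100.99", 443)),
    }


if __name__ == "__main__":
    print(whitelist_demo())
    print(blacklist_demo())
```

Running the module prints both verdict tables; the whitelist run shows the FTP reply passing as "allow (established)" without any Any-to-LAN outbound rule, and the unlisted SSH and SIP-from-elsewhere packets falling through to the implicit deny.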
 
@boosted1g.. You had mentioned that a firewall knows that TCP will go both ways and that there's no need to create 2 rules (1 inbound & 1 outbound). I'm assuming that this concept works the same way for UDP? I ask because I opened a port for our SIP server's public address to come in on UDP, but I'm wondering if I should open the same going out? Also, I have IPsec tunnels coming into a main host for a 7-site MPLS emulation project. We will be replacing/emulating a hub & spoke topology with SD-WAN technology. The main host is serving DNS but will also have network drives, network printers & shared folders in an Active Directory environment. I say all this because I set an auto rule for IPsec which basically allows the public addresses of the other 6 sites to come into the host site. Should I set this rule to go out to those public addresses also? Or should I even consider taking this rule out and making an auto IPsec rule for the host site to go out to the other 6 sites? The game plan is to have the 6 sites send to & receive data from the main host site but not each other. What are your thoughts?