LANCOM Support Knowledgebase Document No. 0505.1012.2142.MBRI - V1.40

Configuring filter rules (firewall/QoS) for LANCOM routers



Description:
This document uses examples to illustrate the options for configuring filter rules in a LANCOM router.


Requirements:


Assumption:
There are two basic strategies for configuring a firewall: the 'ALLOW ALL' approach and the 'DENY ALL' approach. An 'ALLOW ALL' strategy enables unlimited communications through the firewall. Restrictions are then set up for the relevant services or stations. A 'DENY ALL' strategy blocks all communications, and individual workstations are then removed from the block. By default LANCOM employs the 'ALLOW ALL' strategy in its stateful inspection firewall, meaning that the firewall allows all correctly operating IP communications without any additional firewall rules having to be configured.

Both strategies have their uses depending on the situation at hand:

The deny-all approach is useful for connections going to the Internet. This means that, at the IP level, full control is maintained over all communications with the Internet as an insecure medium. Working with this method ensures that the only services which can be used are those explicitly allowed by the firewall administrator. This configuration minimizes the risk of permitting undesirable communications by mistake.

The allow-all approach is suitable for low-risk connections such as direct dial-in connections between two company offices. In this case, all services should be available to all stations ("allow all"), and the comprehensive functions of a firewall are not required. Under certain circumstances it may make sense to place restrictions on certain stations or services (e.g. to restrict access to certain servers or particular services in order to prevent connections being established).

Most cases require a combination of both approaches.


Procedure:
Configuration should be carried out with the use of LANconfig.


Example:

A LANCOM router connects the company network at its main office to the Internet via ADSL. This Internet connection is used to create a link to the branch office over a dynamic VPN tunnel. The router's firewall is to be configured to meet the following requirements.

1. Stations in the local intranet (192.168.100.0 / 255.255.255.0) should only be allowed to use certain services in the Internet (DNS name resolution, e-mail services, WWW access). One workstation (192.168.100.115) should be completely excluded from accessing the Internet.

2. Access to the branch network (192.168.200.0) should be allowed and transparent for all IP communication.
One server in the main office network (192.168.100.100) is to be allowed to establish connections to the server in the branch network (192.168.200.100) by itself. Connections from this server to other stations in the branch network are to be blocked.

Configuration:

Step 1: DENY-ALL towards the Internet

First add a new rule called 'DENY ALL' under Firewall/QoS -> IPv4 Rules -> Rules.

In order to implement a DENY ALL strategy towards the Internet without affecting other remote sites, you can restrict firewall rules to the remote site that is responsible for the default route (generally the Internet connection). This is already included in the standard object NO-INTERNET.





Add an entry and give it a suitable name:



...so that the option 'Action only for default route (e.g. Internet)' is enabled. Using the value for 'Trigger', you can activate the subsequent action after a certain threshold has been reached (e.g. for IP traffic shaping). If you wish to reject connections immediately you should use the default trigger value of '0'.

A Per session or Global setting has no effect with a trigger value of 0.
Leave the value of the 'Packet action' as 'Reject' and deactivate the SNMP option under Further measures to stop the firewall from logging every rejected packet:



Skip the QoS tab and on the Stations tab enter the source and destination for the desired connections.

As this rule is to apply to all sources and destinations, check the options Connections from all stations and Connections to all stations.

On the Services tab specify the IP protocols which the rule is to apply to. Select the option This rule applies to all services/protocols for the DENY ALL rule:



Effect:
The firewall rule defined in this way prevents IP connections from being established into the Internet.
It also means that the reverse path from the Internet to the company network is blocked by the firewall.
This function also serves to isolate the network through IP masquerading (NAT/PAT) and increases the protection of the company network against unauthorized access.

Step 2: Activating communication from the intranet towards the Internet:

Now add the following filter rule to allow stations in the local network to communicate with specified services in the Internet.



...using the name ALLOW-DNS.



On the Actions tab use Add... to select the object ACCEPT.

On the Stations tab, select All stations in any local network as the source and leave the destination as Connections to all stations.

On the Services tab, select the special service/protocol DNS:




Note:
The DNS service is based on UDP and for this reason it cannot be combined in a rule with other services that are based on TCP.

Step 3:

In the next step, add a new filter rule...



...using the name ALLOW INET:



On the Actions tab use Add... to select the object ACCEPT.

On the Stations tab, select All stations in any local network as the source and leave the destination as Connections to all stations.

On the Services tab, select the services/protocols HTTP, HTTPS and MAIL.



Effect:
This makes the configured services available for the stations in the network that is defined as the intranet in the LANCOM device under 'Configuration -> TCP/IP -> General -> IP networks'.

Step 4: Blocking a certain station from accessing the Internet:

Add a new filter rule...



...using the name DENY-115-INET.



On the General tab enter a name, and in the Priority field enter a value of 1.

On the Actions tab use Add... to select the object REJECT.

On the Stations tab, select An IP address or a range of IP addresses as the source, specifying a range from '192.168.100.115' to '192.168.100.115', and leave the destination as Connections to all stations.

On the Services tab select the option This rule applies to all protocols/source services:



Effect:
This completely blocks the station with IP address '192.168.100.115' from accessing the remote site Internet.
Other remote sites, such as the VPN remote site mentioned in the specifications, are not affected by the rule.

Since the firewall rules configured above only restrict connections over the default route, it is not necessary to enable the network connection separately. The LANCOM router pursues a policy of 'allow all' and allows any communication that is not explicitly prohibited by a rule.

Step 5: In order to restrict server communication, add a new filter rule...



...with the name DENY-SERVER.

On the Actions tab use Add... to select the object REJECT.



On the Stations tab, select An IP address or a range of IP addresses as the source, specifying a range from '192.168.100.100' to '192.168.100.100', and set the destination to A complete network and specify 192.168.200.0 / 255.255.255.0.

On the Services tab select the option This rule applies to all protocols/source services:

For devices with the VPN option, you have the option of specifying the effect that each rule should have on the IPsec policies.



Step 6: Add a new filter rule...



...using the name 'ALLOW-SERVER' in order to allow communication with the server in the branch office (192.168.200.100).

On the Actions tab use Add... to select the object ACCEPT.



On the Stations tab, select An IP address or a range of IP addresses as the source, specifying a range from '192.168.100.100' to '192.168.100.100', and set the destination to An IP address or a range of IP addresses and specify '192.168.200.100' to '192.168.200.100'.

On the Services tab select the option This rule applies to all protocols/source services.



After you have set this up successfully, the following entries will be present in the rules table:



Note:

Please note that a stateful inspection firewall evaluates the direction of IP connections.
The 'DENY-SERVER' firewall rule created above prevents the server in the main-office network from initiating communication to the branch-office network. However, the rule does not restrict incoming communications to the server.

The stateful inspection firewall monitors the status of IP connections and only allows communication on connections that were set up in the correct manner. For this reason the firewall rules are only defined for the direction in which the IP connections are established. Any (bidirectional) communication associated with the established IP connection will be automatically taken into account by the firewall. This applies in particular for protocols that require special treatment such as FTP (monitoring and data connection). The only thing that needs to be specified for these protocols is the main port.


Monitoring options:

The LANCOM router automatically generates an effective filter list from the firewall rules that you specified. You can view this list in WEBconfig under LCOS menu tree -> Setup -> IP router module -> Firewall -> Filter list. The rules are evaluated such that the most detailed ones are given the highest priority and these are taken first as the list of filters is processed from top to bottom. This ensures that filter rules that relate to individual services or MAC addresses are prioritized to appear at the top of the effective filter list.

The sequence in which you define filter rules has no influence on the effective filter list.

You can display the defined filters in a structured order in a telnet or SSH session to the LANCOM device using the show filter command.
© LANCOM Systems GmbH