LANCOM Support Knowledgebase Document No. 1810.3012.2304.RHOO - V1.00

Firewall configuration using available scripts


Description:
The following document describes how to set up your router's firewall using pre-defined scripts.


Requirements:



Strategies for configuring the firewall

Firewalls are interfaces between networks and restrict the exchange of data, to a greater or lesser extent. The purpose of a firewall is thus diametrically opposed to that of the network to which it belongs: Networks are supposed to connect computers, firewalls aim to prevent connections.
This contradiction indicates the dilemma of the responsible administrators who, as a result, have developed various strategies as a solution.

Allow-All
The allow-all strategy prioritizes the unobstructed communication between network users before security. It basically allows any communication and the LAN is open to intruders. The LAN only becomes more secure when the administrator successively configures new rules that restrict or prevent elements of the communication.

Deny-All
The deny-all strategy starts with a "block everything" approach with the firewall blocking all communication between the network and the rest of the world. As a second step the administrator then opens up address ranges or ports that are required for day-to-day communication with the Internet, etc.
This approach is better for the security of the LAN than the allow-all strategy but often leads to difficulties for users in the initial phase. Some things may simply not work in the same way after the deny-all firewall is activated and some computers may not be reachable, etc.

Developing an explicit "deny-all" strategy

In order to achieve the maximum degree of security and control over data traffic, we recommend that you initially block all data transfers through the firewall. Subsequently, only those functions and communication paths that are really required are selectively activated. This provides protection for example from so-called 'trojan horses' or e-mail viruses that actively establish an outgoing connection via certain ports.

Some typical applications are described below as firewall rules and can be transferred simply and easily using scripts, irrespective of device type and software version.

Deny-All: The most important rule in a firewall
The deny-all rule is by far the most important rule for the protection of your LAN. With this rule the firewall acts in accordance with the following principle: "Anything not explicitly allowed is forbidden". This is the only strategy with which the administrator can be really sure that no possibility of access has been "forgotten" – only those points of access that have been explicitly allowed are available.

Name / Description / Script file

Deny-ALL
This rule blocks any communication via the IP router or firewall.

Allow-HTTP/S
This rule allows HTTP and HTTPS (hypertext transfer protocol) from the LAN. These protocols are used to call Web pages. (Important notice: The "Allow-DNS" rule is required in combination with this rule.)

Allow-FTP
This rule allows FTP (file transfer protocol) from the LAN. This protocol is used for downloading files. (Important notice: the "Allow-DNS" rule is required in combination with this rule.)

Allow-DNS
This rule allows the DNS (domain name system) protocol from the LAN. This protocol is used for resolving names. Its main job is to transform "Internet addresses" (host names) into the relevant IP addresses.

Allow-SMTP
This rule allows SMTP (simple mail transfer protocol) from the LAN. This protocol is used to send e-mails. (Important notice: the "Allow-DNS" rule is required in combination with this rule.)

Allow-Secure-Mail
This rule allows SMTP (simple mail transfer protocol) from the LAN. This protocol is used to send e-mails. (Important notice: the "Allow-DNS" rule is required in combination with this rule.)

Allow-MAILING
This rule allows POP3 (post office protocol version 3) and IMAP (Internet message access protocol) from the LAN. E-mail clients use these protocols to collect e-mail from a server. (Important notice: the "Allow-DNS" rule is required in combination with this rule.)

Allow-RDP
This rule allows RDP (remote desktop protocol) from the LAN. The remote desktop protocol (RDP) is a Microsoft protocol. It provides the technical basis for implementing terminal services between two computer systems.

Allow-IPSEC
This rule allows the IP protocols 50 (ESP), 51 (AH) and 108 (IPCOMP) as well as IKE (Internet key exchange) that are required for IPSec (Internet Protocol security) connections. This enables an IPSec connection to be established from a local client to a VPN gateway in the Internet. (Note: This rule is not required when the LANCOM router is the terminating point for IPSec connections.)

Allow-VPN-ROUTING
This rule allows any communication to target networks that are in the LANCOM router's IP routing table and point to a VPN remote device.

Allow-ELSTER
This rule allows the ELSTER application (German electronic tax declaration) to be used from the LAN. (Important notice: the "Allow-DNS" rule is required in combination with this rule.)

Allow-NTP
This rule allows NTP (network time protocol) from the LAN. Applications can use this protocol to obtain the current online time from a time server. (Important notice: the "Allow-DNS" rule is required in combination with this rule.) (Note: This rule is not required if the LANCOM router is configured as a time server)

Allow-SNMP
This rule allows SNMP (simple network management protocol) from the LAN. The protocol is used to monitor and manage network components (such as routers, servers, switches, printers and computers) from a central device.

Allow-TELNET/SSH
This rule allows the telnet (telecommunication network) and SSH (secure shell) protocols from the LAN. Telnet is used to provide users with access to Internet computers from the command line (CLI). SSH is both an application as well as a network protocol and is used to log on to a remote computer and execute programs over an encrypted network connection.

Allow-TFTP
This rule allows TFTP (trivial file transfer protocol) from the LAN. The protocol is a very simple file transfer protocol and is used to load operating systems or for configuration purposes over the network.

Allow-ICMP
This rule allows the IP protocol ICMP (Internet control message protocol) from the LAN. It is used in networks to exchange error and information messages.

Deny-ALL (Package)
This rule combines all of the above rules into one script file:
This rule blocks any communication via the IP router or firewall.
+
This rule allows the following protocols: HTTP/S, FTP, DNS, SMTP, MAILING, RDP, IPSEC, VPN-Routing, ELSTER, NTP, SNMP, TELNET/SSH, TFTP and ICMP.

Notice:
We recommend that you set the deny-all rule before attaching the LAN to the Internet via a LANCOM device. You can then use the logging table (that can be launched from LANmonitor) to easily see which connections have been blocked by the firewall. Using this information you can then successively add "allow-rules" to the firewall.


Developing an explicit "allow-all" strategy

The LANCOM firewall's default configuration is based on an "allow-all" strategy, and all communication is allowed. Undesired functions and communication paths over the firewall should then be selectively blocked.

Some typical applications are described below as firewall rules and can be transferred simply and easily using scripts, irrespective of device type and software version.

Name / Description / Script file

Deny-SMTP
This rule blocks SMTP (simple mail transfer protocol) from the LAN. This protocol is used to send e-mails.

Deny-MAILING
This rule blocks POP3 (post office protocol version 3) and IMAP (Internet message access protocol) from the LAN. E-mail clients use these protocols to collect e-mail from a server.

Deny-HTTP/S
This rule blocks HTTP and HTTPS (hypertext transfer protocol) from the LAN. These protocols are used to call Web pages.

Deny-FTP
This rule blocks FTP (file transfer protocol) from the LAN. This protocol is used for downloading files.

Deny-RDP
This rule blocks RDP (remote desktop protocol) from the LAN. The remote desktop protocol (RDP) is a Microsoft protocol. It provides the technical basis for implementing terminal services between two computer systems.

Deny-FILESHARING
This rule blocks communication using the most common file sharing applications from the LAN. (Important notice: We assume no liability for the completeness of the information in the rule regarding ports.)

Deny-INST-MESSAGING
This rule blocks communication using the most common instant messaging applications from the LAN. (Important notice: We assume no liability for the completeness of the information in the rule regarding ports.)

Deny-ICMP
This rule blocks the IP protocol ICMP (Internet control message protocol) from the LAN. It is used in networks to exchange error and information messages.

Deny-NTP
This rule blocks NTP (network time protocol) from the LAN. Applications can use this protocol to obtain the current online time from a time server. (Important notice: the "Allow-DNS" rule is required in combination with this rule.) (Note: This rule is not required if the LANCOM router is configured as a time server)

Deny-SNMP
This rule blocks SNMP (simple network management protocol) from the LAN. The protocol is used to monitor and manage network components (such as routers, servers, switches, printers and computers) from a central device.

Deny-TELNET/SSH
This rule blocks the telnet (telecommunication network) and SSH (secure shell) protocols from the LAN. Telnet is used to provide users with access to Internet computers from the command line (CLI). SSH is both an application as well as a network protocol and is used to log on to a remote computer and execute programs over an encrypted network connection.

Deny-ELSTER
This rule blocks the ELSTER application (German electronic tax declaration) from the LAN.

Deny-TFTP
This rule blocks TFTP (trivial file transfer protocol) from the LAN. The protocol is a very simple file transfer protocol and is used to load operating systems or for configuration purposes over the network.
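The following is an added example, not LANCOM's own script code, that models the two strategies described above (deny-all with Allow-* rules, allow-all with Deny-* rules) together with the "Allow-DNS is required" dependency noted in the rule table. The rule names come from the tables; the protocol/port mapping is an assumption based on standard IANA ports, not taken from LANCOM's script files.

```python
# Added example, not LANCOM script code. Rule names follow the tables above;
# the service -> (protocol, port) mapping is an assumption (standard IANA
# ports), not the contents of LANCOM's script files. Port None = any port.
SERVICES = {
    "HTTP/S": [("tcp", 80), ("tcp", 443)],
    "FTP": [("tcp", 21)],
    "DNS": [("udp", 53), ("tcp", 53)],
    "SMTP": [("tcp", 25)],
    "MAILING": [("tcp", 110), ("tcp", 143)],
    "NTP": [("udp", 123)],
    "ICMP": [("icmp", None)],
}
# Allow-* rules whose description says Allow-DNS is required alongside them.
NEEDS_DNS = {"Allow-HTTP/S", "Allow-FTP", "Allow-SMTP", "Allow-MAILING", "Allow-NTP"}

def _covers(rule, proto, port):
    """True if the rule's service (Allow-/Deny- prefix stripped) matches the flow."""
    service = rule.split("-", 1)[1]
    return any(p == proto and (prt is None or prt == port)
               for p, prt in SERVICES.get(service, []))

def permitted(strategy, rules, proto, port):
    """Deny-all: a flow passes only if a matching Allow-* rule exists.
    Allow-all: a flow passes unless a matching Deny-* rule exists."""
    if strategy == "deny-all":
        return any(r.startswith("Allow-") and _covers(r, proto, port) for r in rules)
    if strategy == "allow-all":
        return not any(r.startswith("Deny-") and _covers(r, proto, port) for r in rules)
    raise ValueError("unknown strategy: %s" % strategy)

def missing_dns(rules):
    """Allow-* rules imported without the Allow-DNS rule they depend on."""
    if "Allow-DNS" in rules:
        return set()
    return {r for r in rules if r in NEEDS_DNS}

def blocked(strategy, rules, flows):
    """Like reading the LANmonitor logging table: which flows would be dropped?"""
    return [f for f in flows if not permitted(strategy, rules, f[1], f[2])]

# Constructed sample flows: (client, protocol, destination port).
FLOWS = [("pc1", "tcp", 443), ("pc1", "udp", 53), ("pc2", "tcp", 25), ("pc3", "udp", 123)]
```

Running `missing_dns({"Deny-ALL", "Allow-HTTP/S"})` reports the forgotten Allow-DNS dependency, and `blocked("deny-all", ...)` over FLOWS shows which sample flows the deny-all rule set would still drop before you add further allow rules.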


Procedure:

The scripts can be imported using LANconfig.

Highlight the device to be configured and, from the context menu (right mouse button), select the menu item Configuration Management -> Restore script from file.

Select one script file and confirm the import with Open. After the script has been loaded you will find the newly created rule in LANconfig under Firewall/QoS -> IPv4-Rules - Rules.

Repeat the above steps to import additional rules.
