Chapter 8: Firewall LANCOM Reference Manual LCOS 3.50
137
Firewall
A direct data exchange between LAN and DMZ via the LAN bridge is not possible
if a dedicated DMZ port is used. Traffic from the LAN to the DMZ and vice versa
can therefore only pass through the router, and thus only through the
Firewall! This shields the LAN against requests from the DMZ, just as it
shields the LAN against requests from the Internet.
Shielding the DMZ from the Internet on one side and from the LAN on the
other is solved in many network structures with two separate Firewalls.
When using a LANCOM with a DMZ port, only one device is needed for this
setup, which results, for example, in a clearly simplified configuration.
8.3.7 Hints for setting the Firewall
The LANCOM Firewall is an extremely flexible and powerful tool. To help you
create individual Firewall rules, the following sections give some hints for
specific applications.
The default settings of the Firewall
On delivery there is exactly one entry in the Firewall rule table: “WINS”. This
rule prevents unwanted connection set-ups on the default route (generally to the
Internet) by the NetBIOS protocol. Windows networks send requests into the
network at regular intervals to find out whether known stations are still
available. With a time-charged account on a network coupling, this leads to
unwanted connection set-ups.
The LANCOM can prevent this for network couplings as well by means of the
integrated NetBIOS proxy, which answers on behalf of the resource concerned
until a real access takes place.
Security by NAT and Stateful Inspection
If no further Firewall rule is entered, the local area network is protected
by the interaction of Network Address Translation and Stateful Inspection:
only connections from the local area network produce an entry in the NAT
table, whereupon the LANCOM opens a communication port. Stateful Inspection
supervises communication via this port: only packets that belong exactly to
this connection may pass through it. For accesses from the outside to the
local network, this results in an implicit "Deny All" strategy.
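The following is an added example, not code from the LANCOM manual or from LCOS: a small Python model of the behaviour just described, in which only outbound LAN connections create a NAT-table entry, inbound packets are admitted only when they match that entry exactly, and the delivered "WINS" rule keeps NetBIOS from opening connections on the default route. The router address, the port range and the NetBIOS port set are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

WAN_IP = "203.0.113.10"            # constructed public address of the router
NETBIOS_PORTS = {137, 138, 139}    # NetBIOS name, datagram and session services

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulNat:
    """Model of the implicit 'Deny All': only outbound LAN connections create
    a NAT-table entry, and only inbound packets that match such an entry
    exactly are translated back into the LAN; everything else is dropped."""

    def __init__(self) -> None:
        # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: dict = {}
        self.next_port = 40000          # first port the router hands out (assumed)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        # The delivered "WINS" rule: NetBIOS may not open a connection on the
        # default route; modelled here as a drop before any NAT entry is made.
        if pkt.dport in NETBIOS_PORTS:
            return None
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, wport), known in self.table.items():
            if proto == pkt.proto and known == flow:
                break                     # existing connection: reuse its port
        else:
            wport = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, wport)] = flow
        return Packet(pkt.proto, WAN_IP, wport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None                   # no connection from inside: dropped
        lan_ip, lan_port, remote_ip, remote_port = entry
        # Stateful inspection: the reply must come from exactly the peer that
        # the LAN host contacted, on the same port, or it is dropped.
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
```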