13-32 User’s Reference Guide
EE
EE
xx
xx
aa
aa
mm
mm
pp
pp
ll
ll
ee
ee
TT
TT
CC
CC
PP
PP
//
//
UU
UU
DD
DD
PP
PP
PP
PP
oo
oo
rr
rr
tt
tt
ss
ss
FF
FF
ii
ii
rr
rr
ee
ee
ww
ww
aa
aa
ll
ll
ll
ll
dd
dd
ee
ee
ss
ss
ii
ii
gg
gg
nn
nn
rr
rr
uu
uu
ll
ll
ee
ee
ss
ss
There are two basic rules to firewall design:
■ “What is not explicitly allowed is denied.”
and
■ “What is not explicitly denied is allowed.”
The first rule is far more secure and is the best approach to firewall design. It is far easier (and more secure) to
allow in or out only certain services and deny anything else. If the other rule is used, you would have to figure
out everything that you want to disallow, now and in the future.
FF
FF
ii
ii
rr
rr
ee
ee
ww
ww
aa
aa
ll
ll
ll
ll
LL
LL
oo
oo
gg
gg
ii
ii
cc
cc
Firewall design is a test of logic, and filter rule ordering is critical. If a packet is forwarded through a series of
filter rules and then the packet matches a rule, the appropriate action is taken. The packet will not forward
through the remainder of the filter rules.
For example, if you had the following filter set...
Allow WWW access;
Allow FTP access;
Allow SMTP access;
Deny all other packets.
TCP Port Service
20/21 FTP
23 Telnet
25 SMTP
80 WWW
144 News
UDP Port Service
161 SNMP
69 TFTP
387 AURP