SonicWALL Internet Security Appliances User Manual


Page 138 SonicWALL Internet Security Appliance Administrator’s Guide

Understanding the Access Rule Hierarchy

The rule hierarchy has two basic concepts:

1. Specific rules override general rules:
   - An individual service is more specific than the Default service.
   - A single Ethernet link, such as LAN or WAN, is more specific than * (all).
   - A single IP address is more specific than an IP address range.

2. Equally specific Deny rules override Allow rules.

Rules are displayed in the Current Network Access Rules list from the most specific to the least specific, and rules at the top override the rules listed below them. For example, consider the section of the Rules window shown below.

The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN to the WAN. However, Rule #1 blocks IRC (Chat) traffic from a computer on the LAN to a server on the WAN. The Default Deny Rule (#6) blocks all traffic from the WAN to the LAN; however, Rule #2 overrides it by allowing Web traffic from the WAN to the LAN.
