Example tcp/udp ports, Firewall design rules, Firewall logic – Netopia R5300 User Manual


13-32 User’s Reference Guide

Firewall design rules

There are two basic rules to firewall design:

“What is not explicitly allowed is denied.”

and

“What is not explicitly denied is allowed.”

The first rule is far more secure and is the best approach to firewall design. It is far easier (and more secure) to
allow in or out only certain services and deny anything else. If the other rule is used, you would have to figure
out everything that you want to disallow, now and in the future.

Firewall Logic

Firewall design is a test of logic, and filter rule ordering is critical. A packet is checked against the filter rules
in order; as soon as it matches a rule, the action of that rule is taken and the packet is not checked against any of
the remaining filter rules.

For example, if you had the following filter set...

Allow WWW access;

Allow FTP access;

Allow SMTP access;

Deny all other packets.
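The first-match evaluation described under Firewall Logic, applied to the filter set above, as an added example that is not part of the Netopia manual. The rule and packet representation is an assumption for illustration, not the R5300's own filter syntax; the `default` argument models the two design rules (default deny versus default allow), and `MISORDERED_SET` shows why ordering is critical.

```python
# Added example (not from the Netopia manual): a first-match filter evaluator.
# Rule and packet formats are assumptions for illustration, not R5300 syntax.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: Optional[str]    # "tcp", "udp", or None for any protocol
    dport: Optional[int]    # destination port, or None for any port

    def matches(self, proto: str, dport: int) -> bool:
        return (self.proto is None or self.proto == proto) and (
            self.dport is None or self.dport == dport
        )


def evaluate(rules: List[Rule], proto: str, dport: int,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Walk the rules in order; the first match decides and later rules are
    skipped. Returns (action, index of the matching rule), or (default, None)
    when no rule matched. default="deny" is "what is not explicitly allowed is
    denied"; default="allow" is the weaker "what is not explicitly denied is
    allowed"."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, dport):
            return rule.action, i
    return default, None


# The filter set from the manual: allow WWW, FTP, SMTP; deny everything else.
FILTER_SET = [
    Rule("allow", "tcp", 80),   # WWW
    Rule("allow", "tcp", 20),   # FTP data
    Rule("allow", "tcp", 21),   # FTP control
    Rule("allow", "tcp", 25),   # SMTP
    Rule("deny", None, None),   # deny all other packets
]

# Same rules with the catch-all deny moved to the front: the first match wins,
# so the allow rules are never reached and nothing gets through.
MISORDERED_SET = [FILTER_SET[-1]] + FILTER_SET[:-1]

if __name__ == "__main__":
    for proto, port in [("tcp", 80), ("tcp", 23), ("udp", 161)]:
        print(proto, port, evaluate(FILTER_SET, proto, port),
              evaluate(MISORDERED_SET, proto, port))
```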

Example TCP/UDP Ports

TCP Port   Service
20/21      FTP
23         Telnet
25         SMTP
80         WWW
144        News

UDP Port   Service
161        SNMP
69         TFTP
387        AURP
