The Services page displays the Network Access Rules (By Service) table. Rules are sorted from the most specific at the top to the least specific at the bottom of the table. At the bottom of the table is the Any rule, which covers all IP services except those listed individually on the Services page. Rules can be created to override the behavior of the Any rule. For example, the Any rule allows users on the LAN to access all Internet services, including NNTP News; LAN access to NNTP can be blocked by deselecting the LAN Out check box for the NNTP News service, because that more specific rule is evaluated before the Any rule.
Tip! The LAN In column is not displayed if NAT is enabled.
The Services page allows you to customize Network Access Rules by service. The services displayed in the Services window correspond to the rules in the Rules window, so any change made in the Services window also appears in the Rules window. The Any rule, at the bottom of the table, encompasses all services.
Network Access Rules are management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL. By default, the SonicWALL's stateful packet inspection allows all communication from the LAN to the Internet and blocks all traffic from the Internet to the LAN. The following behaviors are defined by the default stateful packet inspection rule enabled on the SonicWALL:
Allow all sessions originating from the LAN to the WAN and DMZ.
Allow all sessions originating from the DMZ to the WAN.
Allow all sessions originating from the WAN to the DMZ.
Deny all sessions originating from the WAN and DMZ to the LAN.
Additional Network Access Rules can be defined to extend or override the default rules. For example, rules can be created that block certain types of traffic such as IRC from the LAN to the WAN, or allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized users on the LAN.
The custom rules examine the source IP address, destination IP address, and IP protocol type of network traffic and compare them against the rules created on the SonicWALL. Network Access Rules take precedence over, and can override, the SonicWALL's default stateful packet inspection behavior. For example, a rule that blocks IRC traffic from the LAN takes precedence over the SonicWALL's default of allowing all LAN to WAN traffic, and a rule that allows a specific service to a specific LAN host takes precedence over the default of denying all WAN to LAN traffic.
Alert! The ability to define Network Access Rules is a very powerful tool. Using custom rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting Network Access Rules.
LAN Out - If the LAN Out check box is selected, users on the LAN can access that service on the Internet. Otherwise, LAN users are blocked from accessing that service. By default, the LAN Out check boxes are selected.
DMZ In (Optional) - If DMZ In is selected, users on the Internet can access that service on the DMZ. Otherwise, they are blocked from accessing that service on the DMZ. By default, DMZ In is selected.
LAN In - If a LAN In check box is selected, users on the Internet can access every computer on your LAN for that service. By default, LAN In check boxes are not selected. Use caution when enabling LAN In for a service: it exposes the whole LAN, not a single host. To accept inbound traffic for one server only, leave LAN In deselected and enter that server's address in the Public LAN Server field for the service instead.
Alert! If an Alert Icon appears next to a LAN Out, LAN In, or DMZ In check box, a rule in the Rules window modifies that service.
Public LAN Server - A Public LAN Server is a LAN server designated to receive inbound traffic for a specific service, such as Web or e-mail. You can define a Public LAN Server by entering the server's IP address in the Public LAN Server field for the appropriate service. If you do not have a Public LAN Server for a service, enter "0.0.0.0" in the field.
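The table semantics described above (the default zone policy, the per-service LAN Out, LAN In and Public LAN Server settings, and most-specific-rule-first evaluation with the Any rule at the bottom) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not SonicWALL code and does not reproduce the appliance's actual matching algorithm. The zone networks, host addresses, and the IRC, NNTP, HTTP and Lotus Notes (tcp/1352) rules are all constructed for illustration, and the `specificity` scoring is a hypothetical way of ordering the table.

```python
"""Model of Network Access Rules: a default zone policy (the Any rule), per-service
rules derived from the Services table, and most-specific-first evaluation.
Hypothetical example; all addresses and ports below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Default stateful-inspection policy, i.e. the Any rule at the bottom of the table.
DEFAULT_POLICY = {
    ("LAN", "WAN"): "allow", ("LAN", "DMZ"): "allow", ("DMZ", "WAN"): "allow",
    ("WAN", "DMZ"): "allow", ("WAN", "LAN"): "deny", ("DMZ", "LAN"): "deny",
}

# Constructed addressing; anything outside LAN and DMZ is treated as WAN.
ZONES = {"LAN": ip_network("192.168.1.0/24"), "DMZ": ip_network("10.0.0.0/24")}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "WAN")


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src_zone: str                        # zone name or "*" for any
    dst_zone: str
    service: Optional[tuple] = None      # (proto, dst_port); None matches any service
    src_net: Optional[IPv4Network] = None
    dst_net: Optional[IPv4Network] = None

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src_zone in ("*", zone_of(src))
                and self.dst_zone in ("*", zone_of(dst))
                and (self.service is None or self.service == (proto, port))
                and (self.src_net is None or ip_address(src) in self.src_net)
                and (self.dst_net is None or ip_address(dst) in self.dst_net))

    def specificity(self) -> int:
        """Hypothetical scoring: more constrained rules score higher and sit
        higher in the table, so they are evaluated before broader ones."""
        score = (self.src_zone != "*") + (self.dst_zone != "*") + 2 * (self.service is not None)
        score += self.src_net.prefixlen if self.src_net else 0
        score += self.dst_net.prefixlen if self.dst_net else 0
        return score


def evaluate(rules, src: str, dst: str, proto: str, port: int) -> str:
    """First match wins, most specific rule first; unmatched traffic falls
    through to the Any rule (the default zone policy)."""
    for rule in sorted(rules, key=Rule.specificity, reverse=True):
        if rule.matches(src, dst, proto, port):
            return rule.action
    return DEFAULT_POLICY.get((zone_of(src), zone_of(dst)), "deny")


# Rules as the Services table would generate them (constructed):
#  NNTP (tcp/119):  LAN Out deselected            -> deny LAN -> WAN
#  IRC (tcp/6667):  custom block from the LAN     -> deny LAN -> WAN
#  HTTP (tcp/80):   LAN In off, Public LAN Server  -> WAN may reach 192.168.1.10 only
#  Notes (tcp/1352): one Internet host to one LAN host only
RULES = [
    Rule("deny", "LAN", "WAN", ("tcp", 119)),
    Rule("deny", "LAN", "WAN", ("tcp", 6667)),
    Rule("allow", "WAN", "LAN", ("tcp", 80), dst_net=ip_network("192.168.1.10/32")),
    Rule("allow", "WAN", "LAN", ("tcp", 1352),
         src_net=ip_network("203.0.113.5/32"), dst_net=ip_network("192.168.1.20/32")),
]

if __name__ == "__main__":
    for flow in [("192.168.1.50", "198.51.100.7", "tcp", 119),   # deny (NNTP, LAN Out off)
                 ("192.168.1.50", "198.51.100.7", "tcp", 443),   # allow (Any rule, LAN -> WAN)
                 ("198.51.100.7", "192.168.1.10", "tcp", 80),    # allow (Public LAN Server)
                 ("198.51.100.7", "192.168.1.11", "tcp", 80),    # deny (LAN In off)
                 ("203.0.113.6", "192.168.1.20", "tcp", 1352)]:  # deny (wrong source host)
        print(flow, "->", evaluate(RULES, *flow))
```

Because ordering is derived from specificity rather than from the position in the list, the Public LAN Server rule for tcp/80 wins over the zone-wide WAN to LAN deny no matter where it is inserted, which is the behavior the page describes for the table.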
Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets. By default, the SonicWALL blocks these broadcasts.
If you select From LAN to DMZ, your SonicWALL enables NetBIOS broadcasts from the LAN to the DMZ port to allow LAN users to view computers on the DMZ in their Windows Network Neighborhood.
If you select LAN to WAN, your SonicWALL enables NetBIOS broadcasts from the LAN to the WAN port to allow LAN users to view computers on remote networks in their Windows Network Neighborhood. Because these broadcasts carry host and workgroup names, enable this only when the network on the WAN side is one you trust, such as a private link to another site.
Select Enable Support if you are having problems using Windows Messenger through the SonicWALL.
Alert! If Enable Support is selected, it may affect the performance of the SonicWALL.
Select Enable Support if you are having problems using videoconferencing based on the H.323 standard. H.323 promotes compatibility for videoconferencing over IP networks as well as interoperability in audio, video and data transmissions.
Enable Stealth Mode - By default, the SonicWALL answers every incoming connection request, so a probe of a blocked port receives a response that reveals the port as blocked, while a probe of an open port receives a response that reveals it as open. If you enable Stealth Mode, the SonicWALL silently drops blocked inbound connection requests instead of responding. A port scan then sees no reply at all for blocked ports, which makes the SonicWALL much harder to detect and fingerprint. Stealth Mode does not hide services you have deliberately exposed with LAN In, DMZ In, or a Public LAN Server; those still respond normally.
Randomize IP ID - Many IP stacks fill the IP ID field of each packet from a simple counter, and scanning tools recognize a device by the predictable sequence of IP IDs it emits. Selecting Randomize IP ID makes the SonicWALL assign random IP ID values to the packets it sends, which makes it more difficult for fingerprinting tools to identify the appliance. Select this check box for additional protection against reconnaissance.
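The fingerprinting technique that Randomize IP ID defends against is easy to see from the scanner's side: probe the device several times and look at how the IP ID field changes between replies. The following Python is an added example, not SonicWALL code, and the classifier is a simplified version of the IP ID sequence test that OS fingerprinters use; the thresholds are approximations chosen for illustration, and the `generate_ipids` function is a hypothetical stand-in for the firewall's own IP ID assignment. All sample sequences are constructed.

```python
"""Classify a sequence of IP ID values observed in successive replies from one host.
A predictable (counter-based) sequence lets a scanner fingerprint the stack and
reuse the host for idle scans; random values defeat both. Hypothetical example."""
import random
from typing import List, Optional

MOD = 1 << 16          # the IP ID field is 16 bits wide


def generate_ipids(n: int, randomize: bool, start: int = 1,
                   rng: Optional[random.Random] = None) -> List[int]:
    """Firewall side (hypothetical): a per-packet counter, or random 16-bit IDs."""
    rng = rng or random.SystemRandom()
    if randomize:
        return [rng.getrandbits(16) for _ in range(n)]
    return [(start + i) % MOD for i in range(n)]


def classify_ipids(ids: List[int]) -> str:
    """Scanner side. Simplified sequence test (thresholds are illustrative):
       all-zeros / constant         -> field unused, nothing to fingerprint
       incremental-byteswapped      -> counter written little-endian (steps of 256)
       incremental                  -> counter, small forward steps (<= 1000)
       randomized                   -> large, unordered jumps"""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "all-zeros"
    diffs = [(b - a) % MOD for a, b in zip(ids, ids[1:])]  # forward deltas, wraparound safe
    if all(d == 0 for d in diffs):
        return "constant"
    if all(d % 256 == 0 and d <= 256 * 20 for d in diffs):
        return "incremental-byteswapped"
    if all(d <= 1000 for d in diffs):
        return "incremental"
    return "randomized"


if __name__ == "__main__":
    print("counter  :", classify_ipids(generate_ipids(8, randomize=False, start=5000)))
    print("random   :", classify_ipids(generate_ipids(8, randomize=True)))
    print("constructed byte-swapped:", classify_ipids([0x6400, 0x6500, 0x6600, 0x6700]))
```

A host that classifies as "incremental" is the one a scanner wants: it can be fingerprinted from the step size alone, and its counter can be read remotely to measure traffic it exchanges with third parties. Turning on Randomize IP ID moves the appliance into the "randomized" bucket, where the sequence carries no information.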
If a connection to a remote server remains idle for more than five minutes, the SonicWALL closes the connection. Without this timeout, entries for Internet connections could stay in the SonicWALL's connection table indefinitely, and each lingering entry is a path through which return traffic is still accepted long after the session has really ended. You can increase the Inactivity Timeout if applications such as Telnet and FTP are frequently disconnected, but raise it only as far as those applications require.
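The reason the timeout matters is visible in a connection-tracking table: return traffic from the WAN is accepted only while a matching LAN-originated entry exists, so an entry that never expires keeps that inbound path open. The following Python is an added example, not SonicWALL code and not its actual state machine; the `StateTable` and `FakeClock` classes and the addresses are constructed for illustration, and the default idle timeout mirrors the five minutes the page states.

```python
"""Minimal stateful connection table with an inactivity timeout. Outbound
(LAN-originated) packets create or refresh an entry; inbound packets are
accepted only as replies to a live entry. Hypothetical example."""
import time
from typing import Callable, Dict, Tuple

FlowKey = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


class StateTable:
    def __init__(self, idle_timeout: float = 300.0,
                 now: Callable[[], float] = time.monotonic):
        self.idle_timeout = idle_timeout      # seconds; page default is five minutes
        self.now = now
        self.sessions: Dict[FlowKey, float] = {}   # flow -> last activity time

    def outbound(self, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> None:
        """Packet from the LAN: allowed by default, and it opens/refreshes a session."""
        self.sessions[(src, sport, dst, dport, proto)] = self.now()

    def inbound_allowed(self, src: str, sport: int, dst: str, dport: int,
                        proto: str = "tcp") -> bool:
        """Packet from the WAN: allowed only as the reply to a live LAN-originated session."""
        self.expire()
        key = (dst, dport, src, sport, proto)       # reverse direction of the original flow
        if key in self.sessions:
            self.sessions[key] = self.now()         # activity refreshes the idle timer
            return True
        return False

    def expire(self) -> int:
        """Drop entries idle for longer than idle_timeout; returns how many were removed."""
        cutoff = self.now() - self.idle_timeout
        stale = [k for k, t in self.sessions.items() if t < cutoff]
        for k in stale:
            del self.sessions[k]
        return len(stale)


class FakeClock:
    """Deterministic clock so the timeout behaviour can be shown without waiting."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def reply_after_idle(idle_seconds: float, idle_timeout: float = 300.0) -> bool:
    """Open a Telnet session from the LAN, stay idle, then see whether the
    server's next packet is still accepted. Constructed addresses."""
    clock = FakeClock()
    table = StateTable(idle_timeout=idle_timeout, now=clock)
    table.outbound("192.168.1.50", 40000, "198.51.100.7", 23)
    clock.advance(idle_seconds)
    return table.inbound_allowed("198.51.100.7", 23, "192.168.1.50", 40000)


if __name__ == "__main__":
    print("reply after 2 min idle, 5 min timeout :", reply_after_idle(120))
    print("reply after 6 min idle, 5 min timeout :", reply_after_idle(360))
    print("reply after 6 min idle, 15 min timeout:", reply_after_idle(360, idle_timeout=900))
```

Raising the Inactivity Timeout is exactly the third case: the same idle session is still accepted at six minutes because the entry has not been removed, which is why the increase should be no larger than the disconnecting application needs.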