The Services page displays the Network Access Rules (By Service) table. Rules are sorted from the most specific at the top, to less specific at the bottom of the table. At the bottom of the table is the Any rule. The Any rule is all IP services except those listed in the Services page. Rules can be created to override the behavior of the Any rule; for example, the Any rule allows users on the LAN to access all Internet services, including NNTP News. However, LAN access to NNTP can be unblocked by deselecting LAN Out corresponding to the NNTP News service.
Tip! The LAN In column is not displayed if NAT is enabled.
The Services page allows you to customize Network Access Rules by service. Services displayed in the Services window relate to the rules in the Rules window, so any changes on the Services window appear in the Rules window. The Any rule, at the bottom of the table, encompasses all Services.
Network Access Rules are management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL. By default, the SonicWALLs stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the Default stateful inspection packet rule enabled in the SonicWALL:
Allow all sessions originating from the LAN to the WAN and DMZ.
Allow all sessions originating from the DMZ to the WAN.
Allow all sessions originating from the WAN to the DMZ.
Deny all sessions originating from the WAN and DMZ to the LAN.
Additional Network Access Rules can be defined to extend or override the default rules. For example, rules can be created that block certain types of traffic such as IRC from the LAN to the WAN, or allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized users on the LAN.
The custom rules evaluate network traffic source IP address, destination IP address, IP protocol type, and compare the information to rules created on the SonicWALL. Network Access Rules take precedence, and can override the SonicWALLs stateful packet inspection. For example, a rule that blocks IRC traffic takes precedence over the SonicWALL default setting of allowing this type of traffic.
Alert! The ability to define Network Access Rules is a very powerful tool. Using custom rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting Network Access Rules.
LAN Out - If the LAN Out check box is selected, you can access that service from your LAN on the Internet. Otherwise, you are blocked from accessing that service. By default, the LAN Out check boxes are selected.
DMZ In (Optional) - If the DMZ In is selected, users on the Internet can access the service on the DMZ. Otherwise, they are blocked from accessing the service on the DMZ. By default, DMZ In is selected.
LAN In - If a LAN In checkbox is enabled, users on the Internet can access all computers on your network for that service. By default, LAN In checkboxes are not enabled. Use caution when enabling a LAN In service.
Alert! If an Alert Icon appears next to a LAN Out, LAN In, or DMZ In check box, a rule in the Rules window modifies that service.
Public LAN Server - A Public LAN Server is a LAN server designated to receive inbound traffic for a specific service, such as Web or e-mail. You can define a Public LAN Server by entering the server's IP address in the Public LAN Server field for the appropriate service. If you do not have a Public LAN Server for a service, enter "0.0.0.0" in the field.
Computers running Microsoft Windows communicate with one another through NetBIOS broadcast packets. By default, the SonicWALL blocks these broadcasts.
If you select From LAN to DMZ, your SonicWALL enables NetBIOS broadcasts from the LAN to the DMZ port to allow LAN users to view computers on the DMZ in their Windows Network Neighborhood.
If you select LAN to WAN, your SonicWALL enables NetBIOS broadcasts from LAN to the WAN port to allow LAN users to view computers on remote networks in their Windows Network Neighborhood.
Select Enable Support if you are having problems using Windows Messenger through the SonicWALL.
Alert! If Enable Support is selected, it may affect the performance of the SonicWALL.
Select Enable Support if you are having problems using videoconferencing based on the H.323 standard. H.323 promotes compatibility for videoconferencing over IP networks as well as interoperability in audio, video and data transmissions.
Enable Stealth Mode - By default, the SonicWALL responds to incoming connection requests as either "blocked" or "open". If you enable Stealth Mode, your SonicWALL does not respond to blocked inbound connection requests. Stealth Mode makes your SonicWALL essentially invisible to hackers.
Randomize IP ID - A Randomize IP ID check box is available to prevent hackers using various detection tools from detecting the presence of a SonicWALL appliance. IP packets are given random IP IDs which makes it more difficult for hackers to fingerprint the SonicWALL appliance. Use this check box for additional security from hackers.
If a connection to a remote server remains idle for more than five minutes, the SonicWALL closes the connection. Without this timeout, Internet connections could stay open indefinitely, creating potential security holes. You can increase the Inactivity Timeout if applications, such as Telnet and FTP, are frequently disconnected.
Help Table of Contents