The firewall rules are the access control mechanism used by firewalls to safeguard your network from harmful applications and unauthorized access. Firewall rules determine which types of traffic your firewall accepts and which are denied. A collection of firewall rules make up the firewall access policy. They examine the control information in each network packet and block or allow them based on the criteria you establish. First, each package is evaluated from top to bottom, and its components are compared to policy rules components. The configured action of the first rule that matches the packet is then executed, together with all the steps provided in the rule's defined parameters.
In this article, we'll explain the importance of firewall rules in network security, inbound and outbound firewall rules, steps of rule configuration on different firewalls, such as Zenarmor, pfSense, Windows Defender, and Linux iptables, as well as best practices for firewall rule management.
What are the Types of Firewall Rules?
Depending on the sort of security system in place, numerous varieties of firewall rules may be applicable. Among the most prevalent firewall rules are as follows:
Access Rules: These rules allow, block, or reject specific categories of traffic based on the source and destination addresses, protocol, and port number.
Stateful Packet Filtering Rules: Stateful packet filtering rule compares the packet's information to the current connection state and either permits or rejects the packet based on the results.
Circuit-level gateways: These firewalls operate at the session layer 5 of the OSI network model, where connections are established and maintained. Circuit-level gateways are accountable for authenticating incoming TCP and IP packets and permitting or denying traffic based on the rules that have been configured.
Application Level Gateway Rules: Also known as proxy servers, application level gateways serve as intermediaries between the internet and an internal network. Proxy servers operate at the OSI model's application layer 7. They safeguard the internal network by controlling external network access. Administrators of a network can use them to restrict access to specific websites, censor specific categories of content, and limit the devices permitted to access the network.
Network Address Translation (NAT) Rules: NAT protocols translate IP addresses from one network to another, facilitating the transit of network traffic. Additionally, it can be used to protect private networks from external attacks.
Why is the Firewall Rule Important?
When it comes to preventing unwanted access, firewalls are often the first line of defense to be put up. They are essential for obstructing undesired information, assisting in the prevention of dangerous files such as worms, viruses, and malware, and establishing a secure network that protects any device operating inside the environment of that network.
Incorrect setup of the firewall may allow unauthorized access to be gained by attackers to internal networks and resources that are supposed to be secured. As a direct consequence of this, cybercriminals are always searching for networks that do not have enough protection and use software or servers that are out of date. Gartner emphasized the severity and scope of this problem by estimating that 99 percent of firewall breaches in 2020 would be the result of misconfigurations.
When configured to their default settings, the majority of firewalls and protocols do not provide the necessary level of security to keep networks safe from attacks. It is important that businesses make certain that the fundamental setup of their firewalls accommodates the specific requirements of their networks.
Failure to manage firewall rules and modifications properly can lead to major risks, such as the blocking of legitimate traffic, the system failing, and even being hacked.
Even though it is one of the most critical aspects of firewall administration, maintaining your firewall rules continues to be a challenge for a significant number of enterprises. Not only are unwieldy rulesets a technical annoyance, but they also generate business risks. These risks include open ports and needless VPN tunnels, contradicting rules that offer backdoor access points, and an excessive amount of complexity that is not essential. The auditing process, which often entails a review of each rule and its associated business explanation, is made much more difficult by rulesets that are too extensive.
How do Firewall Rules Work?
Each incoming and outgoing data packet is evaluated against the firewall rules by a firewall. Each firewall rule compares packet attributes against a common set of rule components. These rule components, which are presented as fields, include the packet's source address (Source), destination address (Destination), protocol and port numbers (Service), interface via which it travels (Interface), the direction of travel (Direction), and time of arrival (Time).
For instance, assume that a packet entering the firewall has a source address that matches the object specified in the Source field of the rule. The destination address corresponds to the Target domain object, the protocol and port correspond to the Service domain object, and the interface it traverses corresponds to the Interface domain interface object. Actions given in the Action field are carried out by the firewall. A field with the value "Any" or "All" will match all packages for the corresponding rule item.
By default, a rule matches the Source, Destination, and Service rule components supplied, which match all interfaces and traffic directions. If you want to restrict the rule's impact on certain interfaces or traffic characteristics, you must include the limitation in the rule.
Using the Source and Destination rule components, you may match a packet to a rule-based on its source and destination IP addresses.
The service rule item assigns packets depending on the IP service indicated by the packet's protocol and port numbers.
The interface rule element assigns packets based on the firewall interface via which they pass.
The direction rule element corresponds to the direction of a packet as it passes an interface. Three traffic direction choices are available for policy rules:
Inbound: Direction inbound relates to traffic entering a firewall interface.
Outbound: The outbound direction corresponds to traffic that is exiting a firewall interface.
Both: Both directions correspond to traffic entering or exiting the firewall.
On a matching rule in the Source, Destination, Service, Interface, Direction, and Time fields, an action is done. Actions for policy rules may be either Accept or Reject.
What is an Example of a Firewall Rule?
Rulesets for firewalls typically include the source address, the source port, the destination address, the destination port, and an indication of whether or not the traffic should be permitted.
In the given ruleset for a firewall, for instance, the firewall itself is never directly accessible from the public network. If attackers get direct access to the firewall, they will be able to change or remove the rules, which will enable undesirable traffic to pass through.
| Source address | Source port | Destination address | Destination port | Action |
|---|---|---|---|---|
| Any | Any | 10.10.1.1 | Any | Deny |
| 10.10.1.1 | Any | Any | Any | Deny |
In addition, the subsequent example of a ruleset for a firewall will show how all traffic coming from a trustworthy network may leave the system. However, this ruleset needs to be put below the ruleset that was just mentioned since the rules that have the greatest influence on the flow of traffic ought to be sooner on the list.
| Source address | Source port | Destination address | Destination port | Action |
|---|---|---|---|---|
| 10.10.1.0 | Any | Any | Any | Allow |
How to Create a Firewall Rule?
In this section, we will walk you through the steps of defining a security policy rule on some of the most popular types of firewalls.
1. Zenarmor Firewall Rules
Zenarmor is one of the most widely used next-generation firewalls, especially for home networks, schools, and small businesses. Zenarmor's powerful and lightweight engine, flexibility, and portability capabilities also make it a rising star on enterprise networks. It offers a Free Edition with limited features which allows only one policy ruleset, Default, to be defined. While you may set a total of three policies, including the Default policy in Home Edition, SOHO allows you to define up to five policies (Default + 4). Enterprises that need an unlimited number of policy rule sets may prefer the Business Edition. The Web UI makes it simple to create a firewall rule or modify existing rules. You may follow the steps below to add a new rule if you are using the OPNsense firewall:
Navigate to the Zenarmor > Policies on OPNsense Web UI.
Click on the Add New Policy. This will open the Policy Wizard page.
Complete the fields in the Policy Configuration page depending on your requirements.
Figure 1. Policy Configuration4. Click on the Next: Security Rules to proceed to the Security section.
- Enable the Security Rules options.
Figure 2. Policy Wizard Security Configuration6. Click on the Next: App Controls button to proceed to the Application Rules section .
- Block Application categories or Applications as you wish.
Figure 3. Policy Wizard Applications8. Click on the Next: Web Controls button to proceed to the Web Controls section .
- Select one of the predefined Web profiles or define a custom one.
Figure 4. Policy Wizard Web Configuration10. Click on the Next: Exclusions button to proceed to the Exclusions section .
You can define Blacklist & Whitelist Exclusions or just skip this step and click on the Save Changes & Finish.
Figure 5. Blacklist & Whitelist Exclusions
Figure 5. Blacklist & Whitelist ExclusionsYou can easily add or manage Zenarmor policy rule sets on the Zenconsole (Centralized Cloud Management Portal).
2. pfSense software Firewall Rules
In the pfSense software, rules on interface tabs are applied interface-by-interface, always in the incoming direction. This indicates that traffic emanating from the LAN is filtered using the LAN interface rules. The Internet-bound traffic is filtered by the WAN interface rules. Because all rules in pfSense are stateful by default, when traffic meets an allow rule, a state table entry is produced. This state table entry immediately permits all reply traffic.
Floating rules (Floating Rules) are the exception to this rule, since they may operate on any interface utilizing the inbound, outbound, or both directions.
Adding a firewall rule to pfSense software is a straightforward process. You can easily define a rule on your pfSense firewall easily by following the next steps given below:
- Select Rules under the Firewall drop-down menu on the navigation bar.You will be presented with the WAN interface's firewall rules page. As can be seen, the WAN interface already has two rules that prohibit private and bogus networks by default.
tip
The default behavior of the pfSense firewall is to block all traffic unless expressly allowed by a firewall rule. The default allow rules that enable traffic to flow through the firewall are located on the LAN tab.The floating tab is for rules that may influence many interfaces simultaneously. Typically, the normal user will not need any floating rules.
You may switch between the interface's firewall rules by selecting the corresponding tabs.
- To add a firewall rule to an interface, go to the interface and click the Add button. The Add button on the left will add the firewall rule to the top of the firewall list, while the Add button on the right will add the firewall rule to the bottom of the list.
Figure 6. WAN Firewall Rules on pfSense software3. Fill out the fields according to your needs.
info
Action field possibilities include Pass, Block, and Reject. Pass permits traffic to traverse the firewall's interface. Block will discreetly drop incoming traffic, preventing it from traversing the firewall interface. Reject will likewise discard the traffic, but will inform the sender that it was refused.
The Interface field displays all of the interfaces on which the firewall rule may be set.
The Address Family might be IPv4, IPv6, or both IPv4 and IPv6. The majority of networks are still using IPv4, so this will be appropriate in the majority of situations. IPv4+IPv6 may always be the default to cover both IPv4 and IPv6 traffic.
The Protocol specifies the kind of protocol that the communication you want to Pass/Block/Reject employs. TCP and UDP are often the most frequently used choices.
The Source section indicates the origin of the traffic.
The Destination section indicates where traffic is headed.
Figure 7. Defining Firewall Rule on pfSense software
Description: It is usually a good idea to provide an explanation of what each firewall rule performs so that you can easily go back to it.
- Click Save to save the rule.
Figure 8. Saving Firewall Rule on pfSense software5. Click the Apply Changes button to activate the changes.
Figure 9. Applying Firewall Rule Changes on pfSense software
3. Windows Firewall Rules
To permit incoming network traffic on a certain TCP or UDP port number, create firewall rules using the Windows Defender Firewall with Advanced Security node. This sort of rule permits any software that is listening on a particular TCP or UDP port to receive network traffic transmitted to that port.
warning
You must be a member of the Domain Administrators group or have been given authority to alter the GPOs in order to accomplish these steps.
To configure an incoming port rule on Windows 10/11, Windows Server 2016 and above,
Follow the instructions given below:
- Open Windows Defender Firewall with Advanced Security.
- To access Inbound Rules, click Inbound Rules in the navigation pane.
- Click Action, followed by New rule.
Figure 10. Adding Inbound Firewall Rule on Windows 104. Click Custom on the Rule Type page of the New Inbound Rule Wizard, then click Next.
note
Although you may construct rules by choosing Program or Port, the number of pages provided by the wizard is restricted by these options. If you choose Custom, you will view all pages and have the greatest amount of flexibility when setting your rules.
- On the Program page, choose All programs followed by Next.
note
This rule type is often used with program or service rules. Combining the rule types results in a firewall rule that restricts traffic to a specific port and only permits it when the specified application is active. Other applications cannot receive network traffic on the given port, nor can the specified program receive network traffic on other ports. Follow the steps in the Construct an Inbound Program or Service Rule procedure in addition to these steps to create a single rule that filters network traffic based on both program and port criteria.
Figure 11. Adding Inbound Firewall Rule for All Programs on Windows 10
- Select the protocol type you want to allow on the Protocol and Ports page. To limit the rule to a certain port number, either TCP or UDP must be selected. Because this is an incoming rule, only the local port number is normally configured.If you pick a different protocol, the firewall will only let packets whose protocol field in the IP header matches this rule.
Figure 12. Defining Protocol and Ports for Inbound Firewall Rule on Windows 10
- To pick a protocol based on its number, select Custom from the list, then enter the number in the Protocol number box.
- Click Next after you have set the protocols and ports.
- On the Scope tab, you may indicate that the rule only applies to network traffic to or from the specified IP addresses. Configure according to your design specifications, and then click Next.
Figure 13. Defining Scope(Local/Remote IPs) for Inbound Firewall Rule on Windows 10
- Select Allow the connection on the Action screen, and then click Next.
Figure 14. Defining Action for Inbound Firewall Rule on Windows 1011. Select the network location types to which this rule applies on the Profile screen, then click Next.
Figure 15. Defining Profile for Inbound Firewall Rule on Windows 10
Consider updating the rules to apply to all network location type profiles if this GPO is intended for server PCs running Windows Server 2008 that never move. This avoids an unexpected change in the applicable rules if the network location type changes as a result of the installation of a new network card or the detachment of the cable from an existing network card. A disconnected network card is allocated to the public network location type automatically.12. On the Name page, give your rule a name and description, and then click Finish.
Figure 16. Defining Name for Inbound Firewall Rule on Windows 10
Windows Defender Firewall permits all outgoing network traffic by default, unless it fits a rule that forbids the traffic. Create firewall rules using the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to prevent outbound network traffic on a given TCP or UDP port number. This sort of rule prevents all outgoing network traffic matching the given TCP or UDP port numbers.
To establish a rule for an outgoing port on Windows 10/11, Windows Server 2016 and above you may follow the instructions given below:
- Open Windows Defender Firewall with Advanced Security.
- To access Outbound Rules, click Outbound Rules in the navigation pane.
- Click Action, followed by New rule.
- Click Custom on the Rule Type screen of the New Outbound Rule wizard, then click Next.
Figure 17. Defining Outbound Firewall Rule on Windows 10
- On the Program page, choose All programs followed by Next.Select the protocol type you want to block on the Protocol and Ports page. To limit the rule to a certain port number, either TCP or UDP must be selected. Because this is an outgoing rule, just the remote port number is normally configured.If you pick a different protocol, Windows Defender Firewall will only block packets whose protocol field in the IP header matches this rule. Protocol-related network communication is permitted as long as other matching regulations do not prohibit it.
Figure 18. Defining Programs for Outbound Firewall Rule on Windows 106. To pick a protocol based on its number, select Custom from the list, then enter the number in the Protocol number box.
Figure 19. Defining Protocol and Ports for Outbound Firewall Rule on Windows 10
- Click Next after you have set the protocols and ports.
- On the Scope tab, you may indicate that the rule only applies to network traffic to or from the specified IP addresses. Configure according to your design specifications, and then click Next.
Figure 20. Defining Scope(Local/Remote IPs) for Outbound Firewall Rule on Windows 10
- Select Block the connection from the Actions window, then click Next.
Figure 21. Defining Action for Outbound Firewall Rule on Windows 10
- Select the network location types to which this rule applies on the Profile screen, then click Next.
Figure 22. Defining Profile for Outbound Firewall Rule on Windows 10
- On the Name page, give your rule a name and description, and then click Finish.
Figure 23. Defining Name for Outbound Firewall Rule on Windows 10
4. Linux Firewall Rules
Iptables is a well-known software and one of the best open-source firewall. It grants the ability to set up and analyze network information to a system administrator. When it comes to protecting their servers, experienced Linux administrators often turn to the use of this firewall software since it is terminal-based, very effective, and highly flexible.
In this case, let's only let the SSH connection come into the Linux server. Every other connection will be dropped by the iptables firewall.
Delete all the existing firewall rules temporarily and allow the firewall to accept everything by running the next command:
iptables --flushnote
To save current iptables to the
/etc/sysconfig/iptablesfile for permanent use run the following command:service iptables saveTo allow only the incoming SSH connection to the Linux server run the next command:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPTnote
The above iptables command is made up of the four parts below.
-A INPUT: It means that we are adding a new rule to the chain of INPUT rules. So, this rule is for traffic that is coming in.-i eth0: It checks this rule against all packets that come in through the interface eth0.-p tcp -dport 22: This rule applies to TCP packets. This has one tcp option called-dport 22this tells the server that this rule's destination port is 22.-j ACCEPT: It means "jump to accept," which just accepts the packet.To drop all incoming packets by running the following command:
iptables -A INPUT -j DROPTo view the current iptables firewall rules, run the next command:
iptables -LYou should see the output similar to the below:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
What is Firewall Rules Order?
Firewall rules are applied from the top down, which means that the firewall begins with the first rule created and continues through the entire sequence in the order of creation. The SANS Institute's firewall protocol recommends creating and configuring firewall rules in the following order:
- Anti-spoofing rules: Anti-spoofing filters for blocked private and internal addresses that appear to be external.
- User access rules: User authorization criteria, such as "allow HTTP to the public web server."
- Management access rules: Management permit rules, for instance "SNMP traps a network management server."
- Noise drops: Such as, "discard OSPF and HSRP chatter".
- Deny and alert: Deny and alert, to notify system administrators of anomalous traffic.
- Deny and log: Deny and log remaining traffic to log remaining traffic.
What Four Rules Must Be Set For Packet Filtering Firewalls?
A layer 4 firewall employs the following access rule parameters:
Source IP address(es)
Destination IP address(es)
Destination port(s)
Protocol (TCP, ICMP, or UDP, etc.)
What Are the Inbound And Outbound Rules?
The inbound firewall rules describe the types of traffic that is permitted to enter the network, as well as the ports that it may come from and the sources of that traffic. If there are no inbound rules specified, then there will be no incoming traffic allowed. The network is protected against unauthorized connections, malicious software, and denial-of-service (DoS) assaults thanks to the inbound firewall rules.
The outbound firewall rules describe the types of traffic that is permitted to leave the network, as well as the ports it may go through and the locations it can go to. In the event that no outbound rules are defined, there will be no outgoing traffic allowed.
Where Should The Most Frequently Accessed Rules Be Placed In The Firewall Rule Base?
The firewall rule base needs to have its most stringent restrictions positioned highest on the list. This is the first point in the process when traffic is matched. In most rule bases, the action is carried out beginning with the rule that is located at the beginning of the list. This is done to guarantee that the traffic that is permitted by the first rule will never be subjected to the limits imposed by the other rules.
The Firewall Checklist maintained by the SANS Institute makes the following recommendation on the sequence in which firewall rules should be applied:
Anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)
User permit rules (e.g. allowing HTTP to a public web server)
Management permit rules (e.g. SNMP traps to network management server)
Noise drops (e.g. discard OSPF and HSRP chatter)
Deny and Alert (alert systems administrator about traffic that is suspicious)
Deny and log (log remaining traffic for analysis)
How Do I Check Firewall Rules?
To check firewall rules on your Windows 10 PC, you can follow the steps below:
- Type "firewall" into the search bar. This will automatically search your Windows 10 PC for applications matching your typing.
Figure 24. Searching & Launching Windows Defender Firewall2. Click the "Windows Defender Firewall" option.
Figure 25. Viewing Windows Defender Firewall3. Review your firewall settings. You should notice two sections labeled "Guest or public networks" and "Private networks" with green shields to the left of them, which indicates that your firewall is functioning. When you click on one of these areas, a drop-down menu will appear with information about the public or private network you are currently connected to.4. Click the "Advanced Settings" option. This is located to the left of the main menu; selecting it will reveal the advanced settings menu for your firewall. From this menu, you will be able to see or make changes to the following:
- "Inbound Rules" are the rules that determine which inbound connections are always authorized.
- "Outbound Rules" refers to the connections that are automatically permitted to leave the network.
- "Connection Security Rules" are the guidelines that your computer follows to determine which connections it will accept and which connections it will ban.
- "Monitoring" provides an overview of the fundamental monitoring rules for your firewall.
Figure 26. Windows Defender Firewall Advanced Settings5. You have done a successful check of the settings for the firewall on your own Windows 10 computer
tip
Keep in mind that you can also click "Turn Windows Firewall on or off" in the same menu as Advanced Settings. If you are connected to a public network, you should be careful about turning off your firewall.
What are Best Practices for Firewall Rules?
When constructing a firewall, you should adhere to the principle of least privileges, which entails prohibiting everything not utilized for a specific and permitted business purpose. The least privilege reduces risk, provides more control over network traffic, and inhibits cross-network communication.
When changing the configuration of a firewall, it is essential to evaluate possible security threats to prevent future problems. Depending on the manufacturer and model of your firewall, as well as whether you're employing hardware-based or software-based solutions, the particular methods for modifying your firewall settings may vary. However, regardless of the firewall technology you choose, the following tips will help you enhance the efficacy of your firewall.
- Document your firewall's specifications: Any member of your network security team should be able to immediately determine from your documentation what each of your firewall rules is intended to achieve. You must at least keep track of the following information:
- Function of firewall rule
- Services impacted
- User accounts and devices
- The date the rule was introduced
- If the rule is temporary, the date it will expire
- The name of the rule's inventorSimilarly, you may use categories or section headings to aggregate comparable rules. You can then find the optimal order for your rules.As you begin to optimize and fine-tune your firewall rules, you should evaluate the current ones and ensure that you have the proper documentation for each.
- Create a method for firewall configuration changes: If you do not currently have a formal change management strategy in place, you should build one prior to making any modifications to your existing firewall rules. These stages may be included in a standard modification procedure:
- A change request technique for requesting firewall configuration modifications by business users.
- A mechanism for keeping track of the modifications made.
- A method for guaranteeing that any changes to firewall rules have the desired effect.
- A deployment procedure to take the newly tested rule into production.
- A procedure in which the firewall team assesses the risk and chooses the optimal course of action to strike a balance between the demands of business users and their security requirements.
- A procedure to confirm new firewall settings is functioning as planned.It may be tempting to make changes informally if your security team is tiny. However, rigorous monitoring of the modification process will aid in preventing security interruptions caused by a poorly configured firewall.
- Employ minimum privilege policies: Make firewall rules as stringent as feasible in terms of matching criteria and traffic authorization. For instance, you could just allow your organization's policy and block all other traffic. This is true for both entrance and egress traffic, that is, traffic from the Internet to internal sources and traffic from internal sources to the Internet. The least privileged security strategy reduces the attack surface, increasing the effectiveness of additional safeguards.
To effectively manage the quantity and variety of firewalls, it is advised to keep them as minimal as feasible. In addition, it is advisable to standardize your firewall rules based on the risk factor. You can do this using central administration and monitoring systems.4. Observe network traffic with Monitoring Mode: Using IP addresses and ports, monitor the present traffic and ensure that they are necessary. If you are replacing a firewall, you may identify this by setting a propagation port or by reviewing old firewall logs. Compile a list of source IP, destination IP, and destination port and begin categorizing them to facilitate the construction of firewall rules.5. Avoid using any/any rule: Create the initial incoming and outbound firewall rule with a Deny all policy, and process it last. This firewall rule, often known as "Explicit Deny", guarantees that any rules produced after first rejections are appropriate for their intended purpose.6. Be explicit and intentional when it comes to establishing regulations: Whenever feasible, establish distinct groupings of IPs and ports that make sense. Grouping allows you to build a set of firewall rules and, in most circ*mstances, to add and delete specific components by using groups.Your network access restrictions should be as specific as feasible. This technique adheres to the principle of least privilege (POLP) and controls network traffic. Include as many parameters as possible inside the rules.Include as many parameters as possible in the rule which determines network access. Unfortunately, there are few instances in which any of these might be useful.7. Whenever feasible, use an address and a service set: Address sets facilitate the administration of firewall rules. A security strategy permits the comprehensive grouping of things into a single entity. Because most businesses have logical elements that may be grouped, the more rules you can apply to address sets, the simpler it will be to make modifications.
Utilize single prefixes for both source and destination addresses. Instead of utilizing /32 addresses and individually adding each address, construct a large subnet that contains the majority of the required IP addresses. Utilize fewer IPv6 addresses since they need more RAM.
With service sets, firewall policies may be controlled more effectively. They allow you to handle large groupings of objects as a single entity under a security policy. Utilize "any" service as much as possible. Each time a policy service is defined, extra RAM might be allocated.8. Use Drop Rules: Place any drop rule inside the context of each security zone, in addition to a general policy, to prevent unwanted traffic from penetrating a security policy. This does not negate the need to set your firewall rules; it just offers a means to collect unclassified traffic.
It is prudent to block all incoming network traffic by default. Significantly, you should restrict access to a subset of known services to just a subset of traffic. Consequently, you acquire power over who may access your network.9. Secure the Periphery: Never provide direct Internet access to remote management. Whenever feasible, identify IP addresses and employ centralized authentication with multi-factor authentication (MFA). Regularly examine your public IP addresses.10. Regularly review the firewall rules: Your network and firewall rules are in a perpetual state of evolution. You are adding new users and devices to your network. These people and gadgets access new applications and services. Also, applications and devices that formerly comprised a significant portion of network traffic may become much less prevalent over time.
All of these modifications may require the addition of new firewall rules or the deletion of redundant firewall rules. However, your firewalls are essential for a reactive strategy. it is advised to set up a regular firewall audit program so that proactive modifications may be made.11. Remove redundant or incompatible firewall rules: As you update your documentation and check your list of firewall rules, you may discover that numerous rules perform the same function. Therefore, it is feasible to accelerate your network by deleting or merging several ineffective rules.Similarly, you may find that some of your rules are never enforced since none of your traffic meets the rules' precise requirements. Consider if the regulation is essential once again. If not, removing it may result in performance gains.12. Examine the firewall log: Every firewall has built-in reporting capabilities that give information on your traffic. Another firewall recommendation is to frequently analyze these logs for any changes or abnormalities that may suggest your firewall settings need to be modified.
This log data will be an essential resource for determining which firewall rules are used most often and which are not. Both sorts of data are necessary for improving a firewall.
Log data may help detect traffic "false positives" that should not activate security safeguards but do. Changing your firewall's rules may assist in reducing these false positives and enhancing end-user service.13. Ports You Should Block: For individuals seeking a list of ports to restrict, the SANS Institute suggests blocking at least outbound traffic on the following ports:Simple File Transfer Protocol MS RPC TCP, UDP Port 135 NetBIOS/IP TCP, UDP Ports 137-139 SMB/IP TCP, Port 445 (TFTP) UDP Port 69 Log System Simple Network management protocol (SNMP) (SNMP) Internet Relay Chat UDP Ports 161-162 (IRC) TCP Port Numbers 6660-6669
We provide instances of risky firewall rules, as well as a few recommended alternatives to consider when designing firewall rules:
permit ip any any: Allows all traffic from any source to any destination on any port. This is the worst access control rule possible. It defies both the security idea of by default refusing traffic and the principle of least privilege. The target port must always be supplied, and the destination IP address should be included if possible. Unless the application is designed to accept Internet clients, such as a web server, the source IP address must be given. A suitable rule would be topermit tcp any WEB-SERVER1 http.permit ip any WEB-SERVER1 any: Allows any traffic from any source to access a web server. Only specified ports should be permitted; for a web server, ports 80 (HTTP) and 443 (HTTPS) should be permitted (HTTPS). Otherwise, the server's administration is susceptible. A suitable rule would bepermit ip any WEB-SERVER1 http.permit tcp any WEB-SERVER1 3389: Allows RDP access to the webserver from any source. Allowing access to your management ports to anybody is a risky habit. Specify who may access the server administration. The optimal rule would be Permit tcp 11.22.33.44 WEB-SERVER1 3389 , where 11.22.33.44 is the Internet IP address of the administrator's PC.DB-SERVER1 3306: Allows access to the MySQL database from any source. Never expose database servers to the whole of the Internet. Specify the actual source IP address if you want database queries to execute over the Internet. Permit tcp 11.11.33.33 DB-SERVER1 3306 is a recommended rule (where 11.11.33.33 is the IP address of the host on the Internet that needs access to the database). A recommended practice would be to route database traffic through a VPN instead of the public Internet in plain text.
