
Firewall - Overriding Trusted LANs with Application Rules

I am attempting to block a specific application (developed internally) from accessing an internal server on our local LAN. The problem is, I need all other applications to be able to access this server for other services, and need everything else in the IP range to be trusted. When I created the application rules with the range still trusted, the trusted status of the range ends up overriding the application rule and allowing the application to communicate.

I know this is a stupid question, because we're kind of in a stupid situation thanks to this application, but is it possible for the application rule to override the LAN rule? If not, is it possible to create exceptions in the LAN rule for a specific IP I do not want to trust?

  • Hello MPGTucker,

    ends up overriding the application rule

    the order of rules is clearly documented, so this is the expected behaviour. And obviously (all traffic [...] is allowed with no further checks) you can't override the LAN.

    create exceptions in the LAN rule

    the LAN tab is for "fast-allow": if any box is checked, a matching connection attempt is allowed; otherwise the rest of the rules are processed. Furthermore there is, AFAIK, no relevance applied to the order (I assume the address/range definitions are merged with the most permissive setting retained). No dice.

    You don't have to use LAN at all (of course then you also can't use Block file and printer sharing for other networks). This would (with a slight performance penalty) defer the decision to the application rules. In addition, consider global rules: they are ordered, they allow you to specify ports, and they give you the option to block a connection. Normal priority global rules are applied when the connection has not yet been handled by an application rule. If the specific application (developed internally) uses a specific port (but I guess this is not the case, otherwise you could handle this on the server) you can even use a high-priority global rule.

    You aren't using checksums, are you?

    Christian

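To make the evaluation order in Christian's reply concrete, here is a small Python model of it. This is an added illustration, not the firewall's code and not from either poster: it takes from the thread only that the LAN tab is a fast-allow that ends evaluation, that normal-priority global rules are consulted only when no application rule handled the connection, and that a high-priority global rule can catch a connection ahead of the application rules. The rule classes, the default-block fallback, and all names, addresses and ports (10.0.0.0/24 as the office LAN, 10.0.0.50 as the internal server, internalapp.exe as the application to keep off it) are assumptions. Running it shows why the application block rule never fires while the range is ticked as Trusted, and how untrusting the range and replacing it with a normal-priority global allow gives the wanted result.

```python
"""Toy model of the rule order described in the thread (added illustration,
not vendor code).  From the thread: LAN fast-allow ends evaluation; normal-
priority global rules run only when no application rule matched; high-
priority global rules can run ahead of application rules.  The rest
(rule classes, default action, names, addresses, ports) is assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Conn:
    app: str        # executable that initiates the connection
    dst_ip: str
    dst_port: int


@dataclass
class GlobalRule:
    action: str                     # "allow" or "block"
    dst_net: str
    dst_port: Optional[int] = None  # None matches any port
    high_priority: bool = False


@dataclass
class AppRule:
    action: str
    dst_net: str
    dst_port: Optional[int] = None


@dataclass
class Policy:
    trusted_lans: list = field(default_factory=list)   # LAN tab, "Trusted" ticked
    global_rules: list = field(default_factory=list)   # ordered, as in the UI
    app_rules: dict = field(default_factory=dict)      # exe name -> ordered rules
    default_action: str = "block"                      # assumed fallback


def _matches(dst_net: str, dst_port: Optional[int], conn: Conn) -> bool:
    return (ip_address(conn.dst_ip) in ip_network(dst_net)
            and (dst_port is None or dst_port == conn.dst_port))


def decide(policy: Policy, conn: Conn) -> tuple:
    """Return (action, reason) for one connection attempt."""
    # 1. LAN tab: a trusted range allows the connection with no further checks.
    for net in policy.trusted_lans:
        if ip_address(conn.dst_ip) in ip_network(net):
            return "allow", f"LAN trusted {net}"
    # 2. High-priority global rules (assumed to run before application rules).
    for rule in policy.global_rules:
        if rule.high_priority and _matches(rule.dst_net, rule.dst_port, conn):
            return rule.action, "high-priority global rule"
    # 3. Application rules for this executable.
    for rule in policy.app_rules.get(conn.app, []):
        if _matches(rule.dst_net, rule.dst_port, conn):
            return rule.action, f"application rule for {conn.app}"
    # 4. Normal-priority global rules: reached only when no app rule matched.
    for rule in policy.global_rules:
        if not rule.high_priority and _matches(rule.dst_net, rule.dst_port, conn):
            return rule.action, "normal-priority global rule"
    return policy.default_action, "default"


def build_policy(trust_lan: bool) -> Policy:
    """Constructed policy for the thread's situation (all names made up):
    10.0.0.0/24 is the office LAN, 10.0.0.50 the internal server and
    internalapp.exe the application that must be kept off that server."""
    policy = Policy()
    if trust_lan:
        policy.trusted_lans.append("10.0.0.0/24")
    policy.app_rules["internalapp.exe"] = [AppRule("block", "10.0.0.50/32")]
    # Stand-in for the LAN tab: a normal-priority global allow for the range,
    # which every application without a matching app rule falls through to.
    policy.global_rules.append(GlobalRule("allow", "10.0.0.0/24"))
    return policy


def outcomes(trust_lan: bool) -> dict:
    """Evaluate a few constructed connection attempts against the policy."""
    policy = build_policy(trust_lan)
    probes = {
        "internalapp_to_server": Conn("internalapp.exe", "10.0.0.50", 8443),
        "otherapp_to_server": Conn("otherapp.exe", "10.0.0.50", 445),
        "otherapp_to_lan_host": Conn("otherapp.exe", "10.0.0.77", 3389),
        "otherapp_to_internet": Conn("otherapp.exe", "203.0.113.9", 443),
    }
    return {name: decide(policy, conn) for name, conn in probes.items()}


if __name__ == "__main__":
    for trust in (True, False):
        print(f"LAN trusted: {trust}")
        for name, (action, reason) in outcomes(trust).items():
            print(f"  {name:24s} {action:5s} ({reason})")
```

With the range trusted, every probe into 10.0.0.0/24 returns at stage 1 and the block rule for internalapp.exe is never reached, which is the behaviour the question describes. With the range untrusted, internalapp.exe is stopped at stage 3 while other applications fall through to the global allow at stage 4; traffic outside the range still hits the default. A high-priority global rule (stage 2) only helps if the application can be singled out by destination port, since global rules in this model carry no application identity.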