
Is a deny any any any rule needed as last rule or not?

Hi,

I wonder if I need a deny any any any rule at the end of my firewall ruleset.

There was none when I installed the XG, and it seems it does not log dropped packets without it.

Is it possible to lock myself out via browser with this rule?

Thanks



  • Hi,

    I would not recommend creating this rule!

    Sophos Firewalls go through every firewall rule starting from the top position until the last manual rule.

    Every packet that does not match any created rule will be dropped by default.

    So if you create a rule that says "Any to any using any: drop", it will only allow specified traffic. If you do not have a rule that gives you access to your firewall, you will be locked out.

    Summary: Do not create such a rule. You can, however, drop anything coming from or going to a specific network, as this will give you more control over what you want to achieve.

    I hope you understood my german-english ;)

    Regards,

    Ole

  • Hi Ole,

    I have rules like LAN to WAN above the drop-all rule.

    What I mean is a lockout from the admin GUI over the browser in the LAN zone; can this happen because of a firewall rule?

    Should access to this not be managed by the local ACL Services LAN and the HTTPS checkbox?

    Thanks

  • It's personal preference. I got used to adding a deny rule at the bottom when v15 came out because of missing logging, and I still use it. I only use it for internal (LAN>WAN etc.) traffic, and I reject the traffic instead of dropping it so my internal clients don't have to wait on the timeout of a dropped connection.

    There is no wrong or right way; if you think you are missing logging, use the deny/reject rule.
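To make the two answers above concrete (top-to-bottom, first-match evaluation with an implicit default drop, plus an explicit logged deny/reject as the last rule), here is an added simulation; it is not Sophos code or anything posted in this thread, and the zone and service names are assumptions chosen to mirror it.

```python
# Constructed simulation of first-match rule evaluation (not Sophos code);
# the zone and service names are assumptions chosen to mirror the thread.
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # e.g. "LAN", "WAN" or ANY
    dst_zone: str
    service: str    # e.g. "HTTPS" or ANY
    action: str     # "accept", "drop" or "reject"
    log: bool = False

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: str

def matches(rule: Rule, pkt: Packet) -> bool:
    """A field matches when the rule says ANY or equals the packet value."""
    pairs = ((rule.src_zone, pkt.src_zone), (rule.dst_zone, pkt.dst_zone),
             (rule.service, pkt.service))
    return all(r in (ANY, p) for r, p in pairs)

def evaluate(rules: list[Rule], pkt: Packet, log: list[str]) -> str:
    """Top to bottom, first match decides. Unmatched traffic hits the
    implicit default drop, which writes no log line (the gap in the thread)."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.log:
                log.append(f"{rule.name}: {rule.action} "
                           f"{pkt.src_zone}->{pkt.dst_zone} {pkt.service}")
            return rule.action
    return "drop"

LAN_TO_WAN = Rule("LAN to WAN", "LAN", "WAN", ANY, "accept")
# Explicit last rule: logged, and reject instead of drop so internal
# clients fail fast instead of waiting for a timeout.
FINAL_DENY = Rule("Deny any any any", ANY, ANY, ANY, "reject", log=True)

def compare(pkt: Packet) -> tuple[str, str, list[str]]:
    """Verdict without and with the trailing deny rule, plus its log lines."""
    log: list[str] = []
    without = evaluate([LAN_TO_WAN], pkt, [])
    with_deny = evaluate([LAN_TO_WAN, FINAL_DENY], pkt, log)
    return without, with_deny, log
```

The trailing rule changes nothing about which traffic gets through; it only turns the silent default drop into a logged reject. Placing the same rule above the LAN to WAN allow makes the allow unreachable, which is why the position at the very bottom matters.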

  • I think it is not necessary, because if you remove all rules you can do nothing with the firewall, so I believe that if a packet does not match any rule it is dropped.

  • How do you guys without such a rule troubleshoot network issues, when the XG shows no dropped/rejected packets without a rule at the bottom that denies any any any and has logging activated?

    I tested this today with an XG Home Edition, and as a matter of fact it shows dropped packets only when such a rule exists, and it is not there by default.

    Am I missing something, or is there another way to see dropped/rejected packets?

  • I'm not sure, but I think when a packet does not match any rule, it is dropped by the rule with ID=0 and it appears in the firewall log.