

Description:

This article describes best practices for creating firewall rules on LANCOM routers with LCOS.


Recommendations:

1) Specify only the destination port in a firewall rule: 

Since network communication generally uses random source ports (with a few exceptions, e.g. IPsec), only the protocol/destination service should be specified in a firewall rule. The protocol/source service must be left at the default setting all protocols/source services; otherwise the rule will not be applied.



2) Collect IP addresses into a single IP address range:

It is generally advisable to group several IP addresses into a range of IP addresses, rather than specifying them individually. 



3) Separate incoming and outgoing data traffic into different firewall rules:

The firewall breaks each rule down into filters. Each combination of connection source, connection destination, source service and destination service constitutes one filter. When a new session is set up, the filters are searched in turn until a matching filter is found. The more filters that have to be searched, the more processing effort is required. When creating rules, care should therefore be taken to use as few filters as possible (both within a rule and overall).

The number of filters results from the number of possible combinations of station objects multiplied by the number of protocols.

The total number of filters can be viewed using the console command ls Status/IP-Router/Filter. The filters themselves can be invoked by using the show filter command.

In installations with a large number of filters, invoking the show filter command leads to an abrupt restart of the router. Therefore, in such a scenario, the total number of filters should first be checked and the firewall rules optimized.


Example:

For HTTP and HTTPS over a VPN connection, communication should be allowed in both directions. The second solution below is preferred because fewer filters are generated.

  • A single firewall rule is created for the communication in both directions (source and destination are the same).
    • In the firewall rule there are 4 possible combinations of station objects.
    • 2 protocols are allowed (HTTP and HTTPS).
    • This results in 4 x 2 = 8 filters.

  • Two firewall rules are created and the incoming and outgoing communications are handled separately.
    • For each firewall rule there is just 1 possible combination of station objects.
    • 2 protocols are allowed (HTTP and HTTPS).
    • This results in 1 x 2 filters per firewall rule, i.e. 4 filters in total.
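The filter arithmetic behind recommendations 2 and 3, as an added Python model that is not LCOS code and not from LANCOM: each rule expands to source objects x destination objects x protocols, so a bidirectional rule and a set of individual host objects both multiply the filter count. The rule names, station objects (LAN, VPN-NET, SERVER) and the 10.0.0.x addresses are constructed for illustration.

```python
from itertools import product

# Constructed model of how a rule expands into filters, following the article:
# filters = (source objects x destination objects) x protocols.
# All rule and station object names below are made up for illustration.

def filter_count(rule):
    """Number of filters a single rule expands to."""
    return len(rule["sources"]) * len(rule["destinations"]) * len(rule["protocols"])

def total_filters(rules):
    """Total filters generated by a whole rule set."""
    return sum(filter_count(r) for r in rules)

def expand_filters(rule):
    """Enumerate the concrete (source, destination, protocol) filters of one rule."""
    return list(product(rule["sources"], rule["destinations"], rule["protocols"]))

# Variant A (recommendation 3): one rule for both directions, source and destination identical.
# Note that this also produces LAN->LAN and VPN-NET->VPN-NET filters nobody asked for.
BIDIRECTIONAL = [
    {"name": "ALLOW-WEB-VPN", "sources": ["LAN", "VPN-NET"],
     "destinations": ["LAN", "VPN-NET"], "protocols": ["HTTP", "HTTPS"]},
]

# Variant B (recommendation 3): one rule per direction.
SPLIT = [
    {"name": "ALLOW-WEB-OUT", "sources": ["LAN"], "destinations": ["VPN-NET"],
     "protocols": ["HTTP", "HTTPS"]},
    {"name": "ALLOW-WEB-IN", "sources": ["VPN-NET"], "destinations": ["LAN"],
     "protocols": ["HTTP", "HTTPS"]},
]

# Recommendation 2: ten individual host objects versus one address range object.
INDIVIDUAL_HOSTS = [
    {"name": "ALLOW-HOSTS", "sources": [f"10.0.0.{i}" for i in range(10, 20)],
     "destinations": ["SERVER"], "protocols": ["HTTPS"]},
]
ADDRESS_RANGE = [
    {"name": "ALLOW-RANGE", "sources": ["10.0.0.10-10.0.0.19"],
     "destinations": ["SERVER"], "protocols": ["HTTPS"]},
]

if __name__ == "__main__":
    for label, rules in [("bidirectional rule", BIDIRECTIONAL), ("split rules", SPLIT),
                         ("individual hosts", INDIVIDUAL_HOSTS), ("address range", ADDRESS_RANGE)]:
        print(f"{label:18} -> {total_filters(rules)} filters")
    for f in expand_filters(BIDIRECTIONAL[0]):
        print("  bidirectional filter:", f)
```

The expansion list makes the waste visible: the single bidirectional rule carries LAN-to-LAN and VPN-NET-to-VPN-NET filters that the two directional rules never generate.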

 



4) Prioritization of firewall rules:

The firewall rule table is run through from top to bottom until a rule takes effect. In principle, the firewall itself sorts the rules into the appropriate order.


In some cases, it may be necessary to adjust the prioritization of a rule. Two examples are described below:

Content filter rule:

The rule for the content filter must take effect first, so it is given the priority 9999.

Overview of the firewall rule table:



Preventing a VPN connection to the VPN responder:

If a VPN connection disconnects and the VPN responder side attempts to initiate access to resources in the VPN network, the router will try to set up the VPN connection. However, if the router has no information about a gateway IP address on the remote side (e.g. with a dynamic IKEv2 connection using identities), the VPN re-connect will fail.

This can be prevented by creating a firewall rule that blocks data traffic to a network accessed via VPN if there is no VPN connection in place (DENY-VPN-NOT-CONNECTED). This must have a higher priority than the other firewall rules so that it takes effect first.

Additionally, the special treatment of DNS packets requires the creation of another firewall rule for DNS that is prioritized higher than the DENY-VPN-NOT-CONNECTED rule.

 

Overview of the firewall rule table:
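The priority ordering of the VPN example above, as an added first-match model written in Python; it is not LCOS code and simplifies the DNS special treatment to a plain allow rule placed above the deny rule. The priorities (9000, 8000), network names (VPN-NET) and service names are constructed, and the default action for an unmatched packet is an assumption of the model.

```python
from dataclasses import dataclass

# Constructed first-match model of the rule table walk described in the article.
# Priorities, rule names, networks and services are illustrative, not LCOS defaults.

@dataclass
class Rule:
    name: str
    priority: int                     # higher priority is consulted first
    action: str                       # "ACCEPT" or "REJECT"
    destinations: frozenset           # destination networks; "ANY" matches everything
    services: frozenset               # destination services; "ANY" matches everything
    only_when_vpn_down: bool = False  # models the DENY-VPN-NOT-CONNECTED condition

@dataclass
class Packet:
    destination: str  # destination network name
    service: str      # destination service, e.g. "DNS" or "HTTP"

def rule_matches(rule: Rule, pkt: Packet, vpn_connected: bool) -> bool:
    """True if the rule applies to this packet in the given VPN state."""
    if rule.only_when_vpn_down and vpn_connected:
        return False
    dest_ok = "ANY" in rule.destinations or pkt.destination in rule.destinations
    svc_ok = "ANY" in rule.services or pkt.service in rule.services
    return dest_ok and svc_ok

def evaluate(rules, pkt: Packet, vpn_connected: bool, default="REJECT"):
    """Walk the table from highest to lowest priority; the first match decides.
    The default for an unmatched packet is an assumption of this model."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule_matches(rule, pkt, vpn_connected):
            return rule.action, rule.name
    return default, "DEFAULT"

def make_rules(deny_priority: int):
    """The three rules of the example; deny_priority lets us show a mis-ordered table."""
    return [
        Rule("ALLOW-DNS-VPN", 9000, "ACCEPT", frozenset({"VPN-NET"}), frozenset({"DNS"})),
        Rule("DENY-VPN-NOT-CONNECTED", deny_priority, "REJECT",
             frozenset({"VPN-NET"}), frozenset({"ANY"}), only_when_vpn_down=True),
        Rule("ALLOW-LAN-TO-VPN", 0, "ACCEPT",
             frozenset({"VPN-NET"}), frozenset({"HTTP", "HTTPS", "DNS"})),
    ]

# DNS above the deny rule, deny rule above the ordinary allow rule (as the article requires).
CORRECT_ORDER = make_rules(deny_priority=8000)
# Deny rule below the ordinary allow rule: it never fires, the allow rule triggers VPN setup.
MISORDERED = make_rules(deny_priority=-1)

if __name__ == "__main__":
    for vpn_up in (False, True):
        for svc in ("HTTP", "DNS"):
            pkt = Packet("VPN-NET", svc)
            print(f"VPN {'up  ' if vpn_up else 'down'} {svc:5} "
                  f"correct={evaluate(CORRECT_ORDER, pkt, vpn_up)} "
                  f"misordered={evaluate(MISORDERED, pkt, vpn_up)}")
```

Running the block shows the point of the priorities: with the VPN down, HTTP to the VPN network is rejected by DENY-VPN-NOT-CONNECTED while DNS still passes through the higher-priority DNS rule; in the mis-ordered table the same HTTP packet is accepted, which is exactly the case that triggers a doomed VPN re-connect.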



5) Only in exceptional cases should fragmentation and PMTU reduction for QoS rules be enabled:

The options Fragmentation and PMTU reduction in QoS rules (under Note for users of Internet connections with low bandwidth) should only be activated in exceptional cases.

Enabling these options affects all packets from the Internet peers that the rule applies to. This can cause slow transmission speeds and even application disconnects.



6) Do not create VPN rules in the firewall:

In very old versions of LCOS, VPN rules still had to be created in the firewall by selecting the option This rule is used to create VPN network relationships (SAs) instead of the option This rule is active for the firewall. However, this does nothing for clarity and may inadvertently create VPN network relationships (SAs). Furthermore, the VPN rules belong to the VPN and not to the firewall.

As of LCOS 9.24, VPN rules can be created in the menu VPN → General → Network rules. LANCOM Systems therefore recommends that VPN rules should be maintained in this menu instead of in the firewall.

If a VPN rule is created in the firewall, ensure that the options This rule is active for the firewall and This rule is used to create VPN network relationships (SAs) are not enabled in a rule at the same time. A rule is either a firewall rule or a VPN rule, but never both.