Basic Firewall Question

Why does the firewall still pass traffic through when the deny rule blocks anything going to the LAN? Here is the background of my confusion:

Before any other rule trumps it, my firewall allows the LAN to send data to wherever it wants. However, by default the firewall also prevents anything from going to the LAN, with the deny rule processed at a higher priority. Here are the rules:

Allow Default
  Source: LAN, *   Destination: *,*   Protocol: *,*

Deny Default
  Source: *,*   Destination: LAN, *   Protocol: *

Therefore, I can understand how my client web browser can send a connection request to a web server, but why does the web server response pass through to the client when the deny rule blocks everything? I know that server responses need to get passed back to the client connection. Otherwise the Internet would not work very well. I just want to know what I am misunderstanding about how the router works.

Thanks for your time,

Boyd


You have two rules:

1) allow LAN and all other sources access to anything using anything

2) disallow all sources access to the LAN and all other destinations using anything.

It would appear your ALLOW rule overrides the deny rule.

Leythos

Hi Boyd,

As you quite rightly say, your firewall would be of little use if it blocked absolutely everything from entering your LAN.

In reality, when you initiate a connection, for example http, your computer will create a request to port 80 on the web server. This will originate from a different port number, typically a port number greater than 1024. Your firewall will see this outbound connection and will hold this port (the high one) open to allow the traffic back in to your network and direct it to the device that started the request. This port will be held open by the firewall until it is no longer needed.

This is an over-simplified precis of the process, but I believe it is accurate in essence.

Me.

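The mechanism described in the reply above, as an added example that is not part of the thread: a small stateful packet filter that evaluates Boyd's two rules but first consults a connection table, so the web server's reply is accepted as the return half of a flow the LAN already opened. The LAN prefix, addresses and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed LAN prefix for the example; the thread does not give one.
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


def rule_decision(pkt: Packet) -> str:
    """Boyd's two static rules, deny evaluated at higher priority:
    Deny  Source *  -> Destination LAN
    Allow Source LAN -> Destination *
    Anything matching neither falls to an implicit deny."""
    if in_lan(pkt.dst):
        return "deny"
    if in_lan(pkt.src):
        return "allow"
    return "deny"


class StatefulFirewall:
    """Rules plus a connection table, which is what makes replies get through."""

    def __init__(self) -> None:
        # 5-tuples of flows the rules allowed out; replies are matched against these.
        self.established: set[tuple] = set()

    def filter(self, pkt: Packet) -> str:
        # 1. Reply half of a flow we already let out? Accept before any rule runs.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.established:
            return "allow (established)"
        # 2. Otherwise this is a new flow: apply the static rules.
        verdict = rule_decision(pkt)
        if verdict == "allow":
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict
```

Run the same reply packet through `rule_decision` alone and it is denied; only the connection table lets it in, and an unsolicited inbound packet with no matching outbound flow still hits the deny rule.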

Because the firewall sees the reply from whatever you are connecting to from the LAN as an established connection. The connection is what is sometimes referred to as being "stateful".

Chris.

