Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Sonicwall Firewall Access Rule..

Posted on 2016-11-24
8
Medium Priority
?
41 Views
Last Modified: 2016-11-30
I created a 'firewall access rule' to allow IPP printing between our wireless zone and our LAN zone.

When the rule had Destination: Any the IPP printer could not be added.
any rule
The moment I changed it to Destination: LAN Subnets the printer could be added and users can print.
lansubnets rule
Sure Any includes LAN Subnets?

Just a bit confused...
0
Comment
Question by:matedwards
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 41900609
Hi, If the printer is on the LAN subnet then it should be the right rule. However you can you be more specific and add a address based rule by adding Printer IP as a address entry.

Hope this helps.
0
 

Author Comment

by:matedwards
ID: 41900699
Thanks Ram.. the printer is on the LAN.

But why doesn't 'any' work as a destination as well?
0
 
LVL 31

Expert Comment

by:masnrock
ID: 41905939
That's very dangerous as you even have it defined. As you've set it up, it is generic enough to even imply that parties outside the firewall could set up the printer. If someone opened the IPP port on the firewall and pointed it to any of your printers, you'd get a demonstration of what I mean.

You should have source being whatever the source zone is, and the destination being the specific LAN that has the printers. Allow rules should always be operating off of the idea of least privilege.
0
Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41906313
Allow from ANY means anyone, anywhere.. some nefarious person on the internet could print 10,000 copies of a totally black page.  To Anywhere means that it will also print over the internet Again as recommended above, least priviledge
0
 

Author Comment

by:matedwards
ID: 41907116
Thanks for the heads up guys.. I shall lock it down for sure.

Just a couple of questions if I could:

1. So LAN Subnets is not part of 'any'?

2. I thought the rule was WLAN zone to LAN zone, so how could this rule apply to anyone on the internet (wan zone)?

Thanks again guys
0
 
LVL 31

Expert Comment

by:masnrock
ID: 41907240
Now that you've said that, it makes more sense. I figured that was your intent, but you know what they say about assuming...

Even then, the Any/Any rule would imply any WLAN to any LAN. However, the Sonicwall may have had a rule that is explicitly blocking access ahead of it. Remember with firewalls, the order the rules are processed in are just as important as the rules themselves.

I'd name out the specific WLAN and LAN within the rule you're creating, then it's also obvious to anyone who has to look at the rule set.
1
 
LVL 2

Accepted Solution

by:
Robert Holmes earned 2000 total points
ID: 41908030
Hi Matedwards,

What I have seen with firewalls is the concept of most specific rule overrules least specific rules, this is what could be happening here.

By being more specific in your rule (defining the LAN Subnet as the destination), the firewall will ensure the rule is delivered before any rules that are less specific (ones that have Any as the destination).

This will also depend on what type of zone is set for the WLAN zone. Different zone types in SonicWALL devices have different security levels and this may be affecting the Any destination rule.

As a general rule with developing firewall rules, the more specific or granular the better, it will provide more security and less time troubleshooting access issues.

Please reply if you have any questions or require clarification.
0
 

Author Comment

by:matedwards
ID: 41908264
Sorry mansrock, I missed your last post.
I will request to split the answer with your last comment and Roberts.
Many thanks to you both.
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
What we learned in Webroot's webinar on multi-vector protection.
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question