Sonicwall Firewall Access Rule..

I created a 'firewall access rule' to allow IPP printing between our wireless zone and our LAN zone.

When the rule had Destination: Any the IPP printer could not be added.
any rule
The moment I changed it to Destination: LAN Subnets the printer could be added and users can print.
lansubnets rule
Sure Any includes LAN Subnets?

Just a bit confused...
matedwardsAsked:
Who is Participating?
 
Robert HolmesNetwork EngineerCommented:
Hi Matedwards,

What I have seen with firewalls is the concept of most specific rule overrules least specific rules, this is what could be happening here.

By being more specific in your rule (defining the LAN Subnet as the destination), the firewall will ensure the rule is delivered before any rules that are less specific (ones that have Any as the destination).

This will also depend on what type of zone is set for the WLAN zone. Different zone types in SonicWALL devices have different security levels and this may be affecting the Any destination rule.

As a general rule with developing firewall rules, the more specific or granular the better, it will provide more security and less time troubleshooting access issues.

Please reply if you have any questions or require clarification.
0
 
Ramakrishna PrabhuNetwork EngineerCommented:
Hi, If the printer is on the LAN subnet then it should be the right rule. However you can you be more specific and add a address based rule by adding Printer IP as a address entry.

Hope this helps.
0
 
matedwardsAuthor Commented:
Thanks Ram.. the printer is on the LAN.

But why doesn't 'any' work as a destination as well?
0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
masnrockCommented:
That's very dangerous as you even have it defined. As you've set it up, it is generic enough to even imply that parties outside the firewall could set up the printer. If someone opened the IPP port on the firewall and pointed it to any of your printers, you'd get a demonstration of what I mean.

You should have source being whatever the source zone is, and the destination being the specific LAN that has the printers. Allow rules should always be operating off of the idea of least privilege.
0
 
David Johnson, CD, MVPOwnerCommented:
Allow from ANY means anyone, anywhere.. some nefarious person on the internet could print 10,000 copies of a totally black page.  To Anywhere means that it will also print over the internet Again as recommended above, least priviledge
0
 
matedwardsAuthor Commented:
Thanks for the heads up guys.. I shall lock it down for sure.

Just a couple of questions if I could:

1. So LAN Subnets is not part of 'any'?

2. I thought the rule was WLAN zone to LAN zone, so how could this rule apply to anyone on the internet (wan zone)?

Thanks again guys
0
 
masnrockCommented:
Now that you've said that, it makes more sense. I figured that was your intent, but you know what they say about assuming...

Even then, the Any/Any rule would imply any WLAN to any LAN. However, the Sonicwall may have had a rule that is explicitly blocking access ahead of it. Remember with firewalls, the order the rules are processed in are just as important as the rules themselves.

I'd name out the specific WLAN and LAN within the rule you're creating, then it's also obvious to anyone who has to look at the rule set.
1
 
matedwardsAuthor Commented:
Sorry mansrock, I missed your last post.
I will request to split the answer with your last comment and Roberts.
Many thanks to you both.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.