Precedence Rule For Overlapping Filters; Configuration Example 1 For Firewall; Figure 38. Firewall Configuration Example - Allied Telesis AT-AR240E User Manual

AT-AR240E ADSL Router Web Interface Manual
Note that we have already established an ADSL connection, we have defined external and internal
interfaces and we have enabled NAT between the interfaces. Also, the Firewall has been enabled, and
a user-defined policy created between Internal and External interfaces.
So, typically, on a User-Defined firewall service, if we are changing the default
behaviour, we are allowing certain traffic types in through the external interface and
we are blocking certain traffic types from going out through the internal interface.

Precedence rule for overlapping filters

If multiple filters are configured on a policy, it is possible that they might
overlap. For example, it is possible to configure:
o a filter to allow incoming TCP for ports 12 – 67
o a filter to block incoming TCP for ports 17 – 21
With a pair of filters like this, it is not immediately obvious what will happen
to an incoming TCP packet to port 18 – will it be allowed or blocked?
To deal with situations like this, it is necessary to have a precedence rule for
choosing between conflicting filters.
The rule is:
The packet will always be treated according to the most specific filter, regardless of the
order in which the filters were added.
So, in the above case, an incoming TCP packet to port 18 will be blocked.

Configuration example 1 for Firewall

Suppose that we want to allow only Web sessions from remote hosts towards
a local web server. Also, suppose that we do not allow access from local hosts
on the LAN interface to remote hosts or remote servers.
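The precedence rule above and Configuration example 1, modelled in Python as an added example (this is not the router's own code; the "in"/"out" directions, the port-range notion of "most specific", the default block-inbound/allow-outbound behaviour and the use of TCP port 80 for Web sessions are assumptions):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    """One filter on a firewall policy (constructed model, not the router's data structure)."""
    direction: str   # "in" = arriving on External, "out" = leaving via Internal
    protocol: str    # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int
    action: str      # "allow" or "block"

    def matches(self, direction, protocol, port):
        return (self.direction == direction
                and self.protocol in ("any", protocol)
                and self.port_lo <= port <= self.port_hi)

    def specificity(self):
        # Assumption: the filter covering fewer ports is the more specific one;
        # a named protocol beats "any". Insertion order never decides a tie.
        return (self.port_hi - self.port_lo, 1 if self.protocol == "any" else 0)

# Assumed default behaviour of the policy before any filter is added:
# inbound traffic is blocked, outbound traffic is allowed.
DEFAULT = {"in": "block", "out": "allow"}

def decide(filters, direction, protocol, port):
    """Action for one packet: the most specific matching filter wins,
    regardless of the order in which the filters were added."""
    matching = [f for f in filters if f.matches(direction, protocol, port)]
    if not matching:
        return DEFAULT[direction]
    return min(matching, key=Filter.specificity).action

# The overlapping pair from the precedence-rule section.
OVERLAP = [Filter("in", "tcp", 12, 67, "allow"),
           Filter("in", "tcp", 17, 21, "block")]

# Configuration example 1: only Web sessions (TCP 80 assumed) from remote hosts
# to the local web server; no access from LAN hosts to remote hosts at all.
EXAMPLE_1 = [Filter("in", "tcp", 80, 80, "allow"),
             Filter("out", "any", 0, 65535, "block")]

def order_independent(filters, direction, protocol, port):
    """True when the decision is the same for both insertion orders."""
    return (decide(filters, direction, protocol, port)
            == decide(list(reversed(filters)), direction, protocol, port))

if __name__ == "__main__":
    print("TCP/18 in:", decide(OVERLAP, "in", "tcp", 18))        # block
    print("TCP/80 in:", decide(EXAMPLE_1, "in", "tcp", 80))      # allow
    print("TCP/443 out:", decide(EXAMPLE_1, "out", "tcp", 443))  # block
```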
Figure 38. Firewall configuration example (figure labels: Web Server, AT-AR240E, Internet)

Using the Web interface this Firewall Service will be created as follows:
