-
May 13th, 2004, 11:48 AM
#1
Registered User
Firewall frustrations
Ah the joys of computers. Where to begin....
I'm running a SonicWall PRO 200 firewall at my corporate office. This firewall connects via VPN to several branch offices around the country. The branch offices are also using SonicWall firewalls (SOHO2, SOHO3, or an older model WebRamp 700s). The way the VPNs connect treats the connection as part of the LAN. This means that each branch can access all systems and servers at corporate. Security is in place, but I'd rather not even let them get to that level. The SonicWalls have an option to "Enable NAT and Firewall Rules" to each VPN. This essentially terminates the VPN at the WAN port rather than the LAN port. All rules are applied to the connection and would then be able to be restricted.
Sounds easy.... oh hell no.
The SonicWall has a default rule, which is uneditable and cannot be turned off, that denies ALL access from the WAN to the LAN. Hmmmmmm. Ok. So I add a simple rule to my firewall to test with:
Allow - Ping - From: x.x.x.1 - x.x.x.254 (WAN) To: y.y.y.123 (LAN)
IPs have been changed to protect the innocent and the ignorant.
Seems like it would work. Nope. Logs show a connection dropped due to Rule 0 (the default deny everything). Ok, so I try to ease up on the restrictions:
Allow - Default (everything) - From: x.x.x.1 - x.x.x.254 (WAN) To: y.y.y.1 - y.y.y.254 (LAN)
Connection dropped. Rule 0. Ok. Step back, take a breath, drink a beer.
So I hop onto SonicWall's site and try to find some answers. The knowledge base tells me all about Rule 0 and how the only way to bypass it is to set up a public service on the firewall, such as a designated Web server associated with an IP and check a box marked LAN In for that service. So I scratch my head a little trying to figure out why I not only have to add a rule to allow the access, but enable this as a service on the device too. But never mind that! I've got the answer now! Log onto the firewall, hit the Services tab and what to my wondering eyes should appear..... sure as hell not the LAN In checkboxes I was expecting. Time for another beer or three. Now I'm off to SonicWall's support site again to find out about LAN In. Lo and behold, the LAN In checkboxes are only there if you are not using NAT. Screwed.
I'm still discussing with the CEO about reinstating our support contract with SonicWall, but they are trying to say we need to purchase contracts for each year since the last contract expired. Ok. So you want us to give you money for support in 2002 and 2003 that we never used and obviously never can use?
So now that the rant..er... explanation, is out of the way, here's what I'm looking for:
To set up a VPN between two SonicWall firewalls, PRO 200 on one side, other could be varying models. The systems connecting from the branch to the PRO 200 should be restricted to HTTP and HTTPS protocols on a specific IP. They are to have no other access on the corporate network.
I will accept any and all thoughts, ideas, criticisms, complaints, suggestions, motivations, propositions and humiliations.
A bored admin is a very dangerous person...
-
May 13th, 2004, 04:08 PM
#2
Driver Terrier
-
May 13th, 2004, 04:10 PM
#3
Registered User
 Originally Posted by NooNoo
How about another beer?
I knew I could count on NooNoo to come up with an excellent suggestion.
-
May 13th, 2004, 04:12 PM
#4
Registered User
Is this a new setup or one you already had in place ?
-
May 13th, 2004, 04:38 PM
#5
Registered User
 Originally Posted by edball
Is this a new setup or one you already had in place ?
This is an existing setup, but I only recently decided to lock the VPN down by forcing the application of the firewall rules.
-
May 13th, 2004, 08:43 PM
#6
Registered User
Get used to adding rules. It's the same way with the Cisco stuff. By default no traffic flows from a less secure (0) to a secure (100) network (DMZ being 50). The only way to allow traffic is to add a rule for every incoming port/type of packet.
Once you figure out the rules though it's not hard to manage. Just remember to put the highest volume of traffic at the top of the list and move down in descending order. The traffic is matched against the list in every instance so, high volume stuff should pass after looking at the first rule. The lowest volume traffic should flow after consulting the last rule in the list.
Here's a quick sample of a pix config. Sounds like smoothwall is set up the same way.
access-list smtp permit tcp any host 68.198.144.195 eq www
access-list smtp permit tcp any host 68.198.144.195 eq smtp
access-list smtp permit tcp any host 68.198.144.195 eq 2121
access-list smtp permit tcp any host 68.198.144.195 eq pop3
access-list smtp permit tcp any host 68.198.144.196 eq www
access-list smtp permit tcp any host 68.198.144.196 eq smtp
access-list smtp permit tcp any host 68.198.144.197 eq www
access-list smtp permit tcp any host 68.198.144.198 eq www
access-list 202 permit tcp host 172.16.10.200 host 192.168.1.20
access-list 202 permit tcp host 172.16.10.201 host 192.168.1.20
access-list 202 permit udp host 172.16.10.201 host 192.168.1.20
access-list 202 permit udp host 172.16.10.200 host 192.168.1.20
access-list 202 permit tcp host 172.16.10.52 host 192.168.1.20
access-list 202 permit tcp host 172.16.10.50 host 192.168.1.20
access-list 202 permit udp host 172.16.10.52 host 192.168.1.20
access-list 202 permit udp host 172.16.10.50 host 192.168.1.20
access-list 202 deny tcp host 172.16.10.200 192.168.1.0 255.255.255.0
access-list 202 deny tcp host 172.16.10.201 192.168.1.0 255.255.255.0
access-list 202 deny tcp host 172.16.10.50 192.168.1.0 255.255.255.0
access-list 202 deny tcp host 172.16.10.52 192.168.1.0 255.255.255.0
access-list 202 permit tcp host 172.16.10.200 any
access-list 202 permit tcp host 172.16.10.201 any
access-list 202 permit udp host 172.16.10.201 any
access-list 202 permit udp host 172.16.10.200 any
access-list 202 permit udp host 172.16.10.50 any
access-list 202 permit tcp host 172.16.10.50 any
access-list 202 permit udp host 172.16.10.52 any
access-list 202 permit udp host 172.16.10.53 any
access-list 202 permit tcp host 172.16.10.52 any
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
Deliver me from Swedish furniture!
-
May 14th, 2004, 10:47 AM
#7
Registered User
I figured much of the same from the start, which is why I'm so frustrated, because it just doesn't want to cooperate. I've added rules to allow the traffic from the necessary IPs in. However, with this firewall, you cannot adjust the rule order. The order is determined by the firewall automatically and cannot be changed. And as you pointed out, the rules are applied top to bottom. Well the default rule of denying everything is right at the top, number 0.
-
May 14th, 2004, 04:18 PM
#8
Registered User
 Originally Posted by Deity
I figured much of the same from the start, which is why I'm so frustrated, because it just doesn't want to cooperate. I've added rules to allow the traffic from the necessary IPs in. However, with this firewall, you cannot adjust the rule order. The order is determined by the firewall automatically and cannot be changed. And as you pointed out, the rules are applied top to bottom. Well the default rule of denying everything is right at the top, number 0.
No way! That sucks. With the pix the order is dependent on when you enter the rule. For example, if I want to place a rule in the middle I have to use the NO command to delete the rules below it. Otherwise it gets added to the end. What I do is just copy all the rules to a text document, do a search and replace to change "access-list bla bla bla" to "no access-list bla bla bla", copy and paste that back into the pix (effectively removing all rules) then modify my text document with the new rule in the order I want it and copy/paste that back in. Is it possible sonicwall may work the same way? ...it seems there must be a way to order it.. As an aside, I think there's a way to change the rule order in the pix now without going through all that but.. old dog new tricks.
Deliver me from Swedish furniture!
-
May 14th, 2004, 04:27 PM
#9
Registered User
 Originally Posted by silencio
No way! That sucks. With the pix the order is dependent on when you enter the rule. For example, if I want to place a rule in the middle I have to use the NO command to delete the rules below it. Otherwise it gets added to the end. What I do is just copy all the rules to a text document, do a search and replace to change "access-list bla bla bla" to "no access-list bla bla bla", copy and paste that back into the pix (effectively removing all rules) then modify my text document with the new rule in the order I want it and copy/paste that back in. Is it possible sonicwall may work the same way? ...it seems there must be a way to order it.. As an aside, I think there's a way to change the rule order in the pix now without going through all that but.. old dog new tricks.
The SonicWall actually uses a GUI interface to input rules. Select allow or deny, choose your protocol/port, choose source IP(s) and destination IP(s) and a few other miscellaneous options. The rules are then automatically ordered based on how specific the rule is. So those generic rules that would say allow all pings from the WAN to the DMZ would be farther down on the list than those that allow a specific IP access to one port for one IP on the LAN. Yet this damn default rule is plastered at the top! It's Friday though. Time for another beer.
A bored admin is a very dangerous person...
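Post #6 describes top-down first-match evaluation (and why rule order matters) and post #9 the default deny that SonicWall pins at position 0 above every user rule. The following is an added example, not code from any poster, from SonicWall or from Cisco: a small first-match evaluator for PIX-style access-list lines that also reports rules made unreachable by an earlier, broader rule. The ACL, addresses and ports are constructed for the illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed PIX-style ACL (not from the thread): an unremovable deny-all at the
# top stands in for SonicWall's Rule 0, above the narrow permits the poster wanted.
SAMPLE_ACL = """
access-list vpn deny ip any 10.0.0.0 255.255.255.0
access-list vpn permit tcp 192.168.50.0 255.255.255.0 host 10.0.0.123 eq 443
access-list vpn permit tcp 192.168.50.0 255.255.255.0 host 10.0.0.123 eq www
"""
NAMED_PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}
Rule = namedtuple("Rule", "action proto src dst dport")  # dport None = any port

def _parse_addr(t):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    spec = t[1] + "/32" if t[0] == "host" else f"{t[0]}/{t[1]}"
    return ipaddress.ip_network(spec, strict=False), t[2:]

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
        rules.append(Rule(t[2], t[3], src, dst, dport))
    return rules

def first_match(rules, proto, src, dst, dport):
    """Top-down first match; (-1, 'deny') is the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r.proto in ("ip", proto) and s in r.src and d in r.dst
                and r.dport in (None, dport)):
            return i, r.action
    return -1, "deny"

def shadowed_rules(rules):
    """Indices of rules that an earlier, at-least-as-broad rule makes unreachable."""
    def covered(q, r):  # does r match everything q would match?
        return (r.proto in ("ip", q.proto) and q.src.subnet_of(r.src)
                and q.dst.subnet_of(r.dst) and r.dport in (None, q.dport))
    return [j for j, q in enumerate(rules) if any(covered(q, r) for r in rules[:j])]
```

With the deny-all first, `shadowed_rules` flags both permits and every branch packet hits rule 0, which is exactly the log the original poster saw; moving the deny to the end makes the two permits reachable while everything else still falls through to the deny.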