DLink DI-604 - What is the real priority order of its firewall rules?

*Vanguard*

When you first get the DI-604 router, or after resetting it, the
following 2 firewall rules are defined:

_Default Rule 1: (highest priority)_
Action = Deny
Name = Default
Source = *,* (all LAN- and WAN-side hosts, any IP address)
Destination = LAN,* (all LAN-side hosts, any IP address)
Protocol = IP (0), * (TCP, UDP, ICMP on all ports)
Effect: LAN-LAN and WAN-LAN connections are denied. No local host
can get to another local host and no external host can get to a local
host.

_Default Rule 2: (lowest priority)_
Action = Allow
Name = Default
Source = LAN,* (all LAN-side hosts, any IP address)
Destination = *,* (all LAN- and WAN-side hosts, any IP address)
Effect: LAN-LAN and LAN-WAN connections are allowed. Local hosts
can connect with each other and local hosts can connect to the Internet.

According to the manual, rules are defined top-down as highest to lowest
priority. Well, that would mean the Deny rule would prevent any
LAN-side host from connecting to the router, especially to open its web
page to do configuration. Default rule 1 blocks any LAN-LAN connections
for the local hosts of which the router is one, yet I know I can connect
to the router. Maybe the router excludes itself from the firewall
rules, and which would make it impossible to really know the priority
ordering of these rules (until I get another host).

Rule 1 = denies LAN-LAN and WAN-LAN connections.
Rule 2 = allows LAN-LAN and LAN-WAN connections.

If the priority is top-down from highest to lowest, the "deny LAN-LAN"
in rule 1 overrides the "allow LAN-LAN" in rule 2, and effectively you
end up with only "allow LAN-WAN". With "deny LAN-LAN" in rule 1 as
highest priority, none of your local hosts can talk to each other. Why
would default rule 2 even bother to allow LAN-LAN connections if they
were going to get denied by default rule 1? Is the default behavior of
[this] NAT router to isolate the local hosts from each other?

If the priority was top-down from lowest to highest, the "allow LAN-LAN"
in rule 2 overrides the "deny LAN-LAN" in rule 1, and effectively you
get both "allow LAN-LAN" and "LAN-WAN" connections. Your local hosts
can talk to each other and they can connect to the Internet. But why
bother to deny LAN-LAN connections in rule 1 if they are going to get
allowed in rule 2? Wouldn't this be the expected behavior of a NAT
router so your intranetwork of local hosts can talk to each other? I
would've thought the default behavior was that you slide in the router
and all your local hosts can communicate with each other just like if
you had used a switch or hub instead of a router. This would mean the
manual is wrong and the real order of priority is from lowest to highest
in top-down order of the list.

Since these default rules are always forced to be at the bottom of the
rules list, I really am not sure about the priority for the user-defined
rules. Could be the default rules really are at the bottom of the list
in regards to their priority. Could be they get exercised before the
user-defined rules (so they are effectively at the top of the list and
are just shown at the bottom).

For anyone using the DLink DI-604 NAT router and who has more than one
host on their intranetwork, can you test using only the default rules
(or temporarily disabling your other user-defined rules so only the two
default rules are enabled) to see if your hosts will communicate or not?
I need to know because I will be defining some user-defined firewall
rules and I really need to know the actual priority order for them in
the list. Thanks in advance.
 
Richard G. Harper

I think you're confusing "priority" with "exclusivity". The first rule is
indeed taking priority and saying, "block all traffic". But the second rule
then modifies the first by creating a hole where traffic from the LAN is
permitted to pass through. Each rule is applied to the router in the order
specified so that lower instructions may modify the earlier ones to allow
limited exceptions.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 
*Vanguard*

Like you said, it seems like a later rule will override the conditions
established by prior rules. That's why I think the manual is wrong and
real priority is lowest to highest in top-down order. As you said, the
second rule modifies, or overrides, conditions set forth in a prior
rule. That sure seems to be priority to me (with the 2nd rule having
greater priority than the first rule). Exclusivity would be with the
rules having a stop clause that would short-circuit the OR'ing of the
rules: once a rule got triggered then subsequent rules do not get
exercised (you stop, or short-circuit, the OR when the first condition
gets triggered).

Do you have a router with similar rules and also have more than one host
to make sure the default behavior is to allow communication between the
local hosts? This is what was my expectation of the router. As such,
the rules would have to get exercised, like you say, with later rules
overriding the conditions established by the prior rules. However, if
that were true how would you block access to, say, an Internet site in
your own rule if the later default rule overrides it?

Say you have a rule that blocks LAN-WAN connections for all protocols to
a WAN-side host with IP address 216.73.92.112. You never want any of
your local hosts to connect to that site. So you define the rule:

Name: Block Doubleclick.com
Action = DENY
Source = LAN,* (any local host, any port)
Destination = WAN,216.73.92.112 (www.doubleclick.com)
Protocols = *,* (all of them, any port)

Supposedly this would prevent any of your local hosts from getting to
doubleclick.com. That is a user-defined rule so it gets forced into the
displayed rules list *before* the following default rule:

Name: Default Rule #2
Action = ALLOW
Source = LAN,* (all LAN-side hosts, any IP address)
Destination = *,* (all LAN- and WAN-side hosts, any IP address)
Protocols = *,*

This lets any local host connect to any Internet site. So if a later
rule punches a hole in the conditions set forth in prior rules then this
last "allow" rule obviates the user-defined site-specific "block" rule.
Nothing you could define would block your local hosts from connecting to
any Internet site. As you said, it is NOT likely that the rules are
exclusive but instead get OR'ed. First I block LAN-WAN traffic to IP
address 216.73.92.112 but then the later default rule unblocks *all*
LAN-WAN traffic to *any* IP address. That means my block rule would
never get honored.

What I suspect is:

- Priority is really lowest to highest in top-down order of the list.
That means subsequent rules can override conditions established in prior
rules which is the same as you believe.
- The default rules are really at the top of the list although they are
displayed at the bottom. This allows all local hosts to connect to any
Internet site *unless* you define a subsequent rule to block the access.
- The router excludes itself from any "deny LAN-LAN" rule.

I have written to DLink but am still waiting for a reply. From prior
correspondence with them, their response was not very helpful. Hell, it
wasn't even on topic but more of a canned response.
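To make the two orderings argued over in this thread concrete, here is an added example (my own code, not anything from D-Link or the DI-604 firmware) that encodes the three rules exactly as posted and evaluates sample flows under first-match semantics (the manual's "highest to lowest"), under last-match semantics (later rules override earlier ones), and under the suspicion that the defaults really sit at the top. The sample addresses, the "router is just another LAN host" simplification, and the fall-through-to-deny behaviour are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src_zone: str      # "LAN", "WAN" or "*" (either side)
    dst_zone: str
    dst_ip: str = "*"  # one destination address, or "*" for any

    def matches(self, src_zone, dst_zone, dst_ip):
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and self.dst_ip in ("*", dst_ip))

def evaluate(rules, src_zone, dst_zone, dst_ip, semantics):
    """Decide one flow. semantics="first": scan top-down, first match decides.
    semantics="last": scan every rule, last match wins (later rules override
    earlier ones). A flow matching no rule is denied (assumption)."""
    decision = "deny"
    for rule in rules:
        if rule.matches(src_zone, dst_zone, dst_ip):
            decision = rule.action
            if semantics == "first":
                break
    return decision

# The three rules as posted in the thread.
BLOCK_DOUBLECLICK = Rule("Block Doubleclick.com", "deny", "LAN", "WAN", "216.73.92.112")
DEFAULT_1 = Rule("Default 1", "deny", "*", "LAN")    # denies LAN-LAN and WAN-LAN
DEFAULT_2 = Rule("Default 2", "allow", "LAN", "*")   # allows LAN-LAN and LAN-WAN

# User-defined rules are displayed above the two defaults on the router.
DISPLAYED_ORDER = [BLOCK_DOUBLECLICK, DEFAULT_1, DEFAULT_2]
# Hypothesis from the thread: the defaults are really evaluated before user rules.
DEFAULTS_FIRST = [DEFAULT_1, DEFAULT_2, BLOCK_DOUBLECLICK]

# Constructed sample flows (192.168.0.2 and 203.0.113.5 are made-up addresses).
FLOWS = {
    "LAN->LAN": ("LAN", "LAN", "192.168.0.2"),
    "WAN->LAN": ("WAN", "LAN", "192.168.0.2"),
    "LAN->WAN other site": ("LAN", "WAN", "203.0.113.5"),
    "LAN->WAN doubleclick": ("LAN", "WAN", "216.73.92.112"),
}

def outcomes(rules, semantics):
    """Map each sample flow to its allow/deny decision under the given model."""
    return {name: evaluate(rules, *flow, semantics) for name, flow in FLOWS.items()}
```

Running `outcomes(DISPLAYED_ORDER, "last")` shows the problem raised above: the site-specific block is overridden and the Doubleclick flow is allowed, while `outcomes(DEFAULTS_FIRST, "last")` is the only model of the three that both lets LAN hosts talk to each other and honours the block.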
 
Richard G. Harper

I'm not sure how else to describe it except as I did previously. I think
you're simply expecting the wrong behaviour from a rule just because it's
described as having "priority". That doesn't mean priority in establishing
or modifying the baseline condition, but priority in when it's executed.

For example, let's assume you tell your three-year-old, "Never cross any
street unless a parent is with you." But obviously that rule is too
restrictive, so you add further conditions like "Never cross any street
unless there is a trusted adult present". If given in that order the rules
make perfect sense and you get the expected behaviour. But if you change
the order of the rules you create confusion - "Never cross any street unless
a trusted adult is present", but "Never cross any street unless a parent is
with you" results in behaviour you don't expect.