Networking Forums

DLink DI-604 - What is the real priority order of its firewall rules?

 
 
*Vanguard*

 
      04-16-2004, 06:56 AM
When you first get the DI-604 router, or after resetting it, the
following 2 firewall rules are defined:

_Default Rule 1: (highest priority)_
Action = Deny
Name = Default
Source = *,* (all LAN- and WAN-side hosts, any IP address)
Destination = LAN,* (all LAN-side hosts, any IP address)
Protocol = IP (0), * (TCP, UDP, ICMP on all ports)
Effect: LAN-LAN and WAN-LAN connections are denied. No local host
can get to another local host and no external host can get to a local
host.

_Default Rule 2: (lowest priority)_
Action = Allow
Name = Default
Source = LAN,* (all LAN-side hosts, any IP address)
Destination = *,* (all LAN- and WAN-side hosts, any IP address)
Effect: LAN-LAN and LAN-WAN connections are allowed. Local hosts
can connect with each other and local hosts can connect to the Internet.

According to the manual, rules are defined top-down as highest to lowest
priority. Well, that would mean the Deny rule would prevent any
LAN-side host from connecting to the router, especially to open its web
page to do configuration. Default rule 1 blocks any LAN-LAN connections
for the local hosts of which the router is one, yet I know I can connect
to the router. Maybe the router excludes itself from the firewall
rules, which would make it impossible to really know the priority
ordering of these rules (until I get another host).

Rule 1 = denies LAN-LAN and WAN-LAN connections.
Rule 2 = allows LAN-LAN and LAN-WAN connections.

If the priority is top-down from highest to lowest, the "deny LAN-LAN"
in rule 1 overrides the "allow LAN-LAN" in rule 2, and effectively you
end up with only "allow LAN-WAN". With "deny LAN-LAN" in rule 1 as
highest priority, none of your local hosts can talk to each other. Why
would default rule 2 even bother to allow LAN-LAN connections if they
were going to get denied by default rule 1? Is the default behavior of
[this] NAT router to isolate the local hosts from each other?

If the priority was top-down from lowest to highest, the "allow LAN-LAN"
in rule 2 overrides the "deny LAN-LAN" in rule 1, and effectively you
get both "allow LAN-LAN" and "LAN-WAN" connections. Your local hosts
can talk to each other and they can connect to the Internet. But why
bother to deny LAN-LAN connections in rule 1 if they are going to get
allowed in rule 2? Wouldn't this be the expected behavior of a NAT
router so your intranetwork of local hosts can talk to each other? I
would've thought the default behavior was that you slide in the router
and all your local hosts can communicate with each other just like if
you had used a switch or hub instead of a router. This would mean the
manual is wrong and the real order of priority is from lowest to highest
in top-down order of the list.

Since these default rules are always forced to be at the bottom of the
rules list, I really am not sure about the priority for the user-defined
rules. Could be the default rules really are at the bottom of the list
in regards to their priority. Could be they get exercised before the
user-defined rules (so they are effectively at the top of the list and
are just shown at the bottom).

For anyone using the DLink DI-604 NAT router and who has more than one
host on their intranetwork, can you test using only the default rules
(or temporarily disabling your other user-defined rules so only the two
default rules are enabled) to see if your hosts will communicate or not?
I need to know because I will be defining some user-defined firewall
rules and I really need to know the actual priority order for them in
the list. Thanks in advance.


--
__________________________________________________ __________
*** Post replies to newsgroup. Share with others.
*** Email: domain = ".com" and append "=news=" to Subject.
__________________________________________________ __________

 
 
 
 
 
kurttrail

 
      04-16-2004, 10:55 AM
*Vanguard* wrote:

> When you first get the DI-604 router, or after resetting it, the
> following 2 firewall rules are defined:
>
> _Default Rule 1: (highest priority)_
> Action = Deny
> Name = Default
> Source = *,* (all LAN- and WAN-side hosts, any IP address)
> Destination = LAN,* (all LAN-side hosts, any IP address)
> Protocol = IP (0), * (TCP, UDP, ICMP on all ports)
> Effect: LAN-LAN and WAN-LAN connections are denied. No local host
> can get to another local host and no external host can get to a local
> host.
>
> _Default Rule 2: (lowest priority)_
> Action = Allow
> Name = Default
> Source = LAN,* (all LAN-side hosts, any IP address)
> Destination = *,* (all LAN- and WAN-side hosts, any IP address)
> Effect: LAN-LAN and LAN-WAN connections are allowed. Local hosts
> can connect with each other and local hosts can connect to the
> Internet.
>
> According to the manual, rules are defined top-down as highest to
> lowest priority. Well, that would mean the Deny rule would prevent
> any LAN-side host from connecting to the router, especially to open
> its web page to do configuration. Default rule 1 blocks any LAN-LAN
> connections for the local hosts of which the router is one, yet I
> know I can connect to the router. Maybe the router excludes itself
> from the firewall rules, which would make it impossible to really
> know the priority ordering of these rules (until I get another host).
>
> Rule 1 = denies LAN-LAN and WAN-LAN connections.
> Rule 2 = allows LAN-LAN and LAN-WAN connections.
>
> If the priority is top-down from highest to lowest, the "deny LAN-LAN"
> in rule 1 overrides the "allow LAN-LAN" in rule 2, and effectively you
> end up with only "allow LAN-WAN". With "deny LAN-LAN" in rule 1 as
> highest priority, none of your local hosts can talk to each other.
> Why would default rule 2 even bother to allow LAN-LAN connections if
> they were going to get denied by default rule 1? Is the default
> behavior of [this] NAT router to isolate the local hosts from each
> other?
>
> If the priority was top-down from lowest to highest, the "allow
> LAN-LAN" in rule 2 overrides the "deny LAN-LAN" in rule 1, and
> effectively you get both "allow LAN-LAN" and "LAN-WAN" connections.
> Your local hosts can talk to each other and they can connect to the
> Internet. But why bother to deny LAN-LAN connections in rule 1 if
> they are going to get allowed in rule 2? Wouldn't this be the
> expected behavior of a NAT router so your intranetwork of local hosts
> can talk to each other? I would've thought the default behavior was
> that you slide in the router and all your local hosts can communicate
> with each other just like if you had used a switch or hub instead of
> a router. This would mean the manual is wrong and the real order of
> priority is from lowest to highest in top-down order of the list.
>
> Since these default rules are always forced to be at the bottom of the
> rules list, I really am not sure about the priority for the
> user-defined rules. Could be the default rules really are at the
> bottom of the list in regards to their priority. Could be they get
> exercised before the user-defined rules (so they are effectively at
> the top of the list and are just shown at the bottom).
>
> For anyone using the DLink DI-604 NAT router and who has more than one
> host on their intranetwork, can you test using only the default rules
> (or temporarily disabling your other user-defined rules so only the
> two default rules are enabled) to see if your hosts will communicate
> or not? I need to know because I will be defining some user-defined
> firewall rules and I really need to know the actual priority order
> for them in the list. Thanks in advance.


Couldn't you have stated your problem a little more succinctly?

Having given up trying to read all of your post, I would think you
should be getting your answers from DLink.

http://support.dlink.com/

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei!"


 
 
*Vanguard*

 
      04-16-2004, 01:00 PM
"kurttrail" said in news:(E-Mail Removed):
>
> Couldn't you have stated your problem a little more succinctly?
>
> Having given up trying to read all of your post, I would think
> you should be getting your answers from DLink.
>
> http://support.dlink.com/



The best way to not help is to not answer.
 
 
Bruiser

 
      04-16-2004, 02:09 PM
You might have more luck at this forum:

http://www.broadbandreports.com/forum/dlink



*Vanguard* wrote:
>> When you first get the DI-604 router, or after resetting it, the
>> following 2 firewall rules are defined:
>>
>> _Default Rule 1: (highest priority)_
>> Action = Deny
>> Name = Default
>> Source = *,* (all LAN- and WAN-side hosts, any IP address)
>> Destination = LAN,* (all LAN-side hosts, any IP address)
>> Protocol = IP (0), * (TCP, UDP, ICMP on all ports)
>> Effect: LAN-LAN and WAN-LAN connections are denied. No local
>> host can get to another local host and no external host can get to a
>> local host.
>>
>> _Default Rule 2: (lowest priority)_
>> Action = Allow
>> Name = Default
>> Source = LAN,* (all LAN-side hosts, any IP address)
>> Destination = *,* (all LAN- and WAN-side hosts, any IP address)
>> Effect: LAN-LAN and LAN-WAN connections are allowed. Local hosts
>> can connect with each other and local hosts can connect to the
>> Internet.
>>
>> According to the manual, rules are defined top-down as highest to
>> lowest priority. Well, that would mean the Deny rule would prevent
>> any LAN-side host from connecting to the router, especially to open
>> its web page to do configuration. Default rule 1 blocks any LAN-LAN
>> connections for the local hosts of which the router is one, yet I
>> know I can connect to the router. Maybe the router excludes itself
>> from the firewall rules, which would make it impossible to
>> really know the priority ordering of these rules (until I get
>> another host).
>>
>> Rule 1 = denies LAN-LAN and WAN-LAN connections.
>> Rule 2 = allows LAN-LAN and LAN-WAN connections.
>>
>> If the priority is top-down from highest to lowest, the "deny
>> LAN-LAN" in rule 1 overrides the "allow LAN-LAN" in rule 2, and
>> effectively you end up with only "allow LAN-WAN". With "deny
>> LAN-LAN" in rule 1 as highest priority, none of your local hosts can
>> talk to each other. Why would default rule 2 even bother to allow
>> LAN-LAN connections if they were going to get denied by default rule
>> 1? Is the default behavior of [this] NAT router to isolate the
>> local hosts from each other?
>>
>> If the priority was top-down from lowest to highest, the "allow
>> LAN-LAN" in rule 2 overrides the "deny LAN-LAN" in rule 1, and
>> effectively you get both "allow LAN-LAN" and "LAN-WAN" connections.
>> Your local hosts can talk to each other and they can connect to the
>> Internet. But why bother to deny LAN-LAN connections in rule 1 if
>> they are going to get allowed in rule 2? Wouldn't this be the
>> expected behavior of a NAT router so your intranetwork of local
>> hosts can talk to each other? I would've thought the default
>> behavior was that you slide in the router and all your local hosts
>> can communicate with each other just like if you had used a switch
>> or hub instead of a router. This would mean the manual is wrong and
>> the real order of priority is from lowest to highest in top-down
>> order of the list.
>>
>> Since these default rules are always forced to be at the bottom of
>> the rules list, I really am not sure about the priority for the
>> user-defined rules. Could be the default rules really are at the
>> bottom of the list in regards to their priority. Could be they get
>> exercised before the user-defined rules (so they are effectively at
>> the top of the list and are just shown at the bottom).
>>
>> For anyone using the DLink DI-604 NAT router and who has more than
>> one host on their intranetwork, can you test using only the default
>> rules (or temporarily disabling your other user-defined rules so
>> only the two default rules are enabled) to see if your hosts will
>> communicate or not? I need to know because I will be defining some
>> user-defined firewall rules and I really need to know the actual
>> priority order for them in the list. Thanks in advance.
>>
>>
>> --
>> __________________________________________________ __________
>> *** Post replies to newsgroup. Share with others.
>> *** Email: domain = ".com" and append "=news=" to Subject.
>> __________________________________________________ __________




 
 
*Vanguard*

 
      04-16-2004, 02:38 PM
"Bruiser" said in news:(E-Mail Removed):
> You might have more luck at this forum:
>
> http://www.broadbandreports.com/forum/dlink


Been there before. No answers. Ended up coming back to the newsgroups.
Will try again. Thanks for the reminder.

--
__________________________________________________ __________
*** Post replies to newsgroup. Share with others.
*** Email: domain = ".com" and append "=news=" to Subject.
__________________________________________________ __________

 
 
Jim

 
      04-16-2004, 03:24 PM
This is just a misinterpretation on your part. The rules, as described, are
exactly correct. The ALLOW rule is lower priority because it is LESS
restrictive (it's an ALLOW, after all!), while the DENY rule is MORE
restrictive, and must take precedence.

Think of it this way: if I set up a "roadblock" that ALLOWS red, blue, and
green cars through, and I want to restrict the road even further, let's say
only red and blue cars are now allowed, I set up another roadblock *before*
it that's MORE restrictive (specifically, DENIES green cars), or in firewall
terms, higher priority. If I didn't, the less restrictive roadblock that
follows (lower priority) isn't going to stop them, right?!

In the real world, of course, we'd simply change the one roadblock to allow
only red and blue cars. But in the world of computers and programming, we
"stack" rules due to the limitations of programming, but it accomplishes the
same thing.

That's the problem: you're almost over-analyzing it, and thus confusing
yourself. Think of the roadblock analogy; it will make more sense. Use of
the term priority is also confusing; it's really better thought of as more
or less restrictive. The higher in that list (the higher the priority), the
more restrictive it should be.

HTH

Jim


"*Vanguard*" <no-(E-Mail Removed)> wrote in message
news:B66dnZBCep89HuLdRVn-(E-Mail Removed)...
> When you first get the DI-604 router, or after resetting it, the
> following 2 firewall rules are defined:
>
> _Default Rule 1: (highest priority)_
> Action = Deny
> Name = Default
> Source = *,* (all LAN- and WAN-side hosts, any IP address)
> Destination = LAN,* (all LAN-side hosts, any IP address)
> Protocol = IP (0), * (TCP, UDP, ICMP on all ports)
> Effect: LAN-LAN and WAN-LAN connections are denied. No local host
> can get to another local host and no external host can get to a local
> host.
>
> _Default Rule 2: (lowest priority)_
> Action = Allow
> Name = Default
> Source = LAN,* (all LAN-side hosts, any IP address)
> Destination = *,* (all LAN- and WAN-side hosts, any IP address)
> Effect: LAN-LAN and LAN-WAN connections are allowed. Local hosts
> can connect with each other and local hosts can connect to the Internet.
>
> According to the manual, rules are defined top-down as highest to lowest
> priority. Well, that would mean the Deny rule would prevent any
> LAN-side host from connecting to the router, especially to open its web
> page to do configuration. Default rule 1 blocks any LAN-LAN connections
> for the local hosts of which the router is one, yet I know I can connect
> to the router. Maybe the router excludes itself from the firewall
> rules, which would make it impossible to really know the priority
> ordering of these rules (until I get another host).
>
> Rule 1 = denies LAN-LAN and WAN-LAN connections.
> Rule 2 = allows LAN-LAN and LAN-WAN connections.
>
> If the priority is top-down from highest to lowest, the "deny LAN-LAN"
> in rule 1 overrides the "allow LAN-LAN" in rule 2, and effectively you
> end up with only "allow LAN-WAN". With "deny LAN-LAN" in rule 1 as
> highest priority, none of your local hosts can talk to each other. Why
> would default rule 2 even bother to allow LAN-LAN connections if they
> were going to get denied by default rule 1? Is the default behavior of
> [this] NAT router to isolate the local hosts from each other?
>
> If the priority was top-down from lowest to highest, the "allow LAN-LAN"
> in rule 2 overrides the "deny LAN-LAN" in rule 1, and effectively you
> get both "allow LAN-LAN" and "LAN-WAN" connections. Your local hosts
> can talk to each other and they can connect to the Internet. But why
> bother to deny LAN-LAN connections in rule 1 if they are going to get
> allowed in rule 2? Wouldn't this be the expected behavior of a NAT
> router so your intranetwork of local hosts can talk to each other? I
> would've thought the default behavior was that you slide in the router
> and all your local hosts can communicate with each other just like if
> you had used a switch or hub instead of a router. This would mean the
> manual is wrong and the real order of priority is from lowest to highest
> in top-down order of the list.
>
> Since these default rules are always forced to be at the bottom of the
> rules list, I really am not sure about the priority for the user-defined
> rules. Could be the default rules really are at the bottom of the list
> in regards to their priority. Could be they get exercised before the
> user-defined rules (so they are effectively at the top of the list and
> are just shown at the bottom).
>
> For anyone using the DLink DI-604 NAT router and who has more than one
> host on their intranetwork, can you test using only the default rules
> (or temporarily disabling your other user-defined rules so only the two
> default rules are enabled) to see if your hosts will communicate or not?
> I need to know because I will be defining some user-defined firewall
> rules and I really need to know the actual priority order for them in
> the list. Thanks in advance.
>
>
> --
> __________________________________________________ __________
> *** Post replies to newsgroup. Share with others.
> *** Email: domain = ".com" and append "=news=" to Subject.
> __________________________________________________ __________
>



 
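The two readings of the rule list argued over in the question, and Jim's point that a narrower DENY is stacked above the broad ALLOW, worked through as an added first-match evaluator in Python that is not part of this thread or of D-Link's firmware. The rule fields follow the DI-604 table as the question lists it; the sample flows, their addresses and the outbound-SMTP rule are constructed, and falling through to Deny when no rule matches is an assumption.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List

ANY = "*"  # wildcard, as in the DI-604 rule list

@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "Allow" or "Deny"
    src_zone: str     # "LAN", "WAN" or "*"
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str = ANY  # "TCP", "UDP", "ICMP" or "*"
    port: str = ANY

# A connection attempt seen by the firewall, with the same fields as a rule.
Flow = namedtuple("Flow", "src_zone src_ip dst_zone dst_ip proto port")

def matches(rule: Rule, flow: Flow) -> bool:
    """Every field must match; '*' matches anything."""
    pairs = ((rule.src_zone, flow.src_zone), (rule.src_ip, flow.src_ip),
             (rule.dst_zone, flow.dst_zone), (rule.dst_ip, flow.dst_ip),
             (rule.proto, flow.proto), (rule.port, flow.port))
    return all(p == ANY or p == v for p, v in pairs)

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First match wins, scanning top-down; later rules are never consulted.
    Falling through to Deny is an assumption (the two defaults cover every flow)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "Deny"

# The two factory-default rules exactly as the question lists them.
DEFAULT_DENY = Rule("Default", "Deny", ANY, ANY, "LAN", ANY)
DEFAULT_ALLOW = Rule("Default", "Allow", "LAN", ANY, ANY, ANY)

# Constructed sample flows; the addresses are made up for the example.
FLOWS: Dict[str, Flow] = {
    "LAN-LAN": Flow("LAN", "192.168.0.10", "LAN", "192.168.0.11", "TCP", "445"),
    "LAN-WAN": Flow("LAN", "192.168.0.10", "WAN", "203.0.113.5", "TCP", "80"),
    "WAN-LAN": Flow("WAN", "203.0.113.5", "LAN", "192.168.0.10", "TCP", "22"),
}

def outcomes(rules: List[Rule]) -> Dict[str, str]:
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}

# Reading 1 (the manual's): top-down is highest to lowest priority.
AS_LISTED = outcomes([DEFAULT_DENY, DEFAULT_ALLOW])
# Reading 2 (the alternative the question raises): lowest to highest.
REVERSED = outcomes([DEFAULT_ALLOW, DEFAULT_DENY])

# Jim's roadblock: a narrower Deny stacked above the broad Allow. The
# outbound-SMTP rule is constructed for the example, not a DI-604 default.
BLOCK_SMTP = Rule("No outbound SMTP", "Deny", "LAN", ANY, "WAN", ANY, "TCP", "25")
STACKED = evaluate([BLOCK_SMTP, DEFAULT_DENY, DEFAULT_ALLOW],
                   Flow("LAN", "192.168.0.10", "WAN", "203.0.113.5", "TCP", "25"))
```

Under the manual's reading AS_LISTED comes out as LAN-LAN denied, LAN-WAN allowed and WAN-LAN denied, which is exactly the "only allow LAN-WAN" result the question predicts; REVERSED shows the alternative reading, and STACKED shows the same port-25 flow denied only because the narrower rule sits above the default Allow.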
 
kurttrail

 
      04-16-2004, 03:36 PM
*Vanguard* wrote:

> "kurttrail" said in news:(E-Mail Removed):
>>
>> Couldn't you have stated your problem a little more succinctly?
>>
>> Having given up trying to read all of your post, I would think
>> you should be getting your answers from DLink.
>>
>> http://support.dlink.com/

>
>
> The best way to not help is to not answer.


But that wouldn't be as fun!

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei!"


 