Access Control Lists - CompTIA Network+ N10-007 Prof Messer





  • Is there a way to deny all incoming traffic to your firewall?



  • You set the default action for the traffic to be dropped.

    This is actually typical. Here is my setup. WAN_IN is just a descriptive name, meaning traffic hitting the WAN port and destined for something on the internal LAN. This is your normal return traffic.

    set firewall name WAN_IN default-action drop
    set firewall name WAN_IN description 'WAN to internal'
    

    Then you set specific allow rules for the traffic you want.

    For example, if you do not allow the return leg of established outbound traffic, nothing will work because the firewall blocked everything coming back.

    set firewall name WAN_IN rule 10 action accept
    set firewall name WAN_IN rule 10 description 'Allow established/related'
    set firewall name WAN_IN rule 10 state established enable
    set firewall name WAN_IN rule 10 state related enable
    


  • @mary said in Access Control Lists - CompTIA Network+ N10-007 Prof Messer:

    Is there a way to deny all incoming traffic to your firewall?

    Sure. But if you think about it, you'd absolutely never want this. This would be the same as disconnecting the network. If you wanted to do this, you would simply unplug the network instead (as that is more reliable). The only reason to truly "deny all" is to go offline. And if you want to be offline you logically want it to be really reliable, and since you'd want no traffic to make it through no matter what in that situation, pulling the plug is the better choice 99.99% of the time.