If you’re planning to take the CompTIA Security+ exam and want to know about firewall rule components, this blog post and video are for you.
Several people have asked me how to create a firewall rule. I’ve explained them in the CompTIA Security+: Get Certified Get Ahead Study Guide and in blog articles. I’ve even created some performance-based questions on the premium site to help people see how they might be tested.
Still, some people learn better with a video so here it is.
Example Firewall Rule
As an example, imagine you needed to allow HTTPS traffic from the Marketing server to Web Server 2. You would need to create a firewall rule with the appropriate components.
Firewall Rule Components
The components of a firewall rule are:
- Permission (Allow or Deny)
- Protocol (TCP, UDP, IP, Any)
- Destination port (Know the ports from Table 3.1 in Study Guide)
- Source IP
- Destination IP
The permission is almost always allow. The last rule in the firewall will be an implicit deny rule. This blocks all traffic that wasn’t previously allowed.
HTTPS traffic uses TCP port 443, so the protocol is TCP and the destination port is 443.
At this point, we know the following elements.
- Permission Allow
- Protocol TCP
- Destination port 443
Next, you’ll need to identify the source IP address.
CIDR Notation in a Firewall Rule
The marketing computer has an IP address of 10.4.80.10.
You can see that it has a CIDR notation of /23. This indicates a subnet mask of 255.255.254.0, but don’t let that distract you.
That refers to the subnet where the marketing computer is located.
When you create a rule for a single computer, you use /32 as the CIDR notation.
A /32 CIDR notation indicates the subnet mask is 255.255.255.255, but /32 is a lot easier to say.
So, the source IP address for our rule is 10.4.80.10 /32.
- Permission Allow
- Protocol TCP
- Destination port 443
- Source IP 10.4.80.10 /32
- Destination IP
Next, we need the destination IP.
The Web server 2 IP address is 10.4.81.5. The CIDR notation is /24, indicating a subnet mask of 255.255.255.0.
However, we want to create a rule for the single computer, not the subnet, so we use a CIDR notation of /32, short for 255.255.255.255. At this point, you know all the components of the firewall rule.
- Permission Allow
- Protocol TCP
- Destination port 443
- Source IP 10.4.80.10 /32
- Destination IP 10.4.81.5 /32
Looking at the Firewall Rule
Here’s another way of looking at the components of the rule. It matches the words of the rule with the actual components of the rule.
Different firewalls have different interfaces and syntax so there isn’t a standard way of entering this information. However, if you understand the components of the rule, you can plug the data into the interface.
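To make the components concrete, here is a small rule evaluator I have added for this post (it is not from the study guide, the video, or any particular firewall product). It models a first-match rule base with an implicit deny at the end, using Python's ipaddress module; the Rule class, the "any"/"ip" handling and the /23 comparison are my own simplifications.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule built from the five components in the post."""
    permission: str          # "allow" or "deny"
    protocol: str            # "tcp", "udp", "ip" or "any"
    dst_port: Optional[int]  # None means the rule does not check the port
    src: str                 # source in CIDR notation, e.g. "10.4.80.10/32"
    dst: str                 # destination in CIDR notation

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        # Simplification (my assumption): "any" and "ip" match every transport protocol.
        if self.protocol not in ("any", "ip") and self.protocol != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        # A /32 network contains exactly one address; a /23 contains 512.
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False))


# The rule worked out in the post: allow HTTPS from the Marketing server to Web Server 2.
MARKETING_TO_WEB2 = Rule("allow", "tcp", 443, "10.4.80.10/32", "10.4.81.5/32")

# The widened variant asked about in the comments: the whole Marketing /23 subnet.
MARKETING_SUBNET_TO_WEB2 = Rule("allow", "tcp", 443, "10.4.80.0/23", "10.4.81.5/32")


def evaluate(rules, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the permission of the first matching rule, or the implicit deny."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dst_port):
            return rule.permission
    return "deny"  # implicit deny: nothing earlier allowed this traffic


if __name__ == "__main__":
    base = [MARKETING_TO_WEB2]
    # Constructed sample connections, not captured traffic.
    print(evaluate(base, "tcp", "10.4.80.10", "10.4.81.5", 443))  # allow
    print(evaluate(base, "tcp", "10.4.80.11", "10.4.81.5", 443))  # deny: other host in the /23
    print(evaluate(base, "tcp", "10.4.80.10", "10.4.81.5", 80))   # deny: wrong port
    print(evaluate([MARKETING_SUBNET_TO_WEB2], "tcp", "10.4.80.11", "10.4.81.5", 443))  # allow
```

Comparing the last two rules shows why the comment question matters: the /32 rule admits one host, while the /23 rule admits every address from 10.4.80.0 through 10.4.81.255.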
Testing Your Knowledge of a Firewall Rule
Similarly, if you understand the components of the rule, you can answer Security+ test questions no matter how they are asked. This includes:
- Basic multiple choice questions such as “What port would you open to allow HTTPS traffic?”
- Fill in the blank questions that ask you to type in the elements of the rule.
- Questions with drop-down menus that ask you to select the appropriate elements of the rule.
- Drag and drop questions similar to questions available on the Get Certified Get Ahead premium site. You can see a demo of drag and drop questions here.
You can also watch this video to see a Firewall Rule question demonstrated here:
Thanks for your prompt response and for clarifying the solution! Again, great site and content.
> For the rule, why would we default to /32 and not simply restrict the
> rule to the network of the Marketing computer, /23?
Because the requirement is to “allow HTTPS traffic from the Marketing server” to Web Server 2, not from all computers in the network to the web server.
If your boss asks you to “Please invite Lisa from the marketing department to join me for lunch,” he would likely be a little disappointed if you invited all employees from the marketing department to join him.
> Is using /32 for a single computer a standard practice?
It’s used on some firewalls. Some firewalls use only the IP address and not the subnet mask, but if a firewall requires the subnet mask, you need to know the correct one to use.
A better question might be
“Should I know that /32 can be used to identify a single computer in a firewall rule if I’m preparing for the Security+ exam?”
Yes.
For the rule, why would we default to /32 and not simply restrict the rule to the network of the Marketing computer, /23? Is using /32 for a single computer a standard practice?
Thanks, you have a great site!