Ordering Firewall Rules

Building a rule set is not difficult, but it is necessary to focus on the details, as some rules can be complex. The most important aspect of a firewall rule set is its order. Getting rules out of order causes unexpected and unwanted consequences, including traffic you want to block, as well as other unwanted traffic, crossing the checkpoint. Rule-set ordering is critical to the successful operation of firewall security.

When the wrong rule is positioned first, this creates a potential loophole. A loophole is a flaw in the logic of filtering that will allow an unwanted action to occur. A firewall can perform only the operations for which it is programmed, and the specifics of and the order of the rules are a form of programming. Take the time to evaluate, test, and verify that you have defined all firewall rules correctly and placed each in the best order.

The first and most basic rule-set-ordering convention is that the universal Deny rule should be the last rule. The use of deny by default, or default denial, rests on the premise that the last rule is the catchall rule that blocks all traffic not allowed by a previous rule-based exception.

Another common guideline to rule-set ordering is to place critical Deny exceptions first or early in the rule set. When specific internal or external IP addresses or ports, or even entire protocols, are to be absolutely blocked, you may need a Deny exception rather than relying upon the default-deny final rule. Some of the previous Allow exceptions might inadvertently permit communications due to universal application (with the use of ANY). By using a preemptive specific enforced denial before any of the Allow exceptions, you eliminate the possibility of accidentally allowing a known malicious or unwanted communication.

Whenever possible, use fewer rules rather than more rules. Even with proper ordering, the more rules you have, the greater the likelihood of configuring something incorrectly or creating a loophole. One issue that causes more rules rather than fewer is infrastructure design specifically related to addressing. A need for more rules arises if a range of IP addresses is allowed access, but within that range, some addresses are refused access. For example, compare two scenarios.

First, a network has a host address range of 192.168.42.140–190. All hosts except for 188, 189, and 190 are allowed access to a certain port. A single rule allowing hosts 140–187 is all that is necessary, because the default-deny rule takes care of blocking the remaining, non-included hosts.

Second, a network has a host address range of 192.168.42.140–190. All hosts except for 165, 171, and 188 are allowed access to a certain port. You need multiple rules to use this configuration. One or more rules must define Deny exceptions for 165, 171, and 188, followed by the Allow rule of the 140–190 range. If the firewall allows only a single address or a range of addresses per rule rather than allowing a list of nonsequential addresses, then three Deny rules would be necessary in this scenario.

As this example shows, network design and addressing can make firewall rule-set construction either larger and more complex or shorter, more distinct, and more compact. The latter is preferred for administrative purposes, as well as for security and efficiency. If creating rules requires a significant number of special exceptions to modify or adjust ranges of addresses or ports, consider reconfiguring the network rather than using a rule set that is too complex or too long. When designing or writing firewall rules, especially pairs or sets of rules, consider whether adjusting the network's addressing scheme, infrastructure design, or subnet layout would allow a single rule or a simpler rule set.

As another guideline to ordering rule sets, consider placing rules related to more common traffic earlier in the set rather than later. Comparing traffic to the rule sets takes time; each check of each rule takes some finite amount of time. The fewer rules it needs to check before granting an Allow, the less delay to the traffic stream. Prioritize in the rule-set list the more commonly used forms of traffic, whether by IP address, port, or protocol. Put the less commonly used forms of traffic further down in the rule-set list.

As rule sets get larger, each becomes more complex. Often, the complexity stems from having explicit Allow rules with additional Deny specifications. This results in rules that overlap. Overlapping is acceptable when you understand it and use it on purpose. When overlapping occurs accidentally, it can result in undesired loopholes. Again, the solution is to keep the rule set as simple as possible, document the intention behind every rule, and test each rule thoroughly before deployment.

Ultimately, rule sets are about enforcing security relevant to the organization. The rule set should reflect the guidelines prescribed in your written security policy, specifically the firewall policy. The goal of designing, writing, and ordering rules for a firewall should be to focus on obtaining the necessary security. Elegance and speed are dividends, but not as essential as blocking the bad and allowing the good traffic. Never lose focus on the primary goal: filtering traffic in accordance with your security policy.
