About Smoothwall Firewall rules

The Smoothwall Firewall rules are organized into sections. You can create rules in the current section or create a new section. If a section already contains rules, you can add a new rule at the top or the bottom of it. The Smoothwall Firewall evaluates rules from top to bottom, and the first rule that matches a packet decides what happens to it, so a rule placed higher in the list takes precedence over any rule below it.

On initial setup, the Smoothwall Firewall contains two default rules. The first allows all traffic from the internal network to the Internet. The second, in the catch-all section, blocks all traffic in and out, so anything not explicitly allowed by a rule placed before it is blocked.

For example, the first rule suits an office environment where the users themselves are responsible for the material they upload and the apps they use. Note that this rule does not block tools such as UltraSurf or VPNs, which could be used to bypass the Smoothwall Firewall's controls and connect directly to the Internet.

In a school, or any environment where children or vulnerable people must be protected, it's common instead to create rules that allow only specific services or applications out to the Internet and then change the default rule to block all other outbound traffic. If you also have Smoothwall Filter, blocking all traffic in this way means the only traffic allowed out is traffic that goes through the Filter or that matches a specific rule you've added.

If your Smoothwall was upgraded from a version prior to the Inverness Castle release, it will also have several migrated Smoothwall Firewall rules in the Migrated outgoing policy rules section. These are specific to your organization.

Routing Access Control Lists (ACLs)

ACLs control which traffic is routed between networks. By default, the Smoothwall Firewall isolates all internal networks from each other. You can create access control policies to permit specific communication between networks for resource sharing. For example, in a corporate environment you might want to keep departmental networks isolated from each other but allow every department to reach the printers on one of them.

Reply packets within the same connection are handled by the same rule that allowed the connection, so you don't need a separate rule for the return traffic. If communication between two networks should be allowed to start from either side, add both networks to both the Source and the Destination interfaces or IP addresses sections.

For example:

  • Source interface LAN1, destination interface LAN2: traffic can go from LAN1 to LAN2 and replies are allowed back, but LAN2 cannot initiate traffic into LAN1.
  • Source interfaces LAN1 and LAN2, destination interfaces LAN2 and LAN1: the Smoothwall Firewall acts as a router between LAN1 and LAN2 and traffic is allowed both ways.
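The following is an added illustration, not Smoothwall's own code or rule syntax. It models the behaviour described above: rules are walked top to bottom and the first match decides, a catch-all block ends the list, and reply packets belong to the rule that admitted the connection. It then checks the two LAN1/LAN2 cases from the list, plus a case showing that swapping the order of two rules changes the verdict. The interface names, addresses and ports are made up for the example.

```python
"""Toy model of ordered, stateful firewall rule evaluation (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def flow(self) -> Tuple:
        # 5-tuple identifying the connection this packet belongs to.
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self) -> Tuple:
        # The same connection seen from the other direction (a reply).
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    name: str
    src_ifs: frozenset                  # source interfaces; {ANY} matches all
    dst_ifs: frozenset                  # destination interfaces; {ANY} matches all
    action: str                         # "allow" or "block"
    dports: Optional[frozenset] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((ANY in self.src_ifs or pkt.src_if in self.src_ifs)
                and (ANY in self.dst_ifs or pkt.dst_if in self.dst_ifs)
                and (self.dports is None or pkt.dport in self.dports))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = {}  # flow 5-tuple -> name of the rule that admitted it

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        # Packets of an already admitted connection, in either direction, are
        # handled by the rule that admitted it; no rule walk takes place.
        for key in (pkt.flow(), pkt.reverse_flow()):
            if key in self.conntrack:
                return "allow", self.conntrack[key]
        # New connection: walk top to bottom, the first matching rule wins.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.conntrack[pkt.flow()] = rule.name
                return rule.action, rule.name
        # Not reachable while a catch-all block is present; fail closed anyway.
        return "block", "implicit-default"


CATCH_ALL = Rule("catch-all-block", frozenset({ANY}), frozenset({ANY}), "block")

# Constructed sample traffic: a LAN1 host printing to LAN2, and a LAN2 host
# trying to open a new SMB connection back into LAN1.
PRINT_REQ = Packet("LAN1", "LAN2", "10.1.0.5", "10.2.0.9", "tcp", 51000, 9100)
PRINT_REPLY = Packet("LAN2", "LAN1", "10.2.0.9", "10.1.0.5", "tcp", 9100, 51000)
SMB_FROM_LAN2 = Packet("LAN2", "LAN1", "10.2.0.9", "10.1.0.5", "tcp", 40000, 445)


def one_way_acl():
    """Source LAN1 -> destination LAN2 only: replies return, LAN2 cannot initiate."""
    fw = Firewall([Rule("lan1-to-lan2", frozenset({"LAN1"}), frozenset({"LAN2"}), "allow"),
                   CATCH_ALL])
    return fw.decide(PRINT_REQ), fw.decide(PRINT_REPLY), fw.decide(SMB_FROM_LAN2)


def two_way_acl():
    """Both interfaces in both fields: the firewall routes freely between them."""
    both = frozenset({"LAN1", "LAN2"})
    fw = Firewall([Rule("lan1-lan2-router", both, both, "allow"), CATCH_ALL])
    return fw.decide(PRINT_REQ), fw.decide(PRINT_REPLY), fw.decide(SMB_FROM_LAN2)


def ordering_matters():
    """The same two rules give different verdicts depending on which is on top."""
    allow_print = Rule("allow-printing", frozenset({"LAN1"}), frozenset({"LAN2"}),
                       "allow", frozenset({9100}))
    block_lan1 = Rule("block-lan1-out", frozenset({"LAN1"}), frozenset({ANY}), "block")
    print_first = Firewall([allow_print, block_lan1, CATCH_ALL])
    block_first = Firewall([block_lan1, allow_print, CATCH_ALL])
    return print_first.decide(PRINT_REQ), block_first.decide(PRINT_REQ)


if __name__ == "__main__":
    print(one_way_acl())
    print(two_way_acl())
    print(ordering_matters())
```

In the one-way case the print reply is admitted by the `lan1-to-lan2` rule via the connection table, while the fresh SMB connection from LAN2 falls through to the catch-all block; in the two-way case the same SMB connection is allowed. The ordering case is the trap to check for when adding rules to the top of a section: a broad block placed above a narrow allow shadows it completely.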

User group membership

In addition to access control rules based on interfaces or IP addresses, you can create rules based on user group membership. Group-based rules are dynamic: they take effect for a user only after that user has signed in to the Smoothwall Firewall, either by authenticating to Smoothwall Filter or by another means.