A Deny firewall rule terminates matching network sessions by replying TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests or ICMP Denied by Filter for other IP protocols. Because the remote host receives a reply, it knows that your system is up and running and protected by a firewall.
Create a Deny Firewall Rule
- Open the Forwarding Rules page (Config > Full Config > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules ).
- Click Lock.
- Either click the plus icon (+) in the top right of the rule set, or right-click the rule set and select New > Rule.
- Select Deny as the action.
- Enter a Name for the rule. For example,
- Specify the following settings that must be matched by the traffic to be handled by the firewall rule:
- Source – The source addresses.
- Destination – The destination addresses of the traffic.
- Service – Select a service object, or select Any for this rule to match for all services.
- Click OK.
- Drag and drop the firewall rule so that it is the first rule that matches the traffic that you want it to deny. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
- Click Send Changes and Activate.
Additional Matching Criteria
- Authenticated User – For more information, see User Objects.
- Time Objects – For more information, see Time Objects.