Using Network Access Policy Rules 159

When evaluating rules, the Firewall uses the following criteria:

- A rule defining a specific service is more specific than the default rule.
- A defined Ethernet link, such as LAN, WAN, or DMZ, is more specific than * (all).
- A single IP address is more specific than an IP address range.

Rules are listed in the Web interface from most specific to the least specific, and rules at the top override rules listed below.

Examples of Network Access Policies

The following examples illustrate methods for creating Network Access Policy Rules.

Blocking LAN Access to Specific Protocols

This example shows how to block all LAN access to NNTP servers on the Internet.

1 For the Action, choose Deny.
2 From the Service list, choose NNTP. If the service is not listed in the menu, add it in the Add Service window.
3 Select LAN from the Source Ethernet list.
4 Since all computers on the LAN are to be affected, enter * in the Source Addr. Range Begin box.
5 Select WAN from the Destination Ethernet menu.
6 Since the intent is to block access to all NNTP servers, enter * in the Destination Addr. Range Begin box.
7 Click Add Rule.

Block Access to Specific Users

This example shows how to create a rule which blocks a certain range of computers, such as a competitor, from accessing the public Web server on the LAN or DMZ.

1 For the Action, choose Deny.
2 From the Service list, choose HTTP.
3 Select WAN from the Source Ethernet list.

DUA1611-0AAA02.book Page 159 Thursday, August 2, 2001 4:01 PM
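The specificity ordering described above, as an added Python example that is not part of the manual: it sorts a rule set the way the Web interface lists it (most specific first) and returns the action of the first matching rule. Only the LAN-to-WAN NNTP deny rule and the shape of the HTTP deny rule come from the page; the default rule, the single-host NNTP exception, the Web server address and the competitor range are constructed to show each criterion overriding a less specific rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Rule:
    action: str      # "Allow" or "Deny"
    service: str     # service name such as "NNTP" or "HTTP"; "*" means any (default rule)
    src_link: str    # Source Ethernet: "LAN", "WAN", "DMZ" or "*" (all)
    src_addr: str    # "*", a single IP, or a range written "begin-end"
    dst_link: str    # Destination Ethernet, same forms as src_link
    dst_addr: str    # Destination address, same forms as src_addr

def addr_specificity(addr: str) -> int:
    """* (all) < address range < single IP address."""
    if addr == "*":
        return 0
    return 1 if "-" in addr else 2

def addr_matches(addr: str, ip: str) -> bool:
    """True when ip is covered by addr (*, single address, or begin-end range)."""
    if addr == "*":
        return True
    begin, _, end = addr.partition("-")
    return ip_address(begin) <= ip_address(ip) <= ip_address(end or begin)

def specificity(rule: Rule) -> tuple:
    """Sort key: a named service beats the default rule, a named link beats *,
    and a narrower address beats a wider one, checked in that order."""
    return (rule.service != "*", rule.src_link != "*", rule.dst_link != "*",
            addr_specificity(rule.src_addr), addr_specificity(rule.dst_addr))

def order_rules(rules):
    """Most specific first, as the Web interface lists them."""
    return sorted(rules, key=specificity, reverse=True)

def evaluate(rules, service, src_link, src_ip, dst_link, dst_ip):
    """Return the action of the first (most specific) rule that matches the flow."""
    for r in order_rules(rules):
        if (r.service in ("*", service) and r.src_link in ("*", src_link)
                and r.dst_link in ("*", dst_link)
                and addr_matches(r.src_addr, src_ip)
                and addr_matches(r.dst_addr, dst_ip)):
            return r.action
    return "Deny"  # assumption: no rule matched, fail closed

# Constructed rule set; addresses are documentation ranges, not values from the manual.
RULES = [
    Rule("Allow", "*", "*", "*", "*", "*"),                    # default rule (assumed)
    Rule("Deny", "NNTP", "LAN", "*", "WAN", "*"),              # example 1 from the page
    Rule("Allow", "NNTP", "LAN", "192.168.1.10", "WAN", "*"),  # single host beats *
    Rule("Allow", "HTTP", "WAN", "*", "LAN", "192.0.2.10"),    # public Web server (constructed)
    Rule("Deny", "HTTP", "WAN", "203.0.113.0-203.0.113.255", "LAN", "192.0.2.10"),  # competitor range beats *
]
```

Because `order_rules` sorts before matching, the competitor range deny is evaluated before the broader Web server allow, and the single-host NNTP allow before the LAN-wide NNTP deny, matching the override behaviour the manual describes.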