NOTE:
Opening holes in your firewall can compromise your LAN's security if done
incorrectly.
(You may want to refer to the Access Controls Management Interface page
as you read this section. NOTE that the SOHO does not have the DMZ
function, so you won't see the DMZ checkboxes.)
The SOHO's access controls manage the flow of traffic (data)
through its firewall and are based on Services and Rules:
- Each Service is a Name / single Port Number / Protocol association.
  For example, the HTTP (Webserver) rule is defined as Port 80, with
  the TCP Protocol.
  The SOHO comes with common Services such as HTTP, FTP, DNS, POP3,
  SMTP, etc. already defined and you can add your own services up to
  a total of 128 Services.
- Each Rule contains an Action (Allow or Deny), Source IP address,
  Destination IP address, and IP protocol to decide if the IP traffic
  is allowed to pass through the firewall.
The Default rules that come with the router ALLOW all traffic to pass
from LAN to WAN and DENY all traffic to pass from WAN to LAN. The
Help page that can be accessed from the Access page does a good job of
explaining the process and mechanics of establishing new rules.
Once you have defined Services, you can set up new rules on either the
Services page or Rules page. The Services page method may be more
familiar to users of inexpensive routers; the Rules page method may be
more familiar to users accustomed to dealing with professional-level
firewall products. Note that you can't modify or disable the stateful
packet inspection features of the firewall, so you're always protected
against Denial of Service (DoS) attacks and port scans. But since custom
(user-defined) Rules take precedence over stateful packet inspection,
you can weaken the firewall with Rules that open too many ports or
ports used by applications such as Back Orifice.
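
The following Python example is added here and is not SonicWall's code or
part of the original review. It models Services and Rules as described
above, applies the default rules, and audits custom rules for the kind of
weakening the text warns about. The LAN range, first-match ordering of
custom rules, the review threshold and the sample rule set are
assumptions; 31337/udp is Back Orifice's well-known default port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Service:                      # Name / single Port Number / Protocol
    name: str
    port: int
    protocol: str

@dataclass(frozen=True)
class Rule:                         # simplified: protocol and port come from the Service
    action: str                     # "allow" or "deny"
    source: str                     # CIDR, "0.0.0.0/0" = any
    destination: str
    service: Service

LAN = ip_network("192.168.168.0/24")                     # assumed LAN range
RISKY_PORTS = {(31337, "udp"): "Back Orifice default"}   # well-known default port
MAX_INBOUND_ALLOWS = 5                                   # assumed review threshold

def decide(rules, src, dst, port, proto):
    """Custom rules first (first match wins: an assumption), then the defaults."""
    for r in rules:
        if (ip_address(src) in ip_network(r.source)
                and ip_address(dst) in ip_network(r.destination)
                and (r.service.port, r.service.protocol) == (port, proto)):
            return r.action
    # Defaults from the text: LAN to WAN is allowed, WAN to LAN is denied.
    return "allow" if ip_address(src) in LAN else "deny"

def audit(rules):
    """Return findings for custom rules that open the LAN to the WAN."""
    inbound = [r for r in rules if r.action == "allow"
               and not ip_network(r.source).subnet_of(LAN)
               and ip_network(r.destination).overlaps(LAN)]
    findings = []
    for r in inbound:
        key = (r.service.port, r.service.protocol)
        if key in RISKY_PORTS:
            findings.append(f"{r.service.name}: opens {RISKY_PORTS[key]} port {key[0]}/{key[1]}")
        if ip_network(r.destination).num_addresses > 1:
            findings.append(f"{r.service.name}: destination {r.destination} is wider than one host")
    if len(inbound) > MAX_INBOUND_ALLOWS:
        findings.append(f"{len(inbound)} inbound allow rules (more than {MAX_INBOUND_ALLOWS})")
    return findings

# Constructed sample rule set (not from the page).
HTTP = Service("HTTP", 80, "tcp")
CUSTOM = Service("Custom-31337", 31337, "udp")
SAMPLE = [Rule("allow", "0.0.0.0/0", "192.168.168.10/32", HTTP),
          Rule("allow", "0.0.0.0/0", "192.168.168.0/24", CUSTOM)]
```
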
Other Access features are a checkbox that will allow Microsoft
Networking (NetBIOS) traffic to flow from LAN to WAN, and a "stealth"
mode that will cause inbound packets to be dropped instead of the firewall
responding with a message that the port is closed (this is NOT
enabled by default). You can also change the outbound connection
timeout from its default of 5 minutes.
User privileges are a little tricky to understand, so let's start with
the easy stuff first. Any Access controls you define apply to all users,
both LAN and WAN based, by default. You can define up to 100 users
with privileged access rights, with two privileges available:
- Unrestricted access to the LAN from a remote location on the Internet
- Unrestricted access to the Internet from the LAN (bypassing Web,
News, Java, and ActiveX blocking)
The first privilege is available only if you are not using
NAT, i.e. are just using the firewall features of the SOHO and have routable
IP addresses assigned to all your LAN machines. The second feature
is available no matter what mode you're using and allows selected users
to bypass any filtering that you establish.
The last Access feature is control of the Management interface.
The default is control from LAN only, and you can choose to enable control
from the LAN and WAN, or from SonicWall's Global Management System.
The WAN Management Access is fully encrypted via IPsec and you must install
a VPN client (downloadable from the SonicWall Web site) on whatever
computers you will use to manage the SOHO remotely. You won't get that
kind of remote management security from the cheaper routers!
That's pretty much it for how to control WHO has access to your
LAN. Now let's see how you can control WHAT they can look at!