Subnet-Calculator.Pro
Firewall Rule / ACL Generator
A Guide to Firewall Rules and Access Control Lists (ACLs)
Simplify the creation of complex firewall rules with our universal ACL Generator. This tool is indispensable for network security professionals and administrators, allowing you to quickly generate the correct command syntax for Access Control Lists on a wide variety of platforms, including Cisco, Juniper, MikroTik, and Fortinet. Stop worrying about syntax errors and focus on implementing a robust security policy by defining traffic parameters and letting the tool do the work.
About the ACL & Firewall Rule Generator
An Access Control List (ACL) is a sequence of permit or deny rules that control which traffic is allowed or blocked on a network. They are one of the most fundamental building blocks of network security. However, the command syntax for creating these rules varies significantly between different network vendors. This tool acts as a universal translator, providing a single, intuitive interface to define a security rule. You specify the parameters—like the action, protocol, source, and destination—and the generator produces the precise, ready-to-use command syntax for your chosen platform. This saves time, reduces errors, and helps network professionals implement consistent security policies across multi-vendor environments.
How the Generator Works and How to Use It Effectively
The generator is designed to guide you through the process of building a rule, from general policy to specific traffic details.
Using the Generator: A Step-by-Step Guide
- Select Vendor and Action: Start by choosing your network equipment vendor (e.g., "Cisco IOS") from the dropdown. Then, select the primary action for your rule: 'Permit' to allow traffic or 'Deny' to block it.
- Define Identification: Fill in the vendor-specific identification fields. For Cisco, this would be the ACL Type (Standard/Extended) and Number. For Juniper, it would be the Filter and Term names. For MikroTik, you would select the appropriate Chain.
- Specify Traffic Specifics: This is where you define what traffic the rule will match.
  - Protocol: Choose the protocol, such as TCP, UDP, ICMP, or IP (which matches any protocol).
  - Source & Destination: Enter the source and destination IP addresses. You can use 'any' to match all addresses. For Cisco, you must also provide a wildcard mask; for other vendors, use standard CIDR notation (e.g., `10.1.1.0/24`).
  - Ports: If you selected TCP or UDP, you can specify source and destination ports to make the rule more specific (e.g., destination port 'eq 443' for HTTPS).
- Generate and Copy: Click the "Generate" button. The complete, syntactically correct command will appear in the results box, ready for you to copy and paste into your device's command-line interface.
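As an added example (not the tool's own code), the following Python shows how the parameters collected in the steps above can be rendered for two of the platforms the tool supports: a Cisco IOS numbered extended ACL, where CIDR input must become a wildcard mask and the `host`/`any` shorthands apply, and a MikroTik RouterOS filter rule, where CIDR is used as-is. The function names and the sample rules are constructed for this illustration.

```python
import ipaddress

def cidr_to_cisco(cidr):
    """Render an address for a Cisco extended ACL: 'any' for 0.0.0.0/0,
    'host A.B.C.D' for a /32, otherwise 'network wildcard' where the
    wildcard mask is the inverted subnet mask (ipaddress calls it hostmask)."""
    if cidr.lower() == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def cisco_extended(acl_number, action, protocol, src, dst, dst_port=None):
    """Build one numbered extended ACE; action is 'permit' or 'deny'."""
    if dst_port is not None and protocol not in ("tcp", "udp"):
        raise ValueError("ports only apply to tcp/udp")
    ace = f"access-list {acl_number} {action} {protocol} {cidr_to_cisco(src)} {cidr_to_cisco(dst)}"
    return ace + (f" eq {dst_port}" if dst_port is not None else "")

def mikrotik_filter(chain, action, protocol, src, dst, dst_port=None):
    """Same rule for RouterOS: CIDR is used directly, 'any' is expressed by
    leaving the address parameter out, and permit/deny become accept/drop."""
    if dst_port is not None and protocol not in ("tcp", "udp"):
        raise ValueError("ports only apply to tcp/udp")
    parts = [f"/ip firewall filter add chain={chain}",
             f"action={'accept' if action == 'permit' else 'drop'}"]
    if protocol != "ip":
        parts.append(f"protocol={protocol}")
    for key, value in (("src-address", src), ("dst-address", dst)):
        if value.lower() != "any":
            parts.append(f"{key}={ipaddress.ip_network(value, strict=False)}")
    if dst_port is not None:
        parts.append(f"dst-port={dst_port}")
    return " ".join(parts)

if __name__ == "__main__":
    # Constructed sample: deny one host, then permit a LAN to one server on HTTPS.
    print(cisco_extended(101, "deny", "ip", "192.168.1.50/32", "any"))
    print(cisco_extended(101, "permit", "tcp", "192.168.1.0/24", "10.0.0.5/32", 443))
    print(mikrotik_filter("forward", "permit", "tcp", "192.168.1.0/24", "10.0.0.5/32", 443))
```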
The Fundamentals of Access Control Lists
ACLs are the gatekeepers of your network. They are a list of sequential rules that a router or firewall uses to inspect every packet that passes through an interface. Understanding their logic is critical for implementing effective security.
The Logic of ACL Processing
When a packet arrives at an interface with an ACL applied, the device processes it in a specific order:
- Top-Down Processing: The device checks the packet against the first rule in the ACL.
- First Match Wins: If the packet matches the criteria of the first rule, the device immediately executes the action (permit or deny) and stops processing the ACL for that packet.
- Sequential Checking: If there is no match, the device moves to the second rule in the list and repeats the check. This continues down the list.
- The Implicit Deny: If the packet reaches the end of the ACL without matching any of your custom rules, it is dropped. This is because nearly all ACL implementations have an invisible, unwritten rule at the end: `deny any`. This "deny by default" principle is a cornerstone of network security.
Because processing stops at the first match, the order of your ACL rules is extremely important. More specific rules must always be placed above more general rules. If you place a broad `permit any` rule at the top of your list, no deny rules below it will ever be checked.
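As an added example (not from the page or the tool), the following Python evaluates a Cisco-style extended ACL exactly as described above: top-down, first match wins, implicit deny when no rule matches, with `host`/`any` and wildcard-mask matching (a 0 bit must match, a 1 bit is ignored, which is also the point made in the FAQ on wildcard masks further down). The parser, the sample ACLs and the packets are constructed for this illustration, and the parser handles only the destination-port `eq` form used on this page.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Consume one Cisco address spec at tokens[i]; return ((network, wildcard), next).
    In the wildcard mask a 0 bit must match and a 1 bit is 'don't care'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":                      # host X is shorthand for X 0.0.0.0
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def parse_ace(line):
    """Parse '[access-list N] permit|deny proto SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}

def _addr_match(spec, ip):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF                    # the bits the rule insists on
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def evaluate(acl, pkt):
    """Top-down, first match wins. Returns (action, 1-based rule index); falling
    off the end returns ('deny', None), the implicit deny every ACL ends with."""
    for n, r in enumerate(acl, 1):
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        return r["action"], n
    return "deny", None

# Constructed sample ACLs: the second puts a broad permit first, so its deny is dead.
ACL_ORDERED = [parse_ace(l) for l in (
    "access-list 101 deny ip host 192.168.1.50 any",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443")]
ACL_SHADOWED = [parse_ace(l) for l in (
    "access-list 102 permit ip any any",
    "access-list 102 deny ip host 192.168.1.50 any")]

if __name__ == "__main__":
    bad_host = {"proto": "tcp", "src": "192.168.1.50", "dst": "10.0.0.5", "dport": 443}
    print(evaluate(ACL_ORDERED, bad_host))     # ('deny', 1)
    print(evaluate(ACL_SHADOWED, bad_host))    # ('permit', 1): the deny is never reached
```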
Standard vs. Extended ACLs
In the context of router ACLs (particularly Cisco), there are two main types:
| Feature | Standard ACL | Extended ACL |
|---|---|---|
| Filtering Criteria | Source IP Address only. | Source IP, Destination IP, Protocol (TCP/UDP/ICMP), and Source/Destination Ports. |
| Cisco Number Range | 1-99 and 1300-1999 | 100-199 and 2000-2699 |
| Placement | Best placed as close to the destination as possible. | Best placed as close to the source as possible. |
| Use Case | Simple filtering where you only need to block or allow an entire host or network. | Complex, granular filtering needed for modern security policies (e.g., "Allow this server to access that server on the SQL port only"). |
Best Practices for ACL Management
- Apply the Principle of Least Privilege: Only permit the traffic that is absolutely necessary for business functions. Deny everything else.
- Be Specific: Make your rules as granular as possible. Instead of allowing all traffic from a host, specify the exact protocols and ports it needs to use.
- Use Remarks/Descriptions: Always add comments to your ACLs explaining the purpose of each rule. This is invaluable for future troubleshooting and auditing.
- Apply ACLs in the Correct Direction: Decide whether a rule should apply to traffic entering an interface (`in`) or leaving an interface (`out`). Applying it in the wrong direction can render it ineffective.
- Test Before Deploying: Whenever possible, test your ACLs in a lab environment before applying them to a production network. A misconfigured ACL can easily block critical traffic or even lock you out of the device you are managing.
While this tool helps generate the correct syntax, designing a comprehensive firewall policy requires a deep understanding of your network's traffic flows and security requirements. For any business, a network security professional should be responsible for designing, implementing, and regularly auditing firewall rules to ensure the organization remains secure.
Frequently Asked Questions about ACLs
What is a firewall ACL?
An ACL (Access Control List) is a set of rules used by routers and firewalls to filter network traffic. Each rule defines specific criteria (like source/destination IP, port, protocol) and an action (permit or deny) to be taken when a packet matches those criteria. ACLs are a fundamental tool for network security.
How do I use this ACL generator?
Select your vendor, choose the permit/deny action, fill in the identification (like ACL number), and then specify the traffic details (protocol, source IP, destination IP, and ports). Click 'Generate', and the tool will create the command for you.
What is the difference between a standard and an extended ACL?
A standard ACL (in Cisco terminology) can only filter based on the source IP address. An extended ACL is more powerful and can filter based on source IP, destination IP, protocol type (TCP, UDP), and port numbers.
What do 'permit' and 'deny' mean in an ACL?
'Permit' (or 'accept'/'allow') is an action that allows a packet matching the rule to pass through the firewall or router. 'Deny' (or 'drop'/'discard') is an action that silently drops the packet, preventing it from reaching its destination.
How are ACLs processed?
ACLs are processed sequentially from top to bottom. When a packet arrives, the device checks it against the first rule in the list. If it matches, the specified action (permit or deny) is taken, and no further rules are checked. If it doesn't match, the device moves to the next rule, and so on.
What is an implicit deny?
Most ACL implementations include an invisible, unwritten rule at the very end of the list called an 'implicit deny'. This rule denies all traffic that did not match any of the preceding permit rules. This means if you don't explicitly permit traffic, it will be blocked by default.
What is a wildcard mask and how is it used in ACLs?
A wildcard mask is used (primarily in Cisco ACLs) to specify which bits of an IP address must match the rule. It's the inverse of a subnet mask. A '0' means the bit must match, and a '1' is a 'don't care' bit. You can calculate these with our Wildcard Mask Calculator.
What is the best practice for placing ACLs?
A common best practice is to place extended ACLs as close as possible to the source of the traffic you want to filter. This prevents unwanted traffic from crossing your network unnecessarily. Standard ACLs, because they can't specify a destination, are typically placed as close to the destination as possible.
What does 'eq' mean in a Cisco ACL?
'eq' is a keyword that stands for 'equal'. It is used in extended ACLs to match a specific TCP or UDP port number. For example, 'eq 80' would match traffic destined for port 80 (HTTP).
Can I use hostnames in an ACL?
While some modern firewalls allow the use of FQDNs (Fully Qualified Domain Names) in rules, it is generally not recommended for router ACLs. Using hostnames requires the router to perform a DNS lookup for every packet, which can severely impact performance. It's always better to use static IP addresses.
What is a stateful firewall?
A stateful firewall tracks the state of active network connections. It allows return traffic for an established connection to pass back through automatically, without needing a separate rule to permit it. This is much more secure than stateless ACLs, which check every packet individually.
How do I block a single computer from accessing the network?
To block a single computer, you would create a deny rule specifying its source IP address. For example, in Cisco syntax: `access-list 101 deny ip host 192.168.1.50 any`. The `host` keyword is a shortcut for a wildcard mask of `0.0.0.0`.
How do I allow only web traffic?
To allow only standard web traffic (HTTP and HTTPS), you would create two permit rules for TCP ports 80 and 443, followed by a rule to deny all other traffic. For example: `permit tcp any any eq 80` and `permit tcp any any eq 443`.
What is the difference between 'drop' and 'reject'?
Some firewalls offer both 'drop' (or 'deny') and 'reject' actions. 'Drop' silently discards the packet, giving no response to the sender. 'Reject' discards the packet but sends an ICMP 'destination unreachable' error back to the sender. Dropping traffic is generally considered more secure as it does not reveal information about the firewall's presence.
What is an inbound vs. outbound ACL?
An inbound ACL is applied to traffic entering a router or firewall interface. An outbound ACL is applied to traffic leaving an interface. The direction is crucial for applying the correct security policy.
Why should I put more specific rules at the top of an ACL?
Because ACLs are processed from top to bottom, more specific rules should always be placed before more general rules. If a general rule (like `permit ip any any`) is placed first, it will match all traffic, and your more specific rules below it will never be checked.
Can I edit an existing ACL?
It depends on the platform. Traditional numbered Cisco ACLs were difficult to edit; you often had to delete and re-create the whole list. Modern named ACLs and sequence numbers on many platforms (like Cisco, Arista, Juniper) make it easy to insert, delete, or modify individual rules.
What is the purpose of a 'remark' in an ACL?
A 'remark' or 'description' is a comment you can add to an ACL. It does not affect the logic but is a critical best practice for documenting the purpose of a rule or the entire list, making it much easier for you or others to understand in the future.
What is a firewall policy in Fortinet?
In Fortinet's FortiOS, a firewall policy is the equivalent of an ACL rule. It ties together a source interface, destination interface, source address object, destination address object, service (port/protocol), and an action (accept or deny).
What is a 'term' in a Juniper firewall filter?
In Juniper's Junos OS, a firewall filter (the equivalent of an ACL) is made up of one or more 'terms'. Each term is like an individual rule within the ACL, containing match conditions (the 'from' statement) and an action (the 'then' statement).
What is a 'chain' in MikroTik?
In MikroTik's RouterOS, a 'chain' determines the flow of traffic that the firewall rule will apply to. The most common chains are 'input' (for traffic destined for the router itself), 'output' (for traffic originating from the router), and 'forward' (for traffic passing through the router from one interface to another).
Do I need an ACL on my home network?
Your home router has a built-in stateful firewall that, by default, blocks all unsolicited incoming traffic from the internet, which is a form of an ACL. For most home users, this default configuration is sufficient. Advanced users might create custom rules for things like port forwarding.
Can a misconfigured ACL take my network offline?
Yes, absolutely. A misconfigured ACL can easily block legitimate traffic, including access to critical servers, the internet, or even remote management access to the network device itself. It is crucial to be careful and, if possible, test rules before applying them to a production device.
How does IPv6 handle ACLs?
IPv6 uses a similar concept of ACLs to filter traffic. However, instead of wildcard masks, IPv6 ACLs use the simpler CIDR prefix length (e.g., /64) to specify address ranges. This makes writing rules for IPv6 generally more straightforward.
Should I hire a security professional to configure my firewall?
For any business network, firewall and ACL configuration is a critical security task that should be handled by a qualified network security professional. They can design and implement a comprehensive security policy that protects the network from threats while ensuring that legitimate business traffic is not impacted.