CompTIA Security+ (SY0-601) — Question 91
An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of the following would BEST accomplish this goal?
Answer options
- A.

  | Permission | Source | Destination | Port |
  | --- | --- | --- | --- |
  | Allow | Any | Any | 80 |
  | Allow | Any | Any | 443 |
  | Allow | Any | Any | 67 |
  | Allow | Any | Any | 68 |
  | Allow | Any | Any | 22 |
  | Deny | Any | Any | 21 |
  | Deny | Any | Any | |

- B.

  | Permission | Source | Destination | Port |
  | --- | --- | --- | --- |
  | Allow | Any | Any | 80 |
  | Allow | Any | Any | 443 |
  | Allow | Any | Any | 67 |
  | Allow | Any | Any | 68 |
  | Deny | Any | Any | 22 |
  | Allow | Any | Any | 21 |
  | Deny | Any | Any | |

- C.

  | Permission | Source | Destination | Port |
  | --- | --- | --- | --- |
  | Allow | Any | Any | 80 |
  | Allow | Any | Any | 443 |
  | Allow | Any | Any | 22 |
  | Deny | Any | Any | 67 |
  | Deny | Any | Any | 68 |
  | Deny | Any | Any | 21 |
  | Allow | Any | Any | |

- D.

  | Permission | Source | Destination | Port |
  | --- | --- | --- | --- |
  | Allow | Any | Any | 80 |
  | Allow | Any | Any | 443 |
  | Deny | Any | Any | 67 |
  | Allow | Any | Any | 68 |
  | Allow | Any | Any | 22 |
  | Allow | Any | Any | 21 |
  | Allow | Any | Any | |
Correct answer: A
Explanation
Option A is correct because it allows traffic for DHCP (ports 67 and 68), web (ports 80 and 443), and SFTP (port 22), while explicitly denying FTP traffic (port 21). Option B incorrectly allows FTP by permitting port 21 and denies port 22, which SFTP needs. Option C allows SFTP but denies DHCP, which contradicts the requirement. Option D denies DHCP and allows FTP, which also does not meet the specified needs.