MBR L13 User’s Guide (page 36)
the L13) according to a flexible and configurable set of rules. These rules are designed to prevent unwanted intrusions from the outside while allowing home users access to the Internet services that they require.

The firewall rules specify what types of services available on the Internet may be accessed from the local network and what types of services available in the local network may be accessed from the Internet. Each request for a service that the firewall receives, whether originating in the Internet or from a computer in the home network, is checked against the set of firewall rules to determine whether the request should be allowed to pass through the firewall. If the request is permitted to pass, then all subsequent data associated with this request (a "session") will also be allowed to pass, regardless of its direction.

For example, when you point your Web browser to a Web page on the Internet, a request is sent out to the Internet for this page. When the request reaches the L13, the firewall will identify the request type and origin (HTTP and a specific PC in your home network, in this case). Unless you have configured access control to block requests of this type from this specific computer, the firewall will allow the request to pass onto the Internet. When the Web page is returned from the Web server, the firewall will associate it with this session and allow it to pass, regardless of whether HTTP access from the Internet to the home network is blocked or permitted. The important issue to note here is that it is the origin of the request, not subsequent responses to this request, that determines whether a session can be established or not.
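The session logic described above, as an added illustration that is not code from the L13 or its vendor: a small model in which the origin of a request, checked against the security level's outbound list and the Access Control entries of Section 3.7.1.2 (one PC barred from the Web, another from FTP, the whole network from POP3), decides whether a session opens, after which data in either direction passes. Host names, remote addresses and entries are constructed sample values.

```python
from dataclasses import dataclass, field

# Outbound services the guide lists as allowed at Maximum Security.
MAX_SECURITY_OUTBOUND = {"TELNET", "FTP", "HTTP", "HTTPS", "DNS", "IMAP", "POP3", "SMTP"}


@dataclass
class Firewall:
    # Outbound services permitted by the selected security level.
    allowed_outbound: set = field(default_factory=lambda: set(MAX_SECURITY_OUTBOUND))
    # Access Control entries: (LAN host or "any", service) whose outgoing requests are blocked.
    access_control: set = field(default_factory=set)
    # Inbound services explicitly opened to the Internet (none by default).
    allowed_inbound: set = field(default_factory=set)
    # Established sessions, keyed (lan_host, remote, service).
    sessions: set = field(default_factory=set)

    def blocked_by_access_control(self, lan_host, service):
        return (lan_host, service) in self.access_control or ("any", service) in self.access_control

    def request(self, origin, lan_host, remote, service):
        """First packet of a new request; origin is 'lan' or 'wan'. True if a session opens."""
        if origin == "lan":
            ok = service in self.allowed_outbound and not self.blocked_by_access_control(lan_host, service)
        else:
            ok = service in self.allowed_inbound
        if ok:
            self.sessions.add((lan_host, remote, service))
        return ok

    def packet(self, lan_host, remote, service):
        """Subsequent data in either direction passes only if its session already exists."""
        return (lan_host, remote, service) in self.sessions


if __name__ == "__main__":
    # Constructed sample: pc-2 may not surf the Web, pc-3 may not use FTP, nobody may use POP3.
    fw = Firewall(access_control={("pc-2", "HTTP"), ("pc-3", "FTP"), ("any", "POP3")})
    print(fw.request("lan", "pc-1", "203.0.113.10", "HTTP"))   # True: session opens
    print(fw.packet("pc-1", "203.0.113.10", "HTTP"))           # True: reply rides the session
    print(fw.request("wan", "pc-1", "198.51.100.7", "HTTP"))   # False: unsolicited inbound HTTP
    print(fw.request("lan", "pc-2", "203.0.113.10", "HTTP"))   # False: blocked by Access Control
```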
These services include Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3 and SMTP. The list of allowed services at Maximum Security mode can be edited in the Access Control page. Note: Some applications (such as some Internet messengers and Peer-To-Peer client applications) tend to use these ports if they cannot connect with their own default ports. When opening those ports, these applications will not be blocked outbound, even at Maximum Security Level.
To configure L13 basic security settings:
1. Navigate to Services > Firewall (or Home > Firewall).
Figure 37: Firewall - General
2. Choose between the three predefined security levels described in the table above.
3. Select Block IP Fragments to protect the local network from a common type of hacker attack that could make use of fragmented data packets to sabotage your home network. Note that VPN over IPSec and some UDP-based services make legitimate use of IP fragments. You should be careful not to block IP fragments from the local network if you want to make use of these select services.
4. Click OK to save the settings.
Note: Using the Minimum Security setting may expose the home network to significant security risks, and therefore should only be used when necessary and only for short periods of time.
3.7.1.2 Access Control
You may want to block specific computers within the local network (or even the whole network) from accessing certain services on the Internet. For example, you may want to prohibit one computer from surfing the Web, another computer from transferring files using FTP, and the whole network from receiving incoming e-mail. Access Control defines restrictions on the types of requests that may pass from the local network out to the Internet, and thus may block traffic flowing in both directions. It can also be used to allow specific services when maximum security is configured. In the e-mail example given above, you may prevent computers in the local network from receiving e-mail by blocking their outgoing requests to POP3 servers on the Internet. There are numerous services you may want to consider blocking, such as popular games and file sharing servers.
Note: When Web Filtering is enabled, HTTP services cannot be blocked by Access Control.
To allow or restrict services:
1. In the Firewall menu, click the Access Control link. The Access Control screen appears.
Figure 38: Firewall - Access Control
2. Click the New Entry link. The Add Access Control Rule screen appears.
Figure 39: Add Access Control Rule
3. Under Address, select the computer or group of computers on which you would like to apply the access-control rule. Select an address or a name from the list, or any to apply the rule on all the hosts that are connected to the L13 local network.
4. Under Protocol, select the type of protocol to use. To expand the list of available protocols, select Show All Services.
Note: When Web Filtering is enabled, HTTP services cannot be blocked.
5. To display the following message to the client: “Access Denied – this computer is not allowed to surf the WAN. Please contact your admin,” select Reply an HTML page to the blocked client. When this option is cleared, the client's packets are simply ignored and no notification is issued.
6. Under Schedule, select a schedule rule that defines the time period during which the access-control rule is to be applied.
7. Click OK. The Access Control screen displays a list of all the rules that are currently defined, including the rule you added.
Figure 40: Firewall - Access Control Rules
Once an access-control rule has been defined, you can edit it as necessary.
To modify an access-control rule:
1. In the Access Control screen, click the action icon of the rule. The Edit Access Control Rule screen appears (see Figure 41: Edit Access Control Rule).
Figure 41: Edit Access Control Rule
2. Edit the parameters as necessary.
3. Click the OK button to save your changes and return to the Access Control screen.
You can disable an access control rule in order to make a service available without having to remove the rule from the Access Control screen. This may be useful if you wish to make the service available only temporarily and expect that you will want to reinstate the restriction in the future.
To temporarily disable a rule: Clear the check box next to the service name.
To reinstate a rule at a later time: Reselect the check box.
To remove a rule: Click the action icon for the service. The service will be permanently removed.
3.7.1.3 Port Forwarding
In its default state, the L13 blocks all external users from connecting to or communicating with your network. Therefore the system is safe from hackers who may try to intrude on the network and damage it. However, you may want to expose your network to the Internet in certain limited and controlled ways in order to enable some applications to work from the LAN (game, voice and chat applications, for example) and to enable Internet-access to servers in the local network. The Port Forwarding feature supports both of these functionalities. If you are familiar with networking terminology and concepts, you may have encountered this topic referred to as "Local Servers".

The Port Forwarding screen enables you to define the applications that require special handling by the L13. All you have to do is select the application's protocol and the local IP address or name of the computer that will be using or providing the service. If required, you may add new protocols in addition to the most common ones provided by L13. For example, if you wanted to use a File Transfer Protocol (FTP) application on one of your PCs, you would simply select FTP from the list and enter the local IP address or host name of the designated computer. All FTP-related data arriving at the L13 from the Internet will henceforth be forwarded to the specified computer.

Similarly, you can grant Internet users access to servers inside your local network, by identifying each service and the PC that will provide it. This is useful, for example, if you want to host a Web server inside your local network. When an Internet user points his/her browser to the L13 external IP address, the gateway will forward the incoming HTTP request to your Web server.
However, there is a limitation that must be considered. With one external IP address (the L13 main IP address), different applications can be assigned to your LAN computers; however, each type of application is limited to one computer. For example, you can define that FTP will use address X to reach computer A and Telnet will also use address X to reach computer A, but attempting to define FTP to use address X to reach both computers A and B will fail. L13 therefore provides the ability to add additional public IP addresses to port forwarding rules, which you must first obtain from your ISP and enter into the NAT IP Addresses Pool (refer to Section 3.7.1.8). You will then be able to define FTP to use address X to reach computer A and address Y to reach computer B.

Additionally, port forwarding enables you to redirect traffic to a different port instead of the one to which it was designated. For example, you have a Web server running on your PC on port 8080 and you want to grant access to this server to anyone who accesses L13 via HTTP. To accomplish this, you will have to define a port forwarding rule for the HTTP service, with the PC's IP or host name, as well as specify 8080 in the Forward to Port field. All incoming HTTP traffic will now be forwarded to the PC running the Web server on port 8080.

When setting a port forwarding service, you must ensure that the port is not already in use by another application, which may stop functioning. A common example is SIP signaling in Voice over IP: the port used by the gateway's VoIP application (5060) is the same port on which port forwarding is set for LAN SIP agents.
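The constraints described in the three paragraphs above, as an added illustration that is not the L13's own code: a rule table that enforces one LAN computer per service on a given external address, accepts a second computer only on an additional address from the NAT IP Addresses Pool, honours Forward to Port, and refuses a rule on a port the gateway's own application (SIP, 5060) already uses. The addresses, host names and pool contents are constructed sample values; the service-to-port table is assumed, not taken from the guide.

```python
from dataclasses import dataclass
from typing import Optional

GATEWAY_MAIN_IP = "198.51.100.1"   # constructed: the L13 main (default) external address
NAT_IP_POOL = {"198.51.100.2"}     # constructed: extra address obtained from the ISP
SERVICE_PORTS = {"FTP": 21, "TELNET": 23, "HTTP": 80, "SIP": 5060}  # well-known ports
GATEWAY_OWN_PORTS = {5060}         # in use by the gateway's own VoIP application


@dataclass(frozen=True)
class Rule:
    service: str
    local_host: str
    public_ip: str = GATEWAY_MAIN_IP
    forward_to_port: Optional[int] = None   # None means the service's own port


class PortForwarding:
    def __init__(self):
        self.rules = []

    def add(self, rule):
        """Return None if the rule is accepted, else the reason it is rejected."""
        if rule.public_ip != GATEWAY_MAIN_IP and rule.public_ip not in NAT_IP_POOL:
            return "public IP is not in the NAT IP Addresses Pool"
        port = SERVICE_PORTS[rule.service]
        if port in GATEWAY_OWN_PORTS:
            return f"port {port} is already used by the gateway's own application"
        for r in self.rules:
            # One LAN computer per service on a given external address.
            if (r.public_ip, r.service) == (rule.public_ip, rule.service) and r.local_host != rule.local_host:
                return f"{rule.service} on {rule.public_ip} already goes to {r.local_host}"
        self.rules.append(rule)
        return None

    def route(self, public_ip, port):
        """Destination (host, port) of an inbound packet, or None if nothing is forwarded."""
        for r in self.rules:
            if r.public_ip == public_ip and SERVICE_PORTS[r.service] == port:
                return (r.local_host, r.forward_to_port or port)
        return None


if __name__ == "__main__":
    pf = PortForwarding()
    print(pf.add(Rule("FTP", "pc-A")))                            # None: accepted
    print(pf.add(Rule("FTP", "pc-B")))                            # rejected: address X already reaches pc-A
    print(pf.add(Rule("FTP", "pc-B", public_ip="198.51.100.2")))  # None: address Y from the pool
    print(pf.add(Rule("HTTP", "pc-C", forward_to_port=8080)))     # None: HTTP redirected to 8080
    print(pf.route("198.51.100.1", 80))                           # ('pc-C', 8080)
```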
To add a new port forwarding service:
1. In the WBM, select the Firewall menu item under the Services tab, and click the Port Forwarding link. The Port Forwarding screen appears.
Figure 42: Port Forwarding
2. Click the New Entry link. The Add Port Forwarding Rule screen appears.
Figure 43: Add Port Forwarding Rule
3. Select the Specify Public IP Address check box if you would like to apply this rule on the L13 non-default IP address defined in the NAT screen (refer to Section 3.7.1.8.1). The screen refreshes.
Figure 44: Specify Public IP Address
4. Enter the additional external IP address in the Public IP Address field.
5. The Local Host drop-down menu lists your available LAN computers. Select a computer that will provide the service (the "server"). Note that unless an additional external IP address has been added, only one LAN computer can be assigned to provide a specific service or application.
6. The Protocol drop-down menu lets you select or specify the type of protocol that will be used. Selecting the Show All Services option expands the list of available protocols. Select a protocol.
