030-300564 Rev A
August 2009
User Guide
ProLine G90 (Models 6100, 6110)
Custom: Select this option to edit the firewall configuration directly. When Custom is selected, the edit button will be clickable. Clicking edit will open the Custom Rules screen, which allows for user customization of modem security settings.
Remote Logging
Note: The syslog server must be configured to listen on UDP port 514, which is usually the default port. In order for the logs to be saved to the syslog server, the server should be configured to save the logs to a file. Some of the free syslog servers available on the Internet are kiwisyslog, MT_syslog and 3Csyslog.
Enable: Click this check box to enable the modem to send firewall logs to a syslog server. By default, remote logging is disabled (unchecked).
Remote IP Address: Displays the IP address of the syslog server machine to which the diagnostics logs are to be sent.
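The receiving side of the note above, as an added example (not from the user guide or any vendor tool): a small collector that listens on UDP port 514, decodes the standard syslog priority prefix, and appends each message to a file. The modem address 192.168.1.1, the log file name, and the sample message in the comment are assumptions.

```python
# Added illustration: a bare syslog collector, not a vendor tool.
import re
import socket
from datetime import datetime, timezone

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram: bytes):
    """Split the leading <PRI> into (facility, severity, message)."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # no valid PRI: keep the raw text
        return None, None, datagram.decode("utf-8", "replace").strip()
    pri = int(m.group(1))
    text = datagram[m.end():].decode("utf-8", "replace").strip()
    return pri >> 3, SEVERITIES[pri & 7], text

def record(datagram: bytes, sender_ip: str, log_path: str) -> str:
    """Append one received message to the log file and return the line written."""
    facility, severity, text = parse_pri(datagram)
    text = text.replace("\r", " ").replace("\n", " ")   # one datagram = one line
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = f"{stamp} {sender_ip} facility={facility} severity={severity} {text}"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line

def serve(log_path: str, modem_ip: str, bind: str = "0.0.0.0", port: int = 514):
    """Listen on UDP 514 and keep only datagrams sent by the modem."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))           # ports below 1024 usually need admin rights
    while True:
        data, (ip, _) = sock.recvfrom(4096)
        if ip == modem_ip:            # UDP syslog is unauthenticated; drop other senders
            record(data, ip, log_path)

if __name__ == "__main__":
    # 192.168.1.1 is an assumed modem LAN address; change it to match your network.
    # A constructed message such as b"<134>firewall: DROP TCP" decodes as
    # facility 16 (local0), severity info.
    serve("modem-firewall.log", "192.168.1.1")
```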
12.1.1 Custom Rules
The following screen will appear if you select Custom and then OK from the Security Level screen and click the edit button (Security > Security Level > Custom Rules). The Custom Rules screen allows you to configure the security parameters on your Inbound and Outbound traffic. Inbound rules will restrict inbound traffic from the WAN to the LAN. Outbound rules will restrict outbound traffic from the LAN to WAN. If you change the settings in this screen, click save. If you click cancel, the screen will return to its previous settings.
IMPORTANT: Custom security is an advanced configuration option that allows you to edit the firewall configuration directly. Only expert users should attempt this. It is recommended that you do not change the settings in this screen. If you need to reset your modem to factory default settings, follow the instructions in section 13.2.1, “Backup/Restore,” to restore the modem to default settings.
NOTE: The default security setting is applied if a packet does not match any defined rules. Clicking Save allows the firewall rules to be saved to flash (a temporary storage area in your modem).
Security Default: Select the option to allow or deny default action to be taken if no rule is found to match the given packet.
    Allow: Allow the packet if no rule matches it.
    Deny: Block the packet if no rule matches it.
Rule Name: Displays the name of the new rule.
Type: Select the option to allow or deny the packet matching this rule.
    Allow: Allow the packet matching this rule.
    Deny: Block the packet matching this rule.
Protocol: Click this drop-down menu to select the protocol for the new rule: TCP, UDP, Protocol Number, ICMP Type, or All.
Source Address: Displays the source address of the packet to check the rule against.
Destination Address: Displays the destination address of the packet to check the rule against.
Source Port: Displays the source port of the packet to check the rule against.
Destination Port: Displays the destination port of the packet to check the rule against.
Mode: Click this drop-down menu to specify whether or not packets need to be logged: Log or No Log.
Direction: Click this drop-down menu to select the traffic direction for which the rule is applied: Inbound, Outbound, or Both.
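How the fields above interact with Security Default, as an added example (a model written for this page, not the modem's firmware logic). It assumes rules are checked in order with the first match winning, addresses written in CIDR form, and an empty port meaning any port; the rule names, addresses and packets are constructed.

```python
# Added illustration: models the Custom Rules fields; not the modem's own code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    type: str                       # "Allow" or "Deny"
    protocol: str                   # "TCP", "UDP" or "All"
    direction: str                  # "Inbound", "Outbound" or "Both"
    src: str = "0.0.0.0/0"          # assumption: addresses written as CIDR
    dst: str = "0.0.0.0/0"
    src_port: Optional[int] = None  # assumption: None means any port
    dst_port: Optional[int] = None
    mode: str = "No Log"            # "Log" or "No Log"

    def matches(self, p: dict) -> bool:
        return (self.direction in ("Both", p["direction"])
                and self.protocol in ("All", p["protocol"])
                and ip_address(p["src"]) in ip_network(self.src)
                and ip_address(p["dst"]) in ip_network(self.dst)
                and self.src_port in (None, p["src_port"])
                and self.dst_port in (None, p["dst_port"]))

def evaluate(rules, packet, security_default="Deny"):
    """Return (action, rule_name, logged). Assumes the first matching rule wins."""
    for rule in rules:
        if rule.matches(packet):
            return rule.type, rule.name, rule.mode == "Log"
    return security_default, None, False   # Security Default: nothing matched

# Constructed sample rule set and packets.
RULES = [
    Rule("block-telnet-in", "Deny", "TCP", "Inbound", dst_port=23, mode="Log"),
    Rule("web-server-in", "Allow", "TCP", "Inbound", dst="192.168.1.10/32", dst_port=443),
    Rule("lan-dns-out", "Allow", "UDP", "Outbound", src="192.168.1.0/24", dst_port=53),
]
TELNET = dict(direction="Inbound", protocol="TCP", src="203.0.113.7",
              dst="192.168.1.10", src_port=40000, dst_port=23)
UNLISTED = dict(TELNET, dst_port=8080)     # matches no rule above

if __name__ == "__main__":
    for default in ("Deny", "Allow"):
        print(default, evaluate(RULES, TELNET, default), evaluate(RULES, UNLISTED, default))
```

With Security Default set to Allow, the unlisted inbound packet passes and is not logged, so an Allow default leaves every port you did not write a Deny rule for reachable.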
12.2 Security Services
This section discusses the Security Services screens (ALG, Port Forwarding, and Port Triggering) of your modem and guides you through the configurable settings.
12.2.1 ALG
The following screen will appear if you select Security > Services > ALG from the main menu. This screen enables you to configure application-layer gateway (ALG) services for your modem by clicking on the check box of each service that you want to enable (a check mark will appear in the box). If you change the settings in this screen, click apply and then OK. If you click Cancel, the screen will return to its previous settings.
Enabling an ALG service opens the IP ports associated with the corresponding service. For example, if you have an IPSec client running on a LAN-side PC attached to the modem, it is necessary to enable the IPSec ALG. Enabling IPSec opens the default ports used by IPSec, 500 and 1500, so that traffic to and from the IPSec client may pass through.
NOTE: When the firewall level is set to “High,” some services may not be configurable.
FTP: Click this check box to enable the FTP ALG.
H323: Click this check box to enable the H323 ALG.
TFTP: Click this check box to enable the TFTP ALG.
PPTP: Click this check box to enable the PPTP ALG.
IPSec: Click this check box to enable the IPSec ALG.
SIP: Click this check box to enable the SIP ALG.
12.2.2 Port Forwarding
The following screen will appear if you select Security > Services > Port Forwarding from the main menu. This screen allows you to forward incoming traffic from the outside network to a range of WAN ports on an IP address on the LAN. You can also enable traffic from a local network (to a specified port range) to be allowed to go outside of the network in medium firewall settings. Displayed are currently active port forwarding services. You can add more pre-defined services (or create your own services) by selecting the appropriate entry in the Service Name drop-down menu.
Current Profile: Click this drop-down menu to display the NAT (Network Address Translation) services available. All of the settings on this screen are associated with a Service Profile. The service profile is selected from the Current Profile drop-down menu. If no profile has been created, the settings chosen are applied to the default profile. The Service Profile drop-down menu located in the Home > Connection Overview > Edit screen (on the Home screen, click the Add/Edit Connection link) associates a service profile with one or more of your “Connection Profiles.” This means different connections can allow different services to be associated with them. Use the Current Profile drop-down menu to select a profile to edit. However, the profile will be activated from the Home > Connection Overview > Edit screen.
    To create a new service profile, click the new button.
    To remove a service profile, click the delete button (not available for the Default profile).
    To change the name of a service profile, click the edit button.
Service Name: Click this drop-down menu to select the NAT (Network Address Translation) service for configuring your modem. Service Name lists all of the configured services available for the selected Service Profile. To enable a predefined or custom service, select it from the drop-down menu, and click the enable button. The Enable PreDefined Service window will open, showing a detailed description of that service and will step you through the process of enabling a service. The modem will then configure the port(s) to enable the service. Refer to section 12.2.2.2, “Enable PreDefined Service.”
    To delete the selected service from the Service Name listing, click the delete button.
    To edit a Custom Defined Service, including allowing you to delete an existing rule from the service or add a new rule to the service, click the edit button. Refer to section 12.2.2.1, “Edit Custom Service.”
UPnP Enable: Click this check box to enable UPnP (Universal Plug and Play), allowing the modem to seamlessly connect and communicate with other UPnP-enabled devices, without the need for user configuration, centralized servers, or product-specific device drivers. When enabled, UPnP advertises the presence of your modem on the LAN. Click OK to restart the modem and save the changes. The modem will then configure itself to respond to UPnP messages. By default, UPnP Enable is disabled.
Service Name: Displays the Service Name of a previously enabled NAT service.
LAN IP Address: Displays the LAN IP Address of a previously enabled NAT service.
details: Click this button to open the Service Details screen (Security > Services > Port Forwarding > Service Details). This allows you to view details of the selected enabled port forwarding service.
delete: Click this button to delete an enabled NAT service.
new custom service: Click this button to open the New Custom Service screen (Security > Services > Port Forwarding > New Custom Service), which will step you through the process of creating a custom service entry.
Firewall is enabled: Click this link to open the Security Level screen (Security > Security Level), allowing you to modify your firewall settings as needed. Refer to section
Static NAT: Click this button to open the Static NAT pop-up window. Use this window to map a private IP address to a public IP address, where the public address is the WAN IP address of the modem. This allows an internal host to have an unregistered (private) IP address and still be reachable over the Internet.
    To enable a Static NAT device, click the drop-down menu to select a Static NAT Device, type the IP Address of the device that will function as the default NAT destination in the provided field, and click the enable button.
    To disable a static NAT device, click the drop-down menu to select a Static NAT Device, and click the disable button.
    Click cancel to return to the Port Forwarding screen without implementing any changes.
