53

Firewall

Packet Filter

Packet filtering enables you to configure your router to block specified internal/external users (IP

address) from Internet access, or you can disable specific service requests (Port number) to / from

the Internet. This configuration program allows you to set up different filter rules for different users

based on their IP addresses or their network Port number. The relationship among all filters is “or”

operation, which means that the router checks these different filter rules one by one, starting from the

first rule. As long as one of the rules is satisfied, the specified action will be taken.

Rule Name:

User defined description for entry identification. The maximum name length is 32

characters, and then can choose an application that they want from the listbox.

Source IP address / Source Subnet Mask:

This is an Address-Filter used to allow or block traffic

to/from particular IP address(es). Enter the IP & subnet mask you want to filter. If you leave empty or

0.0.0.0, it means any IP address.

Destination IP address / Destination Subnet Mask:

This is an Address-Filter used to allow or

block traffic to/from particular IP address(es). Enter the IP & subnet mask you want to filter. If you

leave empty or 0.0.0.0, it means any IP address.

Source Port:

This Port or Port Range defines the ports allowed by the Remote/WAN to connect to

the application. Default is set from range 0 ~ 65535. It is recommended that only advance user is

to configure this feature.

Destination Port:

This is the Port or Port Range that defines the port of the application.

Protocol:

Specify the packet type (TCP, UDP, TCP/UDP) that the rule applies to. Select TCP if you

wish to search for the connection-based application service on the remote server using the port

number. Or select UDP if you want to search for the connectionless application service on the remote

server using the port number.

Direction:

Determine whether the rule is for outgoing packets or for incoming packets.

Add:

Click this button to add a new packet filter rule and the added rule will appear at the bottom

table.

54

Edit:

Check the Rule No. you wish to edit, and then click “Edit”.

Delete:

Check the Rule No. you wish to delete, and then click “Delete”.

MAC Filter

A MAC (Media Access Control) address is the unique network hardware identifier for each PC on your

network’s interface (i.e. its Network Interface Card or Ethernet card). Using your router’s MAC

Address Filter function, you can configure the network to block specific machines from accessing your

LAN.

To filter a specific MAC address, enter the MAC address in the blank provided then press Add.

The format of MAC address-- could be: xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx

Block WAN Ping

This feature is to be enabled when you want the public WAN IP address on your 7800 device not to

respond to any ping command.

When activating Block WAN PING feature, check the Enable box then click the Apply button. This

feature is deactivated by default.

55

Virtual Server

Virtual Server allows you to direct incoming traffic from WAN side (identified by Protocol and

External port) to the Internal server with private IP address on the LAN side. The Internal port is

required only if the external port needs to be converted to a different port number used by the

server on the LAN side.

In TCP and UDP networks a port is a 16-bit number used to identify which application program

(usually a server) incoming connections should be delivered to. Some ports have numbers that are

pre-assigned to them by the IANA (the Internet Assigned Numbers Authority), and these are

referred to as “well-known ports”. Servers follow the well-known port assignments so clients can

locate them.

If you wish to run a server on your network that can be accessed from the WAN (i.e. from other

machines on the Internet that are outside your local network), or any application that can accept

incoming connections (e.g. Peer-to-peer/P2P software such as instant messaging applications and

P2P file-sharing applications) and are using NAT (Network Address Translation), then you need to

configure your router to forward these incoming connection attempts using specific ports to the PC on

your network running the application. You also need to use port forwarding if you wish to host

an online game server.

Examples of well-known and registered port numbers are shown below, for further information,

please see IANA’s website at:

Well-known and Registered Ports

Port Number

Protocol

Description

20

TCP

FTP Data

21

TCP

FTP Control

22

TCP & UDP

SSH Remote Login Protocol

23

TCP

TElnet

25

TCP

SMTP (simple Mail Transfer Protocol)

53

TCP & UDP

DNS (Domain Name Server)

69

UDP

TFTP (Trivial File Transfer Protocol)

80

TCP

World Wide Web HTTP

110

TCP

POP3 (Post Office Protocol version 3)

119

TCP

NEWS (Network News Transfer Protocol)

123

UDP

NTP (Network Time Protocol)

161

TCP

SNMP

443

TCP & UDP

HTTPS

1503

TCP

T.120

1720

TCP

H.323

4000

TCP

ICQ

7070

UDP

Real Audio

56

Port Mapping

Application:

Select the service you wish to configure.

Protocol:

A protocol is automatically applied when an Application is selected from the listbox or

you may select a protocol type which you want.

External Port & Internal Port:

Enter the public port number & range you wish to configure.

Internal IP Address:

Enter the IP address of a specific internal server to which requests from the

specified port is forwarded.

Add:

Click to add a new virtual server rule. Click again and the next figure appears.

Edit:

Check the Edit radio button to display the parameter of the selected application, then after

changing the parameters click the Edit/Delete button to apply the changes.

Delete:

To remove a port mapping application, check the Remove box of the selected application

then click the Edit/Delete button.

Since NAT acts as a “natural” Internet firewall, your router protects your network from accessed by

outside users, as all incoming connection attempts point to your router unless you specifically

create Virtual Server entries to forward those ports to a PC on your network. When your router

needs to allow outside users to access internal servers, e.g. a web server, FTP server, Email server

or game server, the router can act as a “virtual server”. You can set up a local server with

a specific port number for the service to use, e.g. web/HTTP (port 80), FTP (port 21), Telnet (port

23), SMTP (port 25), or POP3 (port 110). When an incoming access request the router for a

specified port is received, it is forwarded to the corresponding internal server.

For example, if you set the port number 80 (Web/HTTP) to be mapped to the IP Address

192.168.1.2, then all incoming HTTP requests from outside users are forwarded to the local server

(PC) with the IP address of 192.168.1.2. If the port is not listed as a predefined application, you need

to add it manually.

In addition to specifying the port number used, you also need to specify the protocol used. The

protocol is determined by a particular application. Most applications use TCP or UDP, however you

may also specify other protocols using the drop-down Protocol menu. Setting the protocol to “all”

causes all incoming connection attempts using all protocols on all port numbers to be forwarded to the

specified IP address.

57

DMZ

The DMZ Host is a local computer exposed to the Internet. When setting a particular internal IP

address as the DMZ Host, all incoming packets that do not use a port number which is already

used by any other Virtual Server entries will first be checked by the Firewall and NAT algorithms

before it is passed to the DMZ host.