Intrusion detection and prevention
Intrusion detection and prevention can be enabled both on policies and on port mappings. This example uses a port mapping; the policy setup is very similar.
In this example a mail server with IP 192.168.2.4 and a web server with IP 192.168.2.5 are connected to the DMZ interface of the firewall.
To set up intrusion detection and prevention for a web server on the DMZ net, follow these steps:
1. Create a port mapping for the web server under Firewall->Port Mapping: under Configured mappings, click Add new.
2. Set up the newly created port mapping:
   - Name the rule: map_www
   - Select service: http-in-all
   - Enter pass to IP: 192.168.2.5 (the IP of the web server)
   - Check the Intrusion detection / prevention option
   - Select mode: Prevention
   - Enable e-mail alerting by checking the Alerting box
   - Click Apply
The new mapping is now in the list.
3. Set up the e-mail server and enable alerting under System->Logging:
   - Check Enable E-mail alerting for IDS/IDP events
   - Select sensitivity: Normal
   - Enter SMTP server IP (the mail server): 192.168.2.4
   - Enter sender:
   - Enter E-mail address 1:
   - Enter E-mail address 2:
   - Click Apply
4. Click Activate and wait for the firewall to restart.
When the firewall stops an attack, the event is listed in the logs. Since e-mail alerting is enabled in this example, alert e-mails are also sent to the users webmaster and steve.
To get more information about an attack, copy the attack string from the log and paste it into the By message box at the following address: (you can of course also type the attack string into the box by hand).
This example used Prevention mode, in which the firewall drops traffic it identifies as an attack. In Inspection only mode nothing is blocked: the firewall only logs the attacks and sends e-mail alerts (if alerting is enabled). A common approach is to run in Inspection only mode first and review the logged matches for false positives before switching to Prevention, since in Prevention mode a false positive means legitimate requests to the web server are dropped.
Traffic shaping
In these examples we assume that the WAN port of the firewall is connected to the Internet with 2 Mbit/s of bandwidth both upstream and downstream.
Limit bandwidth to a service
To limit the bandwidth a service (in this case FTP) can use, follow these steps:
1. Create a new policy rule. Under Firewall->Policy click LAN->WAN, then click Add new.
2. Set up the new policy:
   - Name the rule: allow_ftp
   - Set position to: 2
   - Set action to: allow
   - Select service: ftp_outbound
   - Schedule should be: always
   - Check the Traffic shaping box and enter 400 as both the upstream and downstream limit
   - Click Apply
3. Click Activate and wait for the firewall to restart.
All FTP traffic from computers on the LAN network is now limited to a total of 400 kbit/s upstream and 400 kbit/s downstream. The limit is shared by all hosts the rule matches, not applied per host. Policy rules are evaluated in order, so the rule must be positioned before any broader rule that would also allow FTP; otherwise that rule matches first and no shaping is applied.
Limit bandwidth to one or more IP addresses
The example above can be modified to limit FTP bandwidth only from one or more IP addresses. In the policy setup, add the IP addresses that should be limited in the Source Nets box.
Now all FTP traffic from 192.168.1.125 on the LAN network is limited to 400 kbit/s in both directions. If more than one IP is required, a comma-separated list or a network can be entered (e.g. 192.168.1.125, 192.168.1.126 or 192.168.1.0/24).
Guarantee bandwidth to a service
To set up traffic shaping that guarantees a service a certain amount of bandwidth, follow these steps:
1. Set the interface speed for the WAN interface under System->Interfaces:
   - Click Edit for the WAN interface.
   - Check the Traffic shaping checkbox.
   - Enter upstream bandwidth: 2000 (2 Mbit/s)
   - Enter downstream bandwidth: 2000 (2 Mbit/s)
   - Click Apply
   A guarantee is a reservation out of the interface speed entered here, so the guarantees of all rules together should not exceed that speed in either direction; otherwise they cannot all be honoured at the same time.
2. Create a new policy rule. Under Firewall->Policy click LAN->WAN, then click Add new.
3. Set up the new policy:
   - Name the rule: allow_ftp
   - Set position to: 2
   - Set action to: allow
   - Select service: ftp_outbound
   - Schedule should be: always
   - Check the Traffic shaping box and enter 1000 as both the upstream and downstream guarantee
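The following script is an added example for this page, not the firewall vendor's software, and it never talks to the firewall. It models only the values the three traffic-shaping walkthroughs above have us enter (the WAN interface speeds, a policy rule's limit or guarantee in kbit/s, and the Source Nets text in the "192.168.1.125, 192.168.1.126" or "192.168.1.0/24" syntax) so that the settings can be checked offline before clicking Activate: which LAN hosts a Source Nets entry actually matches, whether a limit is larger than the link and therefore meaningless, and whether the guarantees of several rules add up to more than the interface speed. The class, field and function names are this script's own assumptions.

```python
"""Offline sanity check for the traffic-shaping values from the examples above.

Added example for this page; it is not the firewall's own code and the names
below (ShapingRule, check_shaping, ...) are assumptions made for illustration.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional


@dataclass
class ShapingRule:
    name: str
    service: str
    source_nets: str = ""                  # "" = any LAN host, as in allow_ftp
    limit_kbit: Optional[int] = None       # cap applied up- and downstream
    guarantee_kbit: Optional[int] = None   # minimum reserved up- and downstream


def parse_source_nets(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the Source Nets box syntax: a comma-separated list of hosts
    and/or CIDR networks, e.g. "192.168.1.125, 192.168.1.126" or
    "192.168.1.0/24". A bare host becomes a /32. Raises ValueError on junk."""
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def rule_applies_to(rule: ShapingRule, src_ip: str) -> bool:
    """True if traffic from src_ip is matched by the rule's Source Nets."""
    if not rule.source_nets.strip():
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in parse_source_nets(rule.source_nets))


def check_shaping(wan_up_kbit: int, wan_down_kbit: int,
                  rules: List[ShapingRule]) -> List[str]:
    """Return the problems a practitioner should fix before activating.

    - A limit above the interface speed never takes effect.
    - Guarantees are reservations of the interface speed set under
      System->Interfaces, so their sum must not exceed it in either direction.
    - Source Nets text must parse, or the rule will not match what you expect.
    """
    directions = (("upstream", wan_up_kbit), ("downstream", wan_down_kbit))
    problems = []
    total_guarantee = 0
    for rule in rules:
        try:
            parse_source_nets(rule.source_nets)
        except ValueError as err:
            problems.append(f"{rule.name}: bad Source Nets entry ({err})")
        if rule.guarantee_kbit is not None:
            total_guarantee += rule.guarantee_kbit
        for direction, speed in directions:
            if rule.limit_kbit is not None and rule.limit_kbit > speed:
                problems.append(
                    f"{rule.name}: {direction} limit {rule.limit_kbit} kbit/s "
                    f"exceeds the {speed} kbit/s WAN speed, so it never applies")
    for direction, speed in directions:
        if total_guarantee > speed:
            problems.append(
                f"guarantees total {total_guarantee} kbit/s {direction} but the "
                f"WAN speed is {speed} kbit/s; they cannot all be honoured at once")
    return problems


if __name__ == "__main__":
    # The page's own scenario: 2000 kbit/s WAN, allow_ftp limited to 400 kbit/s
    # for two LAN hosts, then a version guaranteeing 1000 kbit/s (constructed input).
    wan = (2000, 2000)
    limited = ShapingRule("allow_ftp", "ftp_outbound",
                          "192.168.1.125, 192.168.1.126", limit_kbit=400)
    print(rule_applies_to(limited, "192.168.1.126"))   # True
    print(rule_applies_to(limited, "192.168.1.127"))   # False
    guaranteed = ShapingRule("allow_ftp", "ftp_outbound", guarantee_kbit=1000)
    print(check_shaping(*wan, [limited, guaranteed]))  # []
    # Oversubscribed: two guarantees that add up to more than the link.
    print(check_shaping(*wan, [guaranteed,
          ShapingRule("allow_http", "http_outbound", guarantee_kbit=1500)]))
```

The oversubscription check is the one worth keeping around: each rule's guarantee looks reasonable on its own, and the firewall's rule editor shows one rule at a time, so the only place the sum against the 2000 kbit/s entered under System->Interfaces is ever visible is a check like this.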