The following security features can be configured:
• Port Forwarding
• Parental Control/URL Filter
• DMZ Host
• IP Filter
To access these pages:
1. Select Configuration > Security. The following page opens.
Figure 4-28: Security setting page
2. To access and configure a specific security feature, click the corresponding tab in this page.
4.7.1 IP Filter
Stateful Firewall
Settings on this page are actually Firewall settings. A stateful Firewall tracks the movement of packets over
a period of time. If an outgoing packet includes a request for responses from certain types of incoming
packet, the packet is tracked to ensure that only those types of incoming packets are allowed through the
Firewall. Other types of traffic are blocked. Each time outbound packets are sent from an inside host to an
outside host, the following stateful information is logged by the Firewall:
• source and destination addresses
• port details; protocol type and range of source and destination ports
• sequencing information
• additional flags for each connection associated with that particular inside host
All inbound packets are compared against this logged information and any manually configured address
and port details. These packets are only allowed through the Firewall if an appropriate connection exists or
if a filter explicitly allows that traffic. Address and port details are configured by defining Firewall validators
and filters. This makes it very difficult for hackers to break through the stateful Firewall, because they
would need to know addresses, port numbers, sequencing information and individual connection flags for
an inside host.
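The tracking described above, as a small Python model (an added example, not the router's own code). The class and field names, the sample addresses and the simplified TCP check, in which a reply must acknowledge exactly what the inside host has sent, are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0       # TCP sequence number of this segment
    ack: int = 0       # TCP acknowledgement number
    length: int = 0    # payload bytes
    syn: bool = False  # a SYN consumes one sequence number

class StatefulFirewall:
    def __init__(self, inbound_filters=()):
        self.flows = {}  # logged flow -> next sequence number the inside host will send
        self.inbound_filters = set(inbound_filters)  # explicit (proto, dst, dport) allows

    def outbound(self, p):
        # Log addresses, protocol, ports and sequencing for the flow being opened or used.
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        sent_up_to = p.seq + p.length + (1 if p.syn else 0)
        self.flows[key] = max(self.flows.get(key, 0), sent_up_to)
        return True

    def inbound(self, p):
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # a reply has the endpoints swapped
        if key in self.flows:
            # Simplified: real trackers accept a window of values, not one exact number.
            return p.proto != "TCP" or p.ack == self.flows[key]
        # No matching connection: only an explicit filter lets the packet through.
        return (p.proto, p.dst, p.dport) in self.inbound_filters

def demo():
    # Constructed sample traffic; 192.168.1.10 stands in for a published FTP server.
    fw = StatefulFirewall(inbound_filters={("TCP", "192.168.1.10", 21)})
    fw.outbound(Packet("TCP", "192.168.1.5", 40000, "203.0.113.7", 443, seq=1000, syn=True))
    reply = Packet("TCP", "203.0.113.7", 443, "192.168.1.5", 40000, seq=5000, ack=1001, syn=True)
    wrong_ack = Packet("TCP", "203.0.113.7", 443, "192.168.1.5", 40000, seq=5000, ack=77)
    unsolicited = Packet("TCP", "198.51.100.9", 5555, "192.168.1.5", 40000, ack=1001)
    to_ftp = Packet("TCP", "198.51.100.9", 5555, "192.168.1.10", 21, syn=True)
    return [fw.inbound(x) for x in (reply, wrong_ack, unsolicited, to_ftp)]
```

Only the genuine reply and the packet covered by the explicit filter pass; the packet with the wrong acknowledgement number and the one from an unrelated host are dropped.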
Firewall policies
A Firewall policy is the name of the rule that applies to a data path between two classes of security
interface. You can add different address validator and filter rules to each policy in order to provide different
levels of security to the inside networks attached to the router. For example, if your DMZ (DeMilitarized
Zone) contains an FTP server that can be accessed by external hosts, the rules between the dmz and
external security interfaces will be less stringent than those between the internal and external security
interfaces. Policies exist by default:
• between the external interface and the internal interface
• between the external interface and the DMZ interface
• between the DMZ interface and the internal interface
Policies are set to block only the IP addresses specified in validator rules. If you have configured your
router and created security interfaces, the data paths between each of the router’s security interfaces look
like this:
Figure 4-29: Firewall policies between security interfaces
You can use the default, pre-configured Firewall policies, add new policies, and delete policies.
Port Filters
A Port Filter is a rule that determines how the Firewall should handle packets being transported on a policy
between two security interfaces. You can create separate filter rules based on:
• the protocol type of the traffic allowed to be transported
• which TCP/UDP port numbers the packets are allowed to be transported on
• the name of the well-known protocol, service or application allowed to be transported
• source and destination addresses
Whichever type of filter rule you use, you must also determine which direction packets should be allowed
to travel in:
• inbound; permitted traffic is transported from the outside interface to the inside interface
• outbound; permitted traffic is transported from the inside interface to the outside interface
• both; inbound and outbound rules apply
IP Validators
An IP Validator is a rule that determines how the Firewall should handle packets received from or sent to a
specific IP address or a range of addresses. If you know the address details of a specific external host
whom you believe may attempt to infiltrate or damage your internal network, you can block traffic from that
host. Similarly, if an internal host is accessing an external web site that contains unacceptable material,
you can block their access to it. You must also determine which direction packets should be allowed to
travel in:
• inbound; permitted traffic is transported from the outside interface to the inside interface
• outbound; permitted traffic is transported from the inside interface to the outside interface
• both; inbound and outbound rules apply
Note: If you create a filter and you want to change the direction that packets are allowed
to travel in, you must delete the original filter and create another.
[Figure 4-29 diagram labels: external interface (ipwan), internal interface (iplan), dmz interface (ipdmz), Firewall; policies: internal-external, dmz-external, dmz-internal]
4.7.1.1 IP Filter page
1. Select the IP Filter tab. The following page opens.
Figure 4-30: IP Filter Settings
2. You can select Disable or Enable to disable or enable IP Filtering (Firewall).
3. If there are any rules already configured, you can edit or delete them in this page. Select the Edit or Delete option accordingly.
The all-out ext-int and all-out ext-dmz port filter rules are configured by default and should not be deleted. If the all-out ext-int port filter rule is deleted, the internet connection will not work and you will have to create a new default ext-int policy port filter rule.
4. To add a new Port Filter Rule or IP Validator Rule, click Add.
4.7.1.2 To add/edit a port filter rule or an IP validator rule
1. In the IP Filter Settings, click the Add button to add, or the Edit icon to edit the rule. The following page opens:
Warning: These are advanced settings and you should not change them unless you
completely understand how things work.
Figure 4-31: Add IP Filtering Rule
2. Type in Filter Rule Name.
3. Select policy:
• ext-int
• ext-dmz
• dmz-int
4. Select the direction to filter packets:
• Outbound traffic
• Inbound traffic
• Both
5. Select Port Filter Rule or IP Validator Rule.
6. Port Filter Rule:
Protocol:
• ALL (Used for default Port Filter rule)
• TCP
• UDP
• ICMP
• GRE
Filter Action:
• Allow (Allow specified packets in firewall)
• Deny (Deny specified packets in firewall)
Source IP Range: Start, End
Destination IP Range: Start, End
Source Port Range: Start, End
Destination Port Range: Start, End
Status:
• Enable (Enable Port Filter Rule)
• Disable (Disable Port Filter Rule)
7. IP Validator Rule:
IP address:
• SINGLE (IP Validator Rule blocks single IP address)
• SUBNET (IP Validator Rule blocks (subnet) group of IP addresses)
IP address
Netmask
Status:
• Enable (Enable IP Validator Rule)
• Disable (Disable IP Validator Rule)
8. To confirm the settings, click Apply.
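How rules built from these fields could be matched against a packet, as an added Python model (not the router's own code). The class names, the evaluation order (validators first, then the first matching port filter), the default deny when nothing matches and the sample addresses are assumptions; only the destination port range is modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PortFilter:
    name: str
    policy: str                    # "ext-int", "ext-dmz" or "dmz-int"
    direction: str                 # "inbound", "outbound" or "both"
    protocol: str                  # "ALL", "TCP", "UDP", "ICMP" or "GRE"
    action: str                    # "allow" or "deny"
    dst_ports: tuple = (0, 65535)  # Destination Port Range (Start, End)
    enabled: bool = True

@dataclass
class IPValidator:
    name: str
    policy: str
    direction: str
    address: str                       # SINGLE: one host; SUBNET: network address
    netmask: str = "255.255.255.255"   # SINGLE is treated as a one-address subnet
    enabled: bool = True

    def matches(self, ip):
        net = ipaddress.ip_network(f"{self.address}/{self.netmask}", strict=False)
        return ipaddress.ip_address(ip) in net

def applies(rule, policy, direction):
    # A rule is considered only on its own policy and in its own direction.
    return rule.enabled and rule.policy == policy and rule.direction in (direction, "both")

def decide(validators, filters, policy, direction, proto, src, dst, dport):
    # Assumed order: a matching validator blocks before any port filter is consulted.
    for v in validators:
        if applies(v, policy, direction) and (v.matches(src) or v.matches(dst)):
            return "deny"
    for f in filters:
        if (applies(f, policy, direction) and f.protocol in ("ALL", proto)
                and f.dst_ports[0] <= dport <= f.dst_ports[1]):
            return f.action
    return "deny"  # assumed default when no rule matches
```

With a single outbound ALL/allow filter on ext-int (modelled on the default all-out rule; its exact field values are assumed), outbound traffic is allowed; with that filter removed, the same call returns "deny", which matches the manual's warning about deleting it.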
4.7.2 Parental Control/URL Filter
The Parental Control feature blocks WAN-side access from specified internal PCs in your network for a
duration configured by the user (parent or administrator).
Many parents want to exercise some control over Internet access from their children's PCs. The Parental
Control feature provides time-based control, allowing parents/administrators to control the traffic from
the different internal PCs connected to the router.
1. Select the Parental Control/URL Filter tab. The following page opens.
