ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual

4-6

Firewall Protection and Content Filtering

v1.0, September 2007

An example of the menu for defining or editing a rule is shown in

Figure 4-3

. The parameters are:

•

Service

. From this list, select the application or service to be allowed or blocked. The list

already displays many common services, but you are not limited to these choices. Use the

Services menu to add any additional services or applications that do not already appear.

•

Action

. Choose how you would like this type of traffic to be handled. You can block or allow

always, or you can choose to block or allow according to the schedule you have defined in the

Schedule menu.

•

Source Address

. Specify traffic originating on the LAN (outbound) or the WAN (inbound),

and choose whether you would like the traffic to be restricted by source IP address. You can

select Any, a Single address, or a Range. If you select a range of addresses, enter the range in

the start and finish boxes. If you select a single address, enter it in the start box.

•

Destination Address

.The Destination Address will be assumed to be from the opposite (LAN

or WAN) of the Source Address. As with the Source Address, you can select Any, a Single

address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you

must enter a Single LAN address in the start box.

•

Log

. You can select whether the traffic will be logged. The choices are:

–

Never — no log entries will be made for this service.

–

Match — traffic of this type that matches the parameters and action will be logged.

Inbound Rules (Port Forwarding)

Because the FVG318 uses Network Address Translation (NAT), your network presents only one

IP address to the Internet, and outside users cannot directly address any of your local computers.

However, by defining an inbound rule you can make a local server (for example, a Web server or

game server) visible and available to the Internet. The rule tells the firewall to direct inbound

traffic for a particular service to one local server based on the destination port number. This is also

known as port forwarding.

Remember that allowing inbound services opens holes in your VPN firewall. Only enable those

ports that are necessary for your network. Following are two application examples of inbound

rules:

Note:

Some residential broadband ISP accounts do not allow you to run any server

processes (such as a Web or FTP server) from your location. Your ISP may

periodically check for servers and may suspend your account if it discovers any

active services at your location. If you are unsure, refer to the Acceptable Use

Policy of your ISP.

ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual

Firewall Protection and Content Filtering

4-7

v1.0, September 2007

Inbound Rule Example: A Local Public Web Server

If you host a public Web server on your local network, you can define a rule to allow inbound Web

(HTTP) requests from any outside IP address to the IP address of your Web server at any time of

day. This rule is shown in

Figure 4-4

:

Inbound Rule Example: Allowing a Videoconference from Restricted Addresses

If you want to allow incoming video conferencing to be initiated from a restricted range of outside

IP addresses, such as from a branch office, you can create an inbound rule. In the example shown

in

Figure 4-5

, CU-SEEME connections are allowed only from a specified range of external IP

addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that

do not match the allowed parameters.

Figure 4-4

Figure 4-5

ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual

4-8

Firewall Protection and Content Filtering

v1.0, September 2007

Considerations for Inbound Rules

•

If your external IP address is assigned dynamically by your ISP, the IP address may change

periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the

Advanced menus so that external users can always find your network.

•

If the IP address of the local server PC is assigned by DHCP, it may change when the PC is

rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the

PC’s IP address constant.

•

Each local PC must access the local server using the PC’s local LAN address (192.168.0.99 in

Local Public Web Server example). Attempts by local PCs to access the server using the

external WAN IP address will fail.

Outbound Rules (Service Blocking)

The FVG318 allows you to block the use of certain Internet services by PCs on your network. This

is called service blocking or port filtering. You can define an outbound rule to block Internet

access from a local PC based on:

•

IP address of the local PC (source address)

•

IP address of the Internet site being contacted (destination address)

•

Time of day

•

Type of service being requested (service port number)

Following is an application example of an outbound rule:

Outbound Rule Example: Blocking Instant Messenger

If you want to block Instant Messenger usage by employees during working hours, you can create

an outbound rule to block that application from any internal IP address to any external address

according to the schedule that you have created in the Schedule menu.

ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual

Firewall Protection and Content Filtering

4-9

v1.0, September 2007

.

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules table, as shown below:

For any traffic attempting to pass through the firewall, the packet information is subjected to the

rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules

at the bottom. In some cases, the order of precedence of two or more rules may be important in

determining the disposition of a packet. The Up or Down buttons allow you to relocate a defined

rule to a new position in the table.

Figure 4-6

Figure 4-7

ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual

4-10

Firewall Protection and Content Filtering

v1.0, September 2007

Default DMZ Server

Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a

response to one of your local computers or a service for which you have configured an inbound

rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network.

This computer is called the Default DMZ Server.

The Default DMZ Server feature is helpful when using some online games and video conferencing

applications that are incompatible with NAT. The firewall is programmed to recognize some of

these applications and to work properly with them, but there are other applications that may not

function well. In some cases, one local PC can run the application properly if that PC’s IP address

is entered as the Default DMZ Server for a particular service.

The DMZ Server screen is used for setting up a firewall rule for traffic coming from the WAN to

the DMZ. Inbound traffic for a service can be configured to be blocked or allowed, by default, or

set per a schedule (defined on the Schedule page under the Security menu).

To assign a computer or server to be a Default DMZ server:

1.

Click the

DMZ WAN Rules

tab.

2.

When the DMZ WAN Rules screen displays, click

Add.

3.

From the

Service

pull-down menu, select the service to allow or block.

This is a unique name assigned to the service. The name usually indicates the type of traffic

the rule covers such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added

from the Security < Services screen.

4.

Enter the

Send to DMZ Service

address of the device on the DMZ which is hosting the server.

Select the port number checkbox and enter a port number ONLY if the server is listening on a

port other than the default. For example, if a machine on the DMZ side is running a telnet

server on port 2000, then select the Translate to Port Number checkbox and type 2000 in the

Port field. if it is listening on the default port 23, then the box can be left unchecked.

5.

From the

WAN Users

pull-down menu, select the specific IP addresses on the WAN that will

be affected by the rule. This rule will affect packets for the selected service to the defined IP

address or range of IP addresses on the WAN side.

•

Any: All IP addresses on the WAN will be affected by the rule.

•

Single Address: A single WAN IP address will be affected by the rule.

•

Address Range: A range of IP addresses on the DMZ network will be affected by the rule.

6.

Click

Apply

to save your settings.