ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual
4-6
Firewall Protection and Content Filtering
v1.0, September 2007
An example of the menu for defining or editing a rule is shown in Figure 4-3. The parameters are:
• Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.
• Action. Choose how you would like this type of traffic to be handled. You can block or allow always, or you can block or allow according to the schedule you have defined in the Schedule menu.
• Source Address. Specify whether the traffic originates on the LAN (outbound) or the WAN (inbound), and choose whether the traffic should be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box.
• Destination Address. The Destination Address is assumed to be on the opposite side (LAN or WAN) from the Source Address. As with the Source Address, you can select Any, a Single address, or a Range, unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single LAN address in the start box.
• Log. You can select whether the traffic will be logged. The choices are:
  Never — no log entries will be made for this service.
  Match — traffic of this type that matches the parameters and action will be logged.
Inbound Rules (Port Forwarding)
Because the FVG318 uses Network Address Translation (NAT), your network presents only one
IP address to the Internet, and outside users cannot directly address any of your local computers.
However, by defining an inbound rule you can make a local server (for example, a Web server or
game server) visible and available to the Internet. The rule tells the firewall to direct inbound
traffic for a particular service to one local server based on the destination port number. This is also
known as port forwarding.
Remember that allowing inbound services opens holes in your VPN firewall. Only enable those
ports that are necessary for your network. Following are two application examples of inbound
rules:
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Inbound Rule Example: A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown in Figure 4-4.
Inbound Rule Example: Allowing a Videoconference from Restricted Addresses
If you want to allow incoming video conferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-5, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 4-4
Figure 4-5
Considerations for Inbound Rules
• If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the PC's IP address constant.
• Each local PC must access the local server using the server's local LAN address (192.168.0.99 in the Local Public Web Server example). Attempts by local PCs to access the server using the external WAN IP address will fail.
Outbound Rules (Service Blocking)
The FVG318 allows you to block the use of certain Internet services by PCs on your network. This
is called service blocking or port filtering. You can define an outbound rule to block Internet
access from a local PC based on:
• IP address of the local PC (source address)
• IP address of the Internet site being contacted (destination address)
• Time of day
• Type of service being requested (service port number)
Following is an application example of an outbound rule:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu.
Order of Precedence for Rules
As you define new rules, they are added to the Rules table, as shown below.
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. The first rule that matches decides how the packet is handled, so in some cases the order of precedence of two or more rules is important in determining the disposition of a packet: a broad rule placed above a narrower one makes the narrower rule unreachable, so place specific rules above general ones. The Up and Down buttons allow you to relocate a defined rule to a new position in the table.
Figure 4-6
Figure 4-7
Default DMZ Server
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or is for a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server. Because every unsolicited inbound packet that no rule claims is delivered to it, the Default DMZ Server should be hardened and should not hold anything you would not expose directly to the Internet.
The Default DMZ Server feature is helpful when using some online games and video conferencing
applications that are incompatible with NAT. The firewall is programmed to recognize some of
these applications and to work properly with them, but there are other applications that may not
function well. In some cases, one local PC can run the application properly if that PC’s IP address
is entered as the Default DMZ Server for a particular service.
The DMZ Server screen is used for setting up a firewall rule for traffic coming from the WAN to
the DMZ. Inbound traffic for a service can be configured to be blocked or allowed, by default, or
set per a schedule (defined on the Schedule page under the Security menu).
To assign a computer or server to be a Default DMZ server:
1. Click the DMZ WAN Rules tab.
2. When the DMZ WAN Rules screen displays, click Add.
3. From the Service pull-down menu, select the service to allow or block. This is a unique name assigned to the service. The name usually indicates the type of traffic the rule covers, such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added from the Security > Services screen.
4. Enter the Send to DMZ Service address of the device on the DMZ which is hosting the server. Select the port number checkbox and enter a port number ONLY if the server is listening on a port other than the default. For example, if a machine on the DMZ side is running a telnet server on port 2000, select the Translate to Port Number checkbox and type 2000 in the Port field. If it is listening on the default port 23, the box can be left unchecked.
5. From the WAN Users pull-down menu, select the specific IP addresses on the WAN that will be affected by the rule. This rule will affect packets for the selected service from the defined IP address or range of IP addresses on the WAN side.
   Any: All IP addresses on the WAN will be affected by the rule.
   Single Address: A single WAN IP address will be affected by the rule.
   Address Range: A range of IP addresses on the WAN will be affected by the rule.
6. Click Apply to save your settings.
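The following Python model is added here as an illustration; it is not part of the NETGEAR manual and does not describe the FVG318 firmware. It ties together the rule parameters defined earlier in this chapter (service, action with schedule, source and destination address, log), the three rule examples (the public Web server, the CU-SeeMe range, the Instant Messenger block by schedule), the top-to-bottom order of precedence, and the Default DMZ Server fallback with its Translate to Port Number option. Constructed packets are evaluated against a rule table in first-match order. The service port numbers, the "working hours" schedule, the IP addresses and the packets are all assumptions made for the example, and "log any incoming CU-SeeMe request that does not match the allowed range" is expressed as a second, lower-precedence block rule with logging, which is one way to write it in a first-match table rather than a feature the page documents.

```python
# Toy model of the FVG318 Rules table: first match wins, top to bottom. Added
# example, not NETGEAR code. Rule fields, the DMZ "Translate to Port Number"
# option and the default dispositions follow the manual; everything else (service
# ports, the working-hours schedule, addresses, packets) is assumed.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address
from typing import Callable, List, Optional

SERVICES = {"HTTP": ("tcp", 80), "TELNET": ("tcp", 23),  # name -> (protocol, port);
            "CU-SEEME": ("udp", 7648), "IM": ("tcp", 5190)}  # the ports are assumed

def working_hours(when: datetime) -> bool:  # assumed Schedule entry: Mon-Fri, 09:00-17:00
    return when.weekday() < 5 and time(9, 0) <= when.time() < time(17, 0)

@dataclass
class Packet:
    direction: str  # "in" (WAN to LAN) or "out" (LAN to WAN)
    proto: str
    src: str
    dst: str        # inbound packets are addressed to the firewall's WAN IP
    dport: int
    when: datetime

@dataclass
class Rule:
    service: str
    action: str             # "allow" or "block"
    direction: str          # "in" or "out"
    src: str = "any"        # "any", a single address, or "lo-hi"
    dst: str = "any"        # inbound: the single LAN server to forward to
    schedule: Optional[Callable[[datetime], bool]] = None  # None means always
    log: str = "never"      # "never" or "match"
    translate_port: Optional[int] = None  # DMZ rule: server listens on another port

def addr_matches(spec: str, ip: str) -> bool:
    """Any, a single address, or a range, as the address fields allow."""
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= ip_address(ip) <= hi
    return ip_address(spec) == ip_address(ip)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if (rule.direction != pkt.direction or SERVICES[rule.service] != (pkt.proto, pkt.dport)
            or not addr_matches(rule.src, pkt.src)):
        return False
    # Under NAT an inbound rule's dst is the LAN server to forward to, not a match field.
    if pkt.direction == "out" and not addr_matches(rule.dst, pkt.dst):
        return False
    return rule.schedule is None or rule.schedule(pkt.when)

def evaluate(rules: List[Rule], pkt: Packet, default_dmz: Optional[str] = None,
             log: Optional[List[str]] = None) -> tuple:
    """Return (verdict, forward_to, forward_port) from the first matching rule; the defaults
    at the bottom discard unmatched inbound (or send it to the DMZ host) and allow outbound."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.log == "match" and log is not None:
            log.append(f"{rule.action} {rule.service} {pkt.src} -> {pkt.dst}:{pkt.dport}")
        if rule.action == "block":
            return ("block", None, None)
        if pkt.direction == "in":
            return ("allow", rule.dst, rule.translate_port or pkt.dport)
        return ("allow", None, None)
    if pkt.direction == "out":
        return ("allow", None, None)
    return ("allow", default_dmz, pkt.dport) if default_dmz else ("block", None, None)

RULES = [  # the page's examples in table order; WAN addresses are RFC 5737 documentation ranges
    Rule("HTTP", "allow", "in", dst="192.168.0.99"),
    Rule("CU-SEEME", "allow", "in", src="203.0.113.10-203.0.113.20", dst="192.168.0.50"),
    Rule("CU-SEEME", "block", "in", log="match"),  # logs requests from outside the range
    Rule("IM", "block", "out", schedule=working_hours),
    Rule("TELNET", "allow", "in", dst="192.168.0.80", translate_port=2000),
]
WAN_IP = "198.51.100.1"
TUE_10 = datetime(2007, 9, 11, 10, 0)  # a Tuesday, inside working hours

def demo() -> dict:
    log: List[str] = []
    def inbound(src, proto, port, when=TUE_10):
        return Packet("in", proto, src, WAN_IP, port, when)
    return {
        "web": evaluate(RULES, inbound("198.51.100.7", "tcp", 80)),
        "branch_cuseeme": evaluate(RULES, inbound("203.0.113.15", "udp", 7648), log=log),
        "other_cuseeme": evaluate(RULES, inbound("198.51.100.7", "udp", 7648), log=log),
        "im_working_hours": evaluate(RULES, Packet("out", "tcp", "192.168.0.23", "198.51.100.9", 5190, TUE_10)),
        "im_after_hours": evaluate(RULES, Packet("out", "tcp", "192.168.0.23", "198.51.100.9", 5190, TUE_10.replace(hour=20))),
        "telnet_dmz": evaluate(RULES, inbound("198.51.100.7", "tcp", 23)),
        "unlisted_with_dmz": evaluate(RULES, inbound("198.51.100.7", "udp", 5000), default_dmz="192.168.0.200"),
        # Order matters: swap the two CU-SeeMe rules and the branch office is blocked.
        "branch_cuseeme_swapped": evaluate([RULES[2], RULES[1]], inbound("203.0.113.15", "udp", 7648)),
        "log": log,
    }
```

Calling demo() returns the verdict for each constructed packet together with the log entries produced. The Web request is forwarded to 192.168.0.99, the branch-office CU-SeeMe request to 192.168.0.50, the CU-SeeMe request from elsewhere is blocked and logged, the Instant Messenger connection is blocked only inside the assumed working hours, the telnet request is forwarded to the DMZ host on port 2000, and a service with no rule reaches the Default DMZ Server only when one is set. The last entry shows the order-of-precedence point from the previous page: with the broad block rule moved above the narrower allow rule, the branch office is blocked as well.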