Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

5-6

Protecting Your Network

May 2004, 202-10030-02

You can define additional rules that will specify exceptions to the default rules. By adding custom

rules, you can block or allow access based on the service or application, source or destination IP

addresses, and time of day. You can also choose to log traffic that matches or does not match the

rule you have defined.

To create a new rule, click the Add button.

To edit an existing rule, select its button on the left side of the table and click Edit.

To delete an existing rule, select its button on the left side of the table and click Delete.

To move an existing rule to a different position in the table, select its button on the left side of the

table and click Move. At the script prompt, enter the number of the desired new position and click

OK.

An example of the menu for defining or editing a rule is shown in

Figure 5-2

. The parameters are:

•

Service. From this list, select the application or service to be allowed or blocked. The list

already displays many common services, but you are not limited to these choices. Use the

Services menu to add any additional services or applications that do not already appear.

•

Action. Choose how you would like this type of traffic to be handled. You can block or allow

always, or you can choose to block or allow according to the schedule you have defined in the

Schedule menu.

•

Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound),

and choose whether you would like the traffic to be restricted by source IP address. You can

select Any, a Single address, or a Range. If you select a range of addresses, enter the range in

the start and finish boxes. If you select a single address, enter it in the start box.

•

Destination Address.The Destination Address will be assumed to be from the opposite (LAN

or WAN) of the Source Address. As with the Source Address, you can select Any, a Single

address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you

must enter a Single LAN address in the start box.

•

Log. You can select whether the traffic will be logged. The choices are:

–

Never - no log entries will be made for this service.

–

Match - traffic of this type which matches the parameters and action will be logged.

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Protecting Your Network

5-7

May 2004, 202-10030-02

Examples of Using Services and Rules to Regulate Traffic

Use the examples to see how you combine Services and Rules to regulate how the TCP/IP

protocols are used on your firewall to enable either blocking or allowing specific Internet traffic on

your firewall.

Inbound Rules (Port Forwarding)

Because the FVL328 uses Network Address Translation (NAT), your network presents only one IP

address to the Internet, and outside users cannot directly address any of your local computers.

However, by defining an inbound rule, also known as port forwarding, you can make a local server

(for example, a Web server or game server) visible and available to the Internet. The rule tells the

router to direct inbound traffic for a particular service to one local server based on the destination

port number. This is also known as port forwarding.

Follow these guidelines when setting up port forwarding inbound rules:

•

If your external IP address is assigned dynamically by your ISP, the IP address may change

periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the

Advanced menus so that external users can always find your network.

•

If the IP address of the local server computer is assigned by DHCP, it may change when the

computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu

to keep the computer’s IP address constant.

•

Local computers must access the local server using the local LAN address of the computer.

Attempts by local computers to access the server using the external WAN IP address will fail.

Remember that allowing inbound services opens holes in your FVL328 Firewall. Only enable

those ports that are necessary for your network. Following are two application examples of

inbound rules:

Note:

Some home broadband accounts do not allow you to run any server processes

(such as a Web or FTP server). Your ISP may check for servers and suspend your

account if it discovers active servers at your location. If you are unsure, refer to the

Acceptable Use Policy of your ISP.

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

5-8

Protecting Your Network

May 2004, 202-10030-02

Example: Port Forwarding to a Local Public Web Server

If you host a public Web server on your local network, you can define a rule to allow inbound Web

(HTTP) requests from any outside IP address to the IP address of your Web server any time of day.

Figure 5-3:

Rule example:

A Local Public Web Server

This rule is shown in

Figure 5-3

.

Example: Port Forwarding for Videoconferencing

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside

IP addresses, such as from a branch office, you can create an inbound rule. In the example shown

in

Figure 5-4

, CU-SeeMe is a predefined service and its connections are allowed only from a

specified range of external IP addresses. In this case, we have also specified logging of any

incoming CU-SeeMe requests that do not match the allowed parameters.

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Protecting Your Network

5-9

May 2004, 202-10030-02

Figure 5-4:

Rule example: Videoconference from Restricted Addresses

Example: Port Forwarding for VPN Tunnels when NAT is Off

If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses

anywhere on the Internet when NAT is off, first create a service and then an inbound rule.

Figure 5-5:

Service example: port forwarding for VPN when NAT is Off

In the example shown in

Figure 5-5

, UDP port 500 connections are defined as the IPSec service.

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

5-10

Protecting Your Network

May 2004, 202-10030-02

Figure 5-6:

Inbound rule example:

VPN IPSec when NAT is off

In the example shown in

Figure 5-6

, VPN IPSec connections are allowed for any internal LAN IP

address.

Outbound Rules (Service Blocking or Port Filtering)

The FVL328 allows you to block the use of certain Internet services by computers on your

network. This is called service blocking or port filtering. You can define an outbound rule to block

Internet access from a local computer based on:

•

IP address of the local computer (source address)

•

IP address of the Internet site being contacted (destination address)

•

Time of day

•

Type of service being requested (service port number)

Outbound Rule Example: Blocking Instant Messaging

If you want to block Instant Messenger usage by employees during working hours, you can create

an outbound rule to block that application from any internal IP address to any external address

according to the schedule that you have created in the Schedule menu. You can also have the router

log any attempt to use Instant Messenger during that blocked period.