Page 56 / 234 Scroll up to view Page 51 - 55
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
5-6
Protecting Your Network
May 2004, 202-10030-02
You can define additional rules that will specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destination IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
To create a new rule, click the Add button.
To edit an existing rule, select its button on the left side of the table and click Edit.
To delete an existing rule, select its button on the left side of the table and click Delete.
To move an existing rule to a different position in the table, select its button on the left side of the
table and click Move. At the script prompt, enter the number of the desired new position and click
OK.
An example of the menu for defining or editing a rule is shown in
Figure 5-2
. The parameters are:
Service. From this list, select the application or service to be allowed or blocked. The list
already displays many common services, but you are not limited to these choices. Use the
Services menu to add any additional services or applications that do not already appear.
Action. Choose how you would like this type of traffic to be handled. You can block or allow
always, or you can choose to block or allow according to the schedule you have defined in the
Schedule menu.
Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound),
and choose whether you would like the traffic to be restricted by source IP address. You can
select Any, a Single address, or a Range. If you select a range of addresses, enter the range in
the start and finish boxes. If you select a single address, enter it in the start box.
Destination Address.The Destination Address will be assumed to be from the opposite (LAN
or WAN) of the Source Address. As with the Source Address, you can select Any, a Single
address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you
must enter a Single LAN address in the start box.
Log. You can select whether the traffic will be logged. The choices are:
Never - no log entries will be made for this service.
Match - traffic of this type which matches the parameters and action will be logged.
Page 57 / 234
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
Protecting Your Network
5-7
May 2004, 202-10030-02
Examples of Using Services and Rules to Regulate Traffic
Use the examples to see how you combine Services and Rules to regulate how the TCP/IP
protocols are used on your firewall to enable either blocking or allowing specific Internet traffic on
your firewall.
Inbound Rules (Port Forwarding)
Because the FVL328 uses Network Address Translation (NAT), your network presents only one IP
address to the Internet, and outside users cannot directly address any of your local computers.
However, by defining an inbound rule, also known as port forwarding, you can make a local server
(for example, a Web server or game server) visible and available to the Internet. The rule tells the
router to direct inbound traffic for a particular service to one local server based on the destination
port number. This is also known as port forwarding.
Follow these guidelines when setting up port forwarding inbound rules:
If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the
Advanced menus so that external users can always find your network.
If the IP address of the local server computer is assigned by DHCP, it may change when the
computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu
to keep the computer’s IP address constant.
Local computers must access the local server using the local LAN address of the computer.
Attempts by local computers to access the server using the external WAN IP address will fail.
Remember that allowing inbound services opens holes in your FVL328 Firewall. Only enable
those ports that are necessary for your network. Following are two application examples of
inbound rules:
Note:
Some home broadband accounts do not allow you to run any server processes
(such as a Web or FTP server). Your ISP may check for servers and suspend your
account if it discovers active servers at your location. If you are unsure, refer to the
Acceptable Use Policy of your ISP.
Page 58 / 234
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
5-8
Protecting Your Network
May 2004, 202-10030-02
Example: Port Forwarding to a Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web
(HTTP) requests from any outside IP address to the IP address of your Web server any time of day.
Figure 5-3:
Rule example:
A Local Public Web Server
This rule is shown in
Figure 5-3
.
Example: Port Forwarding for Videoconferencing
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown
in
Figure 5-4
, CU-SeeMe is a predefined service and its connections are allowed only from a
specified range of external IP addresses. In this case, we have also specified logging of any
incoming CU-SeeMe requests that do not match the allowed parameters.
Page 59 / 234
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
Protecting Your Network
5-9
May 2004, 202-10030-02
Figure 5-4:
Rule example: Videoconference from Restricted Addresses
Example: Port Forwarding for VPN Tunnels when NAT is Off
If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses
anywhere on the Internet when NAT is off, first create a service and then an inbound rule.
Figure 5-5:
Service example: port forwarding for VPN when NAT is Off
In the example shown in
Figure 5-5
, UDP port 500 connections are defined as the IPSec service.
Page 60 / 234
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
5-10
Protecting Your Network
May 2004, 202-10030-02
Figure 5-6:
Inbound rule example:
VPN IPSec when NAT is off
In the example shown in
Figure 5-6
, VPN IPSec connections are allowed for any internal LAN IP
address.
Outbound Rules (Service Blocking or Port Filtering)
The FVL328 allows you to block the use of certain Internet services by computers on your
network. This is called service blocking or port filtering. You can define an outbound rule to block
Internet access from a local computer based on:
IP address of the local computer (source address)
IP address of the Internet site being contacted (destination address)
Time of day
Type of service being requested (service port number)
Outbound Rule Example: Blocking Instant Messaging
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the router
log any attempt to use Instant Messenger during that blocked period.

Rate

4 / 5 based on 1 vote.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top