Reference Manual for the ProSafe VPN Firewall FVS114
4-8
Firewall Protection and Content Filtering
202-10098-01, April 2005
Considerations for Inbound Rules
If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the
Advanced menus so that external users can always find your network.
If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the
PC’s IP address constant.
Each local PC must access the local server using the PC’s local LAN address (192.168.0.99 in
this example). Attempts by local PCs to access the server using the external WAN IP address
will fail.
Outbound Rules (Service Blocking)
The FVS114 allows you to block the use of certain Internet services by PCs on your network. This
is called service blocking or port filtering. You can define an outbound rule to block Internet
access from a local PC based on:
• IP address of the local PC (source address)
• IP address of the Internet site being contacted (destination address)
• Time of day
• Type of service being requested (service port number)
Following is an application example of an outbound rule:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Figure 4-5: Rule example: blocking Instant Messenger
Order of Precedence for Rules
As you define new rules, they are added to the Rules table, as shown below:
Figure 4-6: Rules table
For any traffic attempting to pass through the firewall, the packet information is subjected to the
rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules
at the bottom. In some cases, the order of precedence of two or more rules may be important in
determining the disposition of a packet. The Move button allows you to relocate a defined rule to a
new position in the table.
Services
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve Web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FVS114 already holds a list of many service port numbers, you are not limited to
these choices. Use the Services menu to add additional services and applications to the list for use
in defining firewall rules. The Services menu shows a list of services that you have defined, as
shown in Figure 4-7:
Figure 4-7: Services menu
To define a new service, first you must determine which port number or range of numbers is used
by the application. This information can usually be obtained from the publisher of the
application or from user groups or newsgroups.
To add a service:
1. When you have the port number information, go to the Services menu and click the Add
Custom Service button. The Add Services menu appears as shown in Figure 4-8:
Figure 4-8: Add Custom Service menu
2. Enter a descriptive name for the service so that you will remember what it is.
3. Select whether the service uses TCP or UDP as its transport protocol. If you can’t determine
which is used, select both.
4. Enter the lowest port number used by the service.
5. Enter the highest port number used by the service. If the service only uses a single port
number, enter the same number in both fields.
6. Click Apply.
The new service now appears in the Services menu, and in the Service name selection box in the
Rules menu.
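The following is an added example, not code from the NETGEAR manual or the FVS114 firmware. It models in Python what the sections above describe: custom services entered as a protocol plus a lowest/highest port pair, outbound rules that block a service from local addresses according to a schedule (the Instant Messenger example), and the Rules table being checked top to bottom with the first matching rule deciding and the default rules at the bottom. It also models the Move button to show how reordering two rules changes the disposition of the same packet. The service port numbers, addresses, schedule and the assumed defaults (block all inbound, allow all outbound) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Service:
    """A custom service as entered in the Add Custom Service menu."""
    name: str
    protocols: frozenset  # frozenset({"TCP"}), frozenset({"UDP"}) or both
    low: int              # lowest port number used by the service
    high: int             # highest port number (same as low for a single port)

    def __post_init__(self):
        if not self.protocols or not self.protocols <= {"TCP", "UDP"}:
            raise ValueError("protocol must be TCP, UDP or both")
        if not 1 <= self.low <= self.high <= 65535:
            raise ValueError("port range must satisfy 1 <= low <= high <= 65535")

    def matches(self, proto: str, dport: int) -> bool:
        # The service is identified by the destination port of the packet.
        return proto in self.protocols and self.low <= dport <= self.high


@dataclass(frozen=True)
class Schedule:
    """A time-of-day window, as created in the Schedule menu."""
    start: time
    end: time

    def active(self, at: time) -> bool:
        return self.start <= at < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                       # "inbound" or "outbound"
    action: str                          # "ALLOW" or "BLOCK"
    service: Optional[Service]           # None = any service
    src: IPv4Network                     # source addresses (0.0.0.0/0 = any)
    dst: IPv4Network                     # destination addresses
    schedule: Optional[Schedule] = None  # None = always
    log: bool = False                    # log attempts that hit this rule


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int
    at: time


def evaluate(rules, pkt):
    """Return (action, rule name, log?) from the first rule that matches, top to bottom."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if rule.direction != pkt.direction:
            continue
        if rule.service is not None and not rule.service.matches(pkt.proto, pkt.dport):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.schedule is not None and not rule.schedule.active(pkt.at):
            continue
        return rule.action, rule.name, rule.log
    # Default rules at the bottom of the table (assumed here: block all inbound,
    # allow all outbound); nothing above matched.
    if pkt.direction == "inbound":
        return "BLOCK", "default", False
    return "ALLOW", "default", False


def move(rules, name, new_index):
    """Model of the Move button: a copy of the table with rule `name` at new_index."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    return rest[:new_index] + [rule] + rest[new_index:]


# Constructed sample configuration (addresses and ports are made up for the example).
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.0.0/24")
HTTP = Service("HTTP", frozenset({"TCP"}), 80, 80)
IM = Service("Instant Messenger", frozenset({"TCP", "UDP"}), 5190, 5190)
WORK_HOURS = Schedule(time(9, 0), time(17, 0))

RULES = [
    Rule("Block IM at work", "outbound", "BLOCK", IM, LAN, ANY, WORK_HOURS, log=True),
    Rule("Allow IM for .10", "outbound", "ALLOW", IM, ip_network("192.168.0.10/32"), ANY),
    Rule("Web server", "inbound", "ALLOW", HTTP, ANY, ip_network("192.168.0.99/32")),
]


def demo():
    """Same IM packet from 192.168.0.10 at 10:00, before and after moving the allow rule up."""
    pkt = Packet("outbound", "TCP", "192.168.0.10", "203.0.113.5", 5190, time(10, 0))
    before = evaluate(RULES, pkt)
    after = evaluate(move(RULES, "Allow IM for .10", 0), pkt)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The order of precedence shows up directly in `demo()`: with the blocking rule first, the 10:00 packet from 192.168.0.10 is blocked and logged; after `move()` places the allow rule at the top, the same packet is allowed. Outside working hours the schedule on the first rule is inactive, so the second rule decides for .10 and the default outbound rule decides for every other PC.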