Reference Manual for the ProSafe VPN Firewall FVS114

4-8

Firewall Protection and Content Filtering

202-10098-01, April 2005

Considerations for Inbound Rules

•

If your external IP address is assigned dynamically by your ISP, the IP address may change

periodically as the DHCP lease expires. Consider using the Dyamic DNS feature in the

Advanced menus so that external users can always find your network.

•

If the IP address of the local server PC is assigned by DHCP, it may change when the PC is

rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the

PC’s IP address constant.

•

Each local PC must access the local server using the PC’s local LAN address (192.168.0.99 in

this example). Attempts by local PCs to access the server using the external WAN IP address

will fail.

Outbound Rules (Service Blocking)

The FVS114 allows you to block the use of certain Internet services by PCs on your network. This

is called service blocking or port filtering. You can define an outbound rule to block Internet

access from a local PC based on:

•

IP address of the local PC (source address)

•

IP address of the Internet site being contacted (destination address)

•

Time of day

•

Type of service being requested (service port number)

Following is an application example of an outbound rule:

Reference Manual for the ProSafe VPN Firewall FVS114

Firewall Protection and Content Filtering

4-9

202-10098-01, April 2005

Outbound Rule Example: Blocking Instant Messenger

If you want to block Instant Messenger usage by employees during working hours, you can create

an outbound rule to block that application from any internal IP address to any external address

according to the schedule that you have created in the Schedule menu. You can also have the

firewall log any attempt to use Instant Messenger during that blocked period.

Figure 4-5:

Rule example: blocking Instant Messenger

Reference Manual for the ProSafe VPN Firewall FVS114

4-10

Firewall Protection and Content Filtering

202-10098-01, April 2005

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules table, as shown below:

Figure 4-6:

Rules table

For any traffic attempting to pass through the firewall, the packet information is subjected to the

rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules

at the bottom. In some cases, the order of precedence of two or more rules may be important in

determining the disposition of a packet. The Move button allows you to relocate a defined rule to a

new position in the table.

Reference Manual for the ProSafe VPN Firewall FVS114

Firewall Protection and Content Filtering

4-11

202-10098-01, April 2005

Services

Services are functions performed by server computers at the request of client computers. For

example, Web servers serve Web pages, time servers serve time and date information, and game

hosts serve data about other players’ moves. When a computer on the Internet sends a request for

service to a server computer, the requested service is identified by a service or port number. This

number appears as the destination port number in the transmitted IP packets. For example, a packet

that is sent with destination port number 80 is an HTTP (Web server) request.

The service numbers for many common protocols are defined by the Internet Engineering Task

Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other

applications are typically chosen from the range 1024 to 65535 by the authors of the application.

Although the FVS114 already holds a list of many service port numbers, you are not limited to

these choices. Use the Services menu to add additional services and applications to the list for use

in defining firewall rules. The Services menu shows a list of services that you have defined, as

shown in

Figure 4-7

:

Figure 4-7:

Services menu

To define a new service, first you must determine which port number or range of numbers is used

by the application. This information can usually be determined by contacting the publisher of the

application or from user groups of newsgroups.

Reference Manual for the ProSafe VPN Firewall FVS114

4-12

Firewall Protection and Content Filtering

202-10098-01, April 2005

To add a service:

1.

When you have the port number information, go the Services menu and click on the

Add

Custom Service

button. The

Add Services

menu appears as shown in

Figure 4-8

:

Figure 4-8:

Add Custom Service menu

2.

Enter a descriptive name for the service so that you will remember what it is.

3.

Select whether the service uses TCP or UDP as its transport protocol.

If you can’t determine which is used, select both.

4.

Enter the lowest port number used by the service.

5.

Enter the highest port number used by the service.

If the service only uses a single port number, enter the same number in both fields.

6.

Click

Apply

.

The new service now appears in the Services menu, and in the Service name selection box in the

Rules menu.