Reference Manual for the ProSafe VPN Firewall FVS114
Firewall Protection and Content Filtering
4-3
202-10098-01, April 2005
Turn Cookies filtering on: Block all cookies.
Note: Many Web sites will not function correctly if these components are blocked.
Keyword Blocking: To enable keyword blocking, check Turn keyword blocking on, then click Apply.
To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.
To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
Keyword application examples:
If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX.
If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
If you wish to block all Internet browsing access, enter the keyword “.”.
Trusted User: To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply.
You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed or reserved IP address.
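The keyword matching and Trusted User exemption described above, modelled as an added Python example (not NETGEAR firmware code): a keyword is treated as a case-insensitive substring test against the requested URL or newsgroup name, and the Trusted User address 192.168.0.2 is a placeholder.

```python
# Added example (not NETGEAR code): toy model of the keyword blocking and Trusted
# User behaviour described above. A keyword is a case-insensitive substring test
# against the requested URL or newsgroup name, so "XXX" blocks both xxx.html and
# alt.pictures.XXX, ".com" blocks every .com site, and "." blocks everything.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class ContentFilter:
    keywords: List[str] = field(default_factory=list)
    trusted_user: Optional[str] = None   # IP address of the one PC exempt from blocking and logging
    log: List[str] = field(default_factory=list)

    def add_keyword(self, keyword: str) -> None:
        keyword = keyword.strip().lower()
        if keyword and keyword not in self.keywords:
            self.keywords.append(keyword)

    def delete_keyword(self, keyword: str) -> None:
        self.keywords.remove(keyword.strip().lower())

    def matching_keyword(self, target: str) -> Optional[str]:
        """Return the first configured keyword found in the URL or newsgroup name."""
        target = target.lower()
        return next((k for k in self.keywords if k in target), None)

    def is_blocked(self, client_ip: str, target: str) -> bool:
        """Decide whether client_ip's request for target (a URL or newsgroup) is blocked."""
        if client_ip == self.trusted_user:
            return False                     # Trusted User: no blocking and no logging
        hit = self.matching_keyword(target)
        if hit is None:
            return False
        self.log.append(f"BLOCK {client_ip} -> {target} (keyword {hit!r})")
        return True

def sample_filter() -> ContentFilter:
    # Constructed configuration; 192.168.0.2 is a placeholder Trusted User address.
    f = ContentFilter(trusted_user="192.168.0.2")
    f.add_keyword("XXX")
    return f
```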
Using Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other.
Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing
only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine
what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of
the FVS114 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
These default rules are shown in the Rules table of the Rules menu in Figure 4-2:
Figure 4-2: Rules menu
You may define additional rules that specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destination IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
To create a new rule, click the Add button.
To edit an existing rule, select its button on the left side of the table and click Edit.
To delete an existing rule, select its button on the left side of the table and click Delete.
To move an existing rule to a different position in the table, select its button on the left side of the table and click Move. At the script prompt, enter the number of the desired new position and click OK.
An example of the menu for defining or editing a rule is shown in Figure 4-3. The parameters are:
Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.
Action. Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound), and choose whether you would like the traffic to be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box.
Destination Address. The Destination Address will be assumed to be on the opposite side (LAN or WAN) from the Source Address. As with the Source Address, you can select Any, a Single address, or a Range, unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single LAN address in the start box.
Log. You can select whether the traffic will be logged. The choices are:
Never — no log entries will be made for this service.
Match — traffic of this type that matches the parameters and action will be logged.
Options. These options determine how certain types of packets are handled by the Router. Enable or disable each option as required.
Enable VPN Passthrough (IPSec, PPTP, L2TP) — The IPSec, PPTP, and L2TP protocols are used to establish a secure connection, and are widely used by VPN (Virtual Private Networking) programs. If this setting is disabled, PCs on your LAN will not be able to use these VPN programs.
Drop fragmented IP packets — If enabled, fragmented IP packets are discarded, forcing re-transmission of these packets. In some situations, this could prevent successful communication.
Block TCP flood — A TCP flood is an excessively large number of TCP connection requests. This is usually a DoS (Denial of Service) attack. This setting should normally be enabled.
Block UDP flood — A UDP flood is an excessively large number of UDP packets. This is usually a DoS (Denial of Service) attack. This setting should normally be enabled.
Block non-standard packets — Abnormal packets are often used by hackers and in DoS attacks, but may also be generated by other network devices. This setting should normally be enabled.
Enable DNS proxy — The DNS proxy forwards DNS queries to the DNS server. If the DNS proxy is disabled, the Router will ignore DNS queries it receives, and PCs will then need to contact the DNS server directly. This setting should normally be enabled.
Inbound Rules (Port Forwarding)
Because the FVS114 uses Network Address Translation (NAT), your network presents only one IP
address to the Internet, and outside users cannot directly address any of your local computers.
However, by defining an inbound rule you can make a local server (for example, a Web server or
game server) visible and available to the Internet. The rule tells the firewall to direct inbound
traffic for a particular service to one local server based on the destination port number. This is also
known as port forwarding.
Remember that allowing inbound services opens holes in your FVS114 VPN Firewall. Only
enable those ports that are necessary for your network. Following are two application examples of
inbound rules:
Inbound Rule Example: A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web
(HTTP) requests from any outside IP address to the IP address of your Web server at any time of
day. This rule is shown in Figure 4-3:
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Figure 4-3: Rule example: a local public Web server
Inbound Rule Example: Allowing a Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-4, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 4-4: Rule example: a videoconference from restricted addresses
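The rule-table behaviour described in this section (first-match evaluation of custom rules, Any/Single/Range addresses, scheduled actions, the default inbound and outbound rules, and the two inbound examples) as an added Python model; it is not NETGEAR code. The service names, the "not match" logging choice used in the videoconference example, and all IP addresses are assumptions or placeholders.

```python
# Added example (not NETGEAR code): toy model of the FVS114 rule table described above.
# Custom rules are checked top to bottom and the first match decides; when none
# matches, the default rules apply: inbound blocked, outbound allowed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Range = Tuple[str, str]  # inclusive (start, finish); a Single address is (a, a); None = Any

def in_range(addr: str, rng: Optional[Range]) -> bool:
    return rng is None or IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])

@dataclass
class Rule:
    direction: str                 # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    service: str                   # name picked from the Services list, e.g. "HTTP"
    action: str                    # "allow" or "block"
    src: Optional[Range] = None    # Any, Single or Range of source addresses
    dst: Optional[Range] = None    # destination is on the opposite side of the source
    log: str = "never"             # "never", "match", or "not match" (see lead-in)
    schedule: Optional[Tuple[int, int]] = None  # active hours [start, end); None = always

    def __post_init__(self) -> None:
        # With NAT, an inbound rule must name a Single LAN address as its destination.
        if self.direction == "inbound" and (self.dst is None or self.dst[0] != self.dst[1]):
            raise ValueError("inbound rule needs a Single LAN destination address")

    def applies(self, src: str, dst: str, hour: int) -> bool:
        active = self.schedule is None or self.schedule[0] <= hour < self.schedule[1]
        return active and in_range(src, self.src) and in_range(dst, self.dst)

def evaluate(rules: List[Rule], direction: str, service: str,
             src: str, dst: str, hour: int = 12) -> Tuple[str, bool]:
    """Return (action, logged) for one connection request."""
    logged = False
    for r in rules:
        if r.direction != direction or r.service != service:
            continue
        if r.applies(src, dst, hour):
            return r.action, logged or r.log == "match"
        logged = logged or r.log == "not match"  # same service, outside the rule's limits
    # Default rules; replies to LAN-initiated requests pass by NAT state, not modelled here.
    return ("block" if direction == "inbound" else "allow"), logged

# Constructed table for the two inbound examples above; all addresses are placeholders.
RULES = [
    Rule("inbound", "HTTP", "allow", dst=("192.168.0.10", "192.168.0.10")),
    Rule("inbound", "CU-SeeMe", "allow", src=("203.0.113.10", "203.0.113.20"),
         dst=("192.168.0.20", "192.168.0.20"), log="not match"),
]
```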
