Reference Manual for the ProSafe VPN Firewall FVS114

Firewall Protection and Content Filtering

4-3

202-10098-01, April 2005

•

Turn Cookies filtering on: Block all cookies.

Note

: Many Web sites will not function correctly if these components are blocked.

Keyword Blocking

: To enable keyword blocking, check

Turn keyword blocking on

, then click

Apply

.

•

To add a keyword or domain, type it in the Keyword box, click

Add Keyword

, then click

Apply

.

•

To delete a keyword or domain, select it from the list, click

Delete Keyword

, then click

Apply

.

Keyword application examples:

•

If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked,

as is the newsgroup alt.pictures.XXX.

•

If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or

.gov) can be viewed.

•

If you wish to block all Internet browsing access, enter the keyword “.”.

Trusted User

: To specify a Trusted User, enter that PC’s IP address in the

Trusted User

box and

click

Apply

.

You may specify one Trusted User, which is a PC that will be exempt from blocking and

logging. Since the Trusted User will be identified by an IP address, you should configure that

PC with a fixed or reserved IP address.

Using Rules to Block or Allow Specific Kinds of Traffic

Firewall rules are used to block or allow specific traffic passing through from one side to the other.

Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing

only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine

what outside resources local users can have access to.

A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of

the FVS114 are:

•

Inbound: Block all access from outside except responses to requests from the LAN side.

•

Outbound: Allow all access from the LAN side to the outside.

Reference Manual for the ProSafe VPN Firewall FVS114

4-4

Firewall Protection and Content Filtering

202-10098-01, April 2005

These default rules are shown in the Rules table of the Rules menu in

Figure 4-2

:

Figure 4-2:

Rules menu

You may define additional rules that specify exceptions to the default rules. By adding custom

rules, you can block or allow access based on the service or application, source or destination IP

addresses, and time of day. You can also choose to log traffic that matches or does not match the

rule you have defined.

To create a new rule, click the

Add

button.

To edit an existing rule, select its button on the left side of the table and click

Edit

.

To delete an existing rule, select its button on the left side of the table and click

Delete

.

To move an existing rule to a different position in the table, select its button on the left side of the

table and click

Move

. At the script prompt, enter the number of the desired new position and

click

OK

.

Reference Manual for the ProSafe VPN Firewall FVS114

Firewall Protection and Content Filtering

4-5

202-10098-01, April 2005

An example of the menu for defining or editing a rule is shown in

Figure 4-3

. The parameters are:

•

Service

. From this list, select the application or service to be allowed or blocked. The list

already displays many common services, but you are not limited to these choices. Use the

Services menu to add any additional services or applications that do not already appear.

•

Action

. Choose how you would like this type of traffic to be handled. You can block or allow

always, or you can choose to block or allow according to the schedule you have defined in the

Schedule menu.

•

Source Address

. Specify traffic originating on the LAN (outbound) or the WAN (inbound),

and choose whether you would like the traffic to be restricted by source IP address. You can

select Any, a Single address, or a Range. If you select a range of addresses, enter the range in

the start and finish boxes. If you select a single address, enter it in the start box.

•

Destination Address

.The Destination Address will be assumed to be from the opposite (LAN

or WAN) of the Source Address. As with the Source Address, you can select Any, a Single

address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you

must enter a Single LAN address in the start box.

•

Log

. You can select whether the traffic will be logged. The choices are:

–

Never — no log entries will be made for this service.

–

Match — traffic of this type that matches the parameters and action will be logged.

•

Options

. These options determine how certain types of packets are handled by the Router.

Enable or disable each option as required.

–

Enable VPN Passthrough (IPSec, PPTP, L2TP) — The IPSec, PPTP, and L2TP protocols

are used to establish a secure connection, and are widely used by VPN (Virtual Private

Networking) programs. If this setting is disbled, PCs only your LAN will not be able to

use thes VPN programs.

–

Drop fragmented IP packets — If enabled, fragmented IP packets are discarded, forcing

re-transmission of these packets. In some situations, this could prevent successful

commnunication.

–

Block TCP flood — A TCP flood is excessively large number of TCP connection

requests. This is usually a DoS (Denial of Service) attack. This setting should be normally

be enabled.

–

Block UDP flood — A UDP flood is excessively large number of UDP packets. This is

usually a DoS (Denial of Service) attack. This setting should be normally be enabled.

Reference Manual for the ProSafe VPN Firewall FVS114

4-6

Firewall Protection and Content Filtering

202-10098-01, April 2005

–

Block non-standard packets — Abnormal packets are often used by hackers and in DoS

attacks, but may also be generated by other network devices. This setting should normally

be enabled.

–

Enable DNS proxy — DNS proxy will forward DNS queries to the DNS. If the DNS

proxy is disabled, the Router will ignore DNS queries it receives. PCs will then need to

contact the DNS directly. This setting should normally be enabled.

Inbound Rules (Port Forwarding)

Because the FVS114 uses Network Address Translation (NAT), your network presents only one IP

address to the Internet, and outside users cannot directly address any of your local computers.

However, by defining an inbound rule you can make a local server (for example, a Web server or

game server) visible and available to the Internet. The rule tells the firewall to direct inbound

traffic for a particular service to one local server based on the destination port number. This is also

known as port forwarding.

Remember that allowing inbound services opens holes in your FVS114 VPN Firewall. Only

enable those ports that are necessary for your network. Following are two application examples of

inbound rules:

Inbound Rule Example: A Local Public Web Server

If you host a public Web server on your local network, you can define a rule to allow inbound Web

(HTTP) requests from any outside IP address to the IP address of your Web server at any time of

day. This rule is shown in

Figure 4-3

:

Note:

Some residential broadband ISP accounts do not allow you to run any server

processes (such as a Web or FTP server) from your location. Your ISP may periodically

check for servers and may suspend your account if it discovers any active services at

your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.

Reference Manual for the ProSafe VPN Firewall FVS114

Firewall Protection and Content Filtering

4-7

202-10098-01, April 2005

Figure 4-3:

Rule example: a local public Web server

Inbound Rule Example: Allowing a Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside

IP addresses, such as from a branch office, you can create an inbound rule. In the example shown

in

Figure 4-4

, CU-SEEME connections are allowed only from a specified range of external IP

addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that

do not match the allowed parameters.

Figure 4-4:

Rule example: a videoconference from restricted addresses