Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Protecting Your Network
6-3
December 2003, M-10041-01
Blocking Keywords, Sites, and Services
The firewall provides a variety of options for blocking Internet-based content and communication services. With its content filtering feature, the FVS328 Firewall prevents objectionable content from reaching your computers by screening for keywords within Web addresses. Key content filtering options include:
• Blocking access from your LAN to Internet locations that you specify as off-limits.
• Keyword blocking of newsgroup names.
• Outbound services blocking to limit access from your LAN to Internet locations or services that you specify as off-limits.
• Denial of Service (DoS) protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Blocking unwanted traffic from the Internet to your LAN.
The sections below explain how to configure your firewall to perform these functions.
How to Block Keywords and Sites
The FVS328 Firewall allows you to restrict access to Internet content based on functions such as Java or Cookies, Web addresses and Web address keywords.
1. Log in to the firewall at its default LAN address with its default User Name of admin and default password of password, or using whatever password and LAN address you have chosen for the firewall. If the firewall still has the default password, change it before exposing any service through it; the default is public knowledge.
2. Click the Block Sites link in the Security section of the main menu.
Figure 6-2: Block Sites menu
3. To enable keyword blocking, check “Turn keyword blocking on”, enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply.
Keywords are matched as substrings of the Web address or newsgroup name, without regard to case, so a short or common keyword blocks far more than its literal text suggests. Some examples of keyword blocking follow:
• If the keyword “XXX” is specified, any URL whose address contains “xxx” is blocked, as is the newsgroup alt.pictures.xxx.
• If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
• If the keyword “.” is entered, all Internet browsing access will be blocked, since every host name and dotted IP address contains a period.
Up to 32 entries are supported in the Keyword list.
4. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
5. To specify a Trusted User, enter that computer's IP address in the Trusted User box and click Apply.
You may specify one Trusted User, which is a computer that will be exempt from blocking and logging. Since the Trusted User is identified only by its IP address, you should configure that computer with a fixed IP address. Note that any LAN host that assigns itself that address inherits the exemption, so treat the Trusted User setting as a convenience rather than a security control.
6.
Click Apply to save your settings.
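The following is an added model of the Block Sites behaviour described in steps 3 to 6. It is not NETGEAR's code (the firewall's implementation is not published); it reproduces what the manual states: case-insensitive substring matching of each keyword against the Web address or newsgroup name, a 32-entry limit, and one Trusted User exempted by IP address. The client addresses, URLs and newsgroup name in the walkthrough are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

MAX_KEYWORDS = 32   # limit stated in the manual


@dataclass
class KeywordFilter:
    """Keyword blocking as the Block Sites menu describes it (added model, not device code)."""
    enabled: bool = True
    keywords: List[str] = field(default_factory=list)
    trusted_user: Optional[IPv4Address] = None

    def add_keyword(self, keyword: str) -> None:
        """Add a keyword or domain; the list holds at most MAX_KEYWORDS entries."""
        kw = keyword.strip().lower()
        if not kw:
            raise ValueError("empty keyword")
        if kw in self.keywords:
            return
        if len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError(f"keyword list is full ({MAX_KEYWORDS} entries)")
        self.keywords.append(kw)

    def delete_keyword(self, keyword: str) -> None:
        self.keywords.remove(keyword.strip().lower())

    def set_trusted_user(self, ip: str) -> None:
        """The single Trusted User is identified by IP address only."""
        self.trusted_user = IPv4Address(ip)

    def matching_keyword(self, target: str) -> Optional[str]:
        """Plain case-insensitive substring test against a URL or newsgroup name.

        This is why '.com' hides every .com site and '.' hides everything."""
        t = target.lower()
        for kw in self.keywords:
            if kw in t:
                return kw
        return None

    def decide(self, client_ip: str, target: str) -> Tuple[str, str]:
        """Return (verdict, reason) for one request from client_ip."""
        if not self.enabled:
            return "allow", "keyword blocking off"
        if self.trusted_user is not None and IPv4Address(client_ip) == self.trusted_user:
            # Exempt from blocking and from logging. Any LAN host that claims
            # this address gets the same exemption, since nothing else is checked.
            return "allow", "trusted user (not logged)"
        kw = self.matching_keyword(target)
        if kw is not None:
            return "block", f"keyword '{kw}'"
        return "allow", "no keyword matched"


def walkthrough() -> dict:
    """Replays the manual's three keyword examples against constructed requests."""
    f = KeywordFilter()
    f.set_trusted_user("192.168.0.50")            # constructed Trusted User address
    out = {}
    f.add_keyword("XXX")
    out["xxx_url"] = f.decide("192.168.0.20", "http://www.example.com/xxx.html")[0]
    out["xxx_news"] = f.decide("192.168.0.20", "alt.pictures.xxx")[0]
    out["xxx_trusted"] = f.decide("192.168.0.50", "http://www.example.com/xxx.html")[0]
    f.add_keyword(".com")
    out["com_site"] = f.decide("192.168.0.20", "http://www.example.com/")[0]
    out["edu_site"] = f.decide("192.168.0.20", "http://www.example.edu/")[0]
    f.add_keyword(".")
    out["dot_edu"] = f.decide("192.168.0.20", "http://www.example.edu/")[0]
    out["dot_ip"] = f.decide("192.168.0.20", "http://198.51.100.7/")[0]
    return out


def capacity_check() -> bool:
    """True if the 33rd keyword is refused and deleting one frees a slot."""
    f = KeywordFilter()
    for i in range(MAX_KEYWORDS):
        f.add_keyword(f"word{i}")
    try:
        f.add_keyword("onemore")
        return False
    except ValueError:
        pass
    f.delete_keyword("word0")
    f.add_keyword("onemore")
    return len(f.keywords) == MAX_KEYWORDS
```

Running walkthrough() shows the progression the manual describes: with only “XXX” listed, the matching URL and newsgroup are blocked while the Trusted User passes; adding “.com” blocks the .com site but not the .edu site; adding “.” blocks both, and a bare IP address URL as well.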
Using Firewall Rules to Regulate Network Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other.
Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing
only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine
what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVS328 are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
You may define additional rules that will specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destination IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
To access the Rules configuration of the FVS328, click the Rules link on the main menu, then click
Add for either an Outbound or Inbound Service.
Figure 6-3: Rules menu
• To edit an existing rule, select its button on the left side of the table and click Edit.
• To delete an existing rule, select its button on the left side of the table and click Delete.
• To move an existing rule to a different position in the table, select its button on the left side of the table and click Move. At the script prompt, enter the number of the desired new position and click OK. Rules are checked in table order, so a rule's position matters whenever two rules could match the same traffic.
Rules Menu Options
• Enable VPN Passthrough (IPSec, PPTP, L2TP) — if LAN users need to use VPN (Virtual Private Networking) software on their computers and connect to remote sites or servers, enable this check box. This allows the VPN protocols (IPSec, PPTP, L2TP) to pass through the firewall. If this check box is not selected, these protocols are blocked.
• Drop fragmented IP packets — if selected, all fragmented IP packets will be dropped (discarded). Normally, this should NOT be selected: legitimate traffic such as large UDP datagrams and IPSec ESP packets is routinely fragmented and would be lost.
• Block TCP flood — if selected, then when a TCP flood attack is detected, the port used will be closed, and no traffic will be able to use that port. Because SYN floods are commonly sent from spoofed source addresses, this response takes the targeted service offline for legitimate clients as well as the attacker.
• Block UDP flood — if selected, then when a UDP flood attack is detected, all traffic from that IP address will be blocked. A flood with a spoofed source address can therefore cause an innocent third party's address to be blocked.
• Block non-standard packets — if selected, then only known packet types will be accepted; other packets will be blocked. The known packet types are TCP, UDP, ICMP, ESP, and GRE. These are identified by the Protocol field of the IP header (IP protocol numbers 6, 17, 1, 50 and 47), not by application protocol. IPSec AH (IP protocol 51) is not on the list, so enabling this option drops AH traffic.
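The two header-level options above, Drop fragmented IP packets and Block non-standard packets, come down to reading a few fields of the IPv4 header. The following added example (not NETGEAR code; the firewall's own implementation is not published) parses a raw IPv4 header and applies both checks to constructed packets, including an IPSec AH packet, which is dropped when Block non-standard packets is on. Addresses in the constructed packets are arbitrary.

```python
import struct

# IP protocol numbers of the packet types the manual lists as "known".
KNOWN_PROTOCOLS = {6: "TCP", 17: "UDP", 1: "ICMP", 50: "ESP", 47: "GRE"}
IP_AH = 51          # IPsec AH: not in the list above, so blocked by the option

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header (RFC 791 layout)
FLAG_MF = 0x2000             # More Fragments flag
FRAG_OFFSET_MASK = 0x1FFF    # fragment offset, in units of 8 bytes


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields a filter needs from the fixed IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "header_len": (ver_ihl & 0x0F) * 4,
        "more_fragments": bool(flags_frag & FLAG_MF),
        "fragment_offset": (flags_frag & FRAG_OFFSET_MASK) * 8,
        "protocol": proto,
        "src": src,
        "dst": dst,
    }


def classify(pkt: bytes, drop_fragments: bool, block_nonstandard: bool) -> str:
    """Apply the two Rules menu options in the order a filter would check them."""
    hdr = parse_ipv4_header(pkt)
    # A packet belongs to a fragment train if MF is set (not the last piece)
    # or the offset is non-zero (not the first piece). The option drops both,
    # which is also why it breaks legitimate large UDP and ESP traffic.
    if drop_fragments and (hdr["more_fragments"] or hdr["fragment_offset"] != 0):
        return "drop:fragment"
    if block_nonstandard and hdr["protocol"] not in KNOWN_PROTOCOLS:
        return f"drop:nonstandard protocol {hdr['protocol']}"
    name = KNOWN_PROTOCOLS.get(hdr["protocol"], str(hdr["protocol"]))
    return f"accept:{name}"


def build_ipv4(proto: int, flags_frag: int = 0, payload: bytes = b"") -> bytes:
    """Constructed test packet. The checksum is left zero; classify() ignores it."""
    src = bytes([192, 168, 0, 10])    # arbitrary LAN address
    dst = bytes([203, 0, 113, 5])     # arbitrary Internet address
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0, src, dst)
    return header + payload


if __name__ == "__main__":
    samples = {
        "tcp":            build_ipv4(6, payload=b"\x00" * 20),
        "udp_first_frag": build_ipv4(17, flags_frag=FLAG_MF),
        "udp_later_frag": build_ipv4(17, flags_frag=1),   # offset 8 bytes, MF clear
        "ipsec_ah":       build_ipv4(IP_AH),
    }
    for name, pkt in samples.items():
        print(f"{name:15} {classify(pkt, drop_fragments=True, block_nonstandard=True)}")
```

Note that the last fragment of a datagram has MF clear but a non-zero offset, so a filter that only tests the MF flag would let it through; the offset test is what catches it.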
Examples of Using Inbound Rules (Port Forwarding)
The FVS328 uses Network Address Translation (NAT), unless this feature is turned off. Using
NAT, your network presents only one IP address to the Internet, and outside users cannot directly
address any of your local computers. However, by defining an inbound rule you can make a local
server (for example, a Web server or game server) visible and available to the Internet. The rule
tells the firewall to direct inbound traffic for a particular service to one local server based on the
destination port number. This is also known as port forwarding.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports
that are necessary for your network. Two application examples of inbound rules follow:
• If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.
• If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule.
These rules are shown below.
Note: Your ISP may check for servers and suspend your account if it discovers active services at your location. If you are unsure, refer to the ISP Acceptable Use Policy.
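The following is an added model of the rule table described in this chapter (the default rules, custom rules matched in table order on service, source address and time of day, optional logging, and the Move operation) together with the two inbound examples above. It is not NETGEAR code; the firewall's own rule engine is not published. The Web server and videoconferencing server addresses, the branch office range and the use of TCP port 1720 (H.323 call setup) for the videoconferencing service are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str            # "tcp" or "udp"
    ports: Tuple[int, int]   # inclusive destination port range


@dataclass(frozen=True)
class Flow:
    direction: str           # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    protocol: str
    src: IPv4Address
    dport: int
    at: time
    is_reply: bool = False   # part of a session the LAN side opened


@dataclass
class Rule:
    direction: str
    action: str                               # "allow" or "block"
    service: Optional[Service] = None         # None = any service
    source: IPv4Network = ANY
    forward_to: Optional[IPv4Address] = None  # inbound only: LAN server (port forwarding)
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    log: str = "never"                        # "never", "match" or "not match"

    def matches(self, f: Flow) -> bool:
        if f.direction != self.direction or f.src not in self.source:
            return False
        if self.service is not None:
            lo, hi = self.service.ports
            if f.protocol != self.service.protocol or not lo <= f.dport <= hi:
                return False
        if self.start <= self.end:
            return self.start <= f.at <= self.end
        return f.at >= self.start or f.at <= self.end   # schedule crossing midnight


class RuleTable:
    """Ordered custom rules; the FVS328 default rules apply when none matches."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.log: List[str] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def move(self, position: int, new_position: int) -> None:
        """Move the rule at 1-based `position` to `new_position`, as the Move button does."""
        self.rules.insert(new_position - 1, self.rules.pop(position - 1))

    def evaluate(self, f: Flow) -> Tuple[str, Optional[str]]:
        """First matching rule wins and returns (action, LAN server or None)."""
        for n, rule in enumerate(self.rules, start=1):
            if rule.direction != f.direction:
                continue
            if rule.matches(f):
                if rule.log == "match":
                    self.log.append(f"rule {n} {rule.action} {f.protocol}/{f.dport} from {f.src}")
                return rule.action, (str(rule.forward_to) if rule.forward_to else None)
            if rule.log == "not match":
                self.log.append(f"rule {n} no match {f.protocol}/{f.dport} from {f.src}")
        if f.direction == "inbound":
            # Default inbound: block everything except responses to LAN-initiated sessions.
            return ("allow" if f.is_reply else "block"), None
        return "allow", None   # Default outbound: allow all


HTTP = Service("HTTP", "tcp", (80, 80))
H323 = Service("H.323 call setup", "tcp", (1720, 1720))   # assumed videoconferencing service


def flow(direction: str, protocol: str, src: str, dport: int,
         hh: int, mm: int = 0, is_reply: bool = False) -> Flow:
    return Flow(direction, protocol, IPv4Address(src), dport, time(hh, mm), is_reply)


def example_table() -> RuleTable:
    """The two inbound rules from the text, with constructed addresses."""
    t = RuleTable()
    t.add(Rule("inbound", "allow", HTTP, forward_to=IPv4Address("192.168.0.10"), log="match"))
    t.add(Rule("inbound", "allow", H323, source=IPv4Network("203.0.113.0/24"),
               forward_to=IPv4Address("192.168.0.20"), start=time(8, 0), end=time(18, 0)))
    return t


def ordering_demo() -> Tuple[str, str]:
    """A block rule added below the HTTP allow rule never fires until it is moved above it."""
    t = example_table()
    t.add(Rule("inbound", "block", HTTP, source=IPv4Network("198.51.100.0/24")))
    probe = flow("inbound", "tcp", "198.51.100.7", 80, 12)
    before = t.evaluate(probe)[0]
    t.move(3, 1)
    after = t.evaluate(probe)[0]
    return before, after
```

ordering_demo() returns ("allow", "block"): the same HTTP request from the blocked range is forwarded to the Web server while the block rule sits in row 3, and refused once Move places it in row 1. That is the property to keep in mind when adding exceptions to an existing table.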