Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
6-8
Protecting Your Network
December 2003, M-10041-01
Figure 6-4: Rule example: a local public Web server
The parameters are:
Service — select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Services menu as seen in Figure 6-3 to add any additional services or applications.
Action — choose how you would like this type of traffic to be handled. You can block or allow always, or block according to the schedule you defined in the Schedule menu.
Send to LAN Server — enter the IP address of the PC or server on your LAN which will receive the inbound traffic covered by this rule. That host becomes reachable from the Internet for this service, so keep it patched and limit what it can reach on the rest of the LAN.
WAN Users — these settings determine which packets are covered by the rule, based on their source (WAN) IP address. Select the desired option:
Any - All IP addresses are covered by this rule.
Address range - enter the "Start" and "Finish" fields.
Single address - enter the required address in the "Start" field.
Log — you can select whether the traffic will be logged. The choices are:
Never - no log entries will be made for this service.
Always - any traffic for this service type will be logged.
Match - traffic that matches the parameters and action will be logged.
Not match - traffic for this service type that does not match the other parameters of the rule (address range or schedule) will be logged.
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 6-5, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 6-5: Rule example: Videoconferencing from Restricted Addresses
Considerations for Inbound Rules
If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
If the IP address of the local server is assigned by DHCP, it may change when the computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the computer's IP address constant.
Local computers must access the local server using the computer's local LAN address (192.168.0.11 in the example in Figure 6-5 above). Attempts by local computers to access the server using the external WAN IP address will fail.
Outbound Rule (Service Blocking) Example
The FVS328 allows you to block the use of certain Internet services by computers on your
network. This is called service blocking or port filtering. You can define an outbound rule to block
Internet access from a local computer based on:
IP address of the local computer (source address)
IP address of the Internet site being contacted (destination address)
Time of day
Type of service being requested (service port number)
The following is an application example of outbound rules to block Instant Messenger use:
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address,
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Figure 6-6: Rule example: blocking Instant Messenger
The parameters are:
Service — select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Services menu as seen in Figure 6-3 to add any additional services or applications that do not already appear.
Action — choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
LAN Users — these settings determine which packets are covered by the rule, based on their source LAN IP address. Select the desired option:
Any - All IP addresses are covered by this rule.
Address range - If this option is selected, you must enter the "Start" and "Finish" fields.
Single address - Enter the required address in the "Start" field.
WAN Users — these settings determine which packets are covered by the rule, based on their destination WAN IP address. Select the desired option:
Any - All IP addresses are covered by this rule.
Address range - If this option is selected, you must enter the "Start" and "Finish" fields.
Single address - Enter the required address in the "Start" field.
Log — select whether the traffic will be logged. The choices are:
Never - No log entries will be made for this service.
Always - Any traffic for this service type will be logged.
Match - Traffic of this type which matches the parameters and action will be logged.
Not match - Traffic of this type which does not match the parameters and action will be logged.
Understanding the Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu. For any traffic attempting to pass through the firewall, the packet information is checked against the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom; the first rule whose parameters match decides the disposition of the packet, and no later rule is consulted. The order of two or more rules therefore matters whenever their parameters overlap: a broad rule placed above a narrower one makes the narrower rule unreachable (for example, an outbound rule that allows any service from any LAN address, placed above the Instant Messenger block rule, means the block is never applied). The Move button allows you to relocate a defined rule to a new position in the table; review the order after adding or moving a rule.
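The inbound Web-server and videoconferencing rules, the outbound Instant Messenger rule and the top-to-bottom evaluation described above can be modelled in a few lines. The following is an added example written for this page, not NETGEAR code and not the firewall's actual implementation: the rule fields follow the menu parameters (Service, Action, Schedule, WAN/LAN Users, Send to LAN Server, Log), while the schedule format, the packet record, the default rules at the bottom of the table, the CU-SeeMe and Instant Messenger port numbers and every IP address are constructed assumptions. The "Not match" log option is read as the CU-SeeMe example describes it: traffic for the rule's service whose address or schedule parameters do not match.

```python
"""First-match rule-table model in the style of the FVS328 Rules menu.
Added example, not NETGEAR code.  Schedule format, packet record, default
rules, CU-SeeMe/IM port numbers and all addresses are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str       # "tcp" or "udp"
    first_port: int  # inclusive destination-port range, as in Add Custom Service
    last_port: int

    def covers(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.first_port <= port <= self.last_port


@dataclass(frozen=True)
class Schedule:
    """Assumed format: active on these weekdays (0 = Monday), start_hour <= hour < end_hour."""
    weekdays: frozenset
    start_hour: int
    end_hour: int

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    direction: str                            # "inbound" or "outbound"
    service: Optional[Service]                # None = any service (default rules)
    action: str                               # "allow" or "block"
    users: Tuple[IPv4Address, IPv4Address]    # WAN Users (inbound) / LAN Users (outbound)
    log: str                                  # "never", "always", "match", "not match"
    schedule: Optional[Schedule] = None       # None = always
    lan_server: Optional[IPv4Address] = None  # Send to LAN Server (inbound only)


@dataclass(frozen=True)
class Packet:
    direction: str
    src: IPv4Address
    proto: str
    dport: int
    when: datetime


def addr_range(start: str, finish: Optional[str] = None) -> Tuple[IPv4Address, IPv4Address]:
    """Single address (Start only) or Address range (Start and Finish)."""
    lo = ip_address(start)
    return (lo, ip_address(finish) if finish else lo)


ANY = addr_range("0.0.0.0", "255.255.255.255")


def evaluate(rules: List[Rule], pkt: Packet):
    """Walk the table top to bottom; the first rule whose parameters all match
    decides.  Returns (action, lan_server, log_lines)."""
    log = []
    for rule in rules:
        # "Traffic of this type": same direction and service as the rule ...
        same_type = rule.direction == pkt.direction and (
            rule.service is None or rule.service.covers(pkt.proto, pkt.dport))
        # ... but the rule fires only if the address and schedule parameters match too.
        fires = same_type and rule.users[0] <= pkt.src <= rule.users[1] and (
            rule.schedule is None or rule.schedule.active(pkt.when))
        if same_type and (rule.log == "always"
                          or (rule.log == "match" and fires)
                          or (rule.log == "not match" and not fires)):
            name = rule.service.name if rule.service else "any"
            verb = "matched" if fires else "did not match"
            log.append(f"{name} {pkt.src}:{pkt.dport} {verb} {rule.action} rule")
        if fires:
            return rule.action, rule.lan_server, log
    raise ValueError("no default rule for this direction")


HTTP = Service("HTTP", "tcp", 80, 80)
CUSEEME = Service("CU-SeeMe", "udp", 7648, 7648)      # port assumed
IM = Service("Instant Messenger", "tcp", 5190, 5190)  # port assumed
WORK_HOURS = Schedule(frozenset(range(5)), 9, 17)     # Mon-Fri, 09:00-17:00

TABLE = [
    Rule("inbound", HTTP, "allow", ANY, "always", lan_server=ip_address("192.168.0.11")),
    Rule("inbound", CUSEEME, "allow", addr_range("203.0.113.10", "203.0.113.20"), "not match"),
    Rule("outbound", IM, "block", ANY, "match", schedule=WORK_HOURS),
    Rule("inbound", None, "block", ANY, "never"),    # default inbound rule (assumed)
    Rule("outbound", None, "allow", ANY, "never"),   # default outbound rule (assumed)
]


def demo():
    monday = datetime(2003, 12, 1, 12, 0)   # a Monday at noon
    sunday = datetime(2003, 12, 7, 12, 0)
    outside = ip_address("198.51.100.7")    # constructed WAN address
    staff = ip_address("192.168.0.22")      # constructed LAN address
    results = {
        "web": evaluate(TABLE, Packet("inbound", outside, "tcp", 80, monday)),
        "video_ok": evaluate(TABLE, Packet("inbound", ip_address("203.0.113.15"), "udp", 7648, monday)),
        "video_bad": evaluate(TABLE, Packet("inbound", outside, "udp", 7648, monday)),
        "im_work": evaluate(TABLE, Packet("outbound", staff, "tcp", 5190, monday)),
        "im_weekend": evaluate(TABLE, Packet("outbound", staff, "tcp", 5190, sunday)),
    }
    # Order of precedence: an allow-any outbound rule moved above the IM block shadows it.
    shadowing = [Rule("outbound", None, "allow", ANY, "never")] + TABLE
    results["im_shadowed"] = evaluate(shadowing, Packet("outbound", staff, "tcp", 5190, monday))
    return results
```

Calling `demo()` shows the Web request forwarded to 192.168.0.11 and logged, the in-range CU-SeeMe request allowed silently, the out-of-range CU-SeeMe request falling through to the default inbound block with a "did not match" log line, the Instant Messenger connection blocked and logged on a Monday at noon but allowed on Sunday, and, once an allow-any outbound rule sits at the top of the table, the same Monday connection allowed because the block rule is never reached.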
Regulating Access to Network Services
Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet sent with destination port number 80 is treated as an HTTP (Web server) request. Note that the port number identifies the service only by convention: the firewall's rules act on the port number, not on the protocol actually carried, so a rule that allows port 80 allows whatever the remote host chooses to run there.
The service numbers for many common protocols were assigned by the Internet Engineering Task Force (IETF) and published in RFC 1700, "Assigned Numbers" (since replaced by the online IANA port-number registry). Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application. For more information on this topic please see Appendix C, "Networks, Routing, and Firewall Basics."
Although the FVS328 already holds a list of many service port numbers, you are not limited to these choices. Use the procedure below to create your own service definitions.
How to Define Services
1. Log in to the firewall at its default LAN address of with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. Click the Services link of the Security menu to display the menu shown below.
Figure 6-7: Services menu
To create a new service, click the Add Custom Service button. To edit an existing service, select it from the list in the table and click Edit Service.
