Chapter 3: LAN Configuration | 41
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

- In Only. The VPN firewall accepts RIP information from other routers, but does not broadcast its routing table.
4. From the RIP Version drop-down list, choose the version from the following options:
   - Disabled. The default selection disables all RIP versions.
   - RIP-1. A classful routing protocol that does not include subnet information. This is the most commonly supported version.
   - RIP-2. Supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format:
     - RIP-2B. Sends the routing data in RIP-2 format and uses subnet broadcasting.
     - RIP-2M. Sends the routing data in RIP-2 format and uses multicasting.
5. Authentication for RIP2B/2M required? If you selected RIP-2B or RIP-2M, select the Yes radio button to enable authentication, and enter the MD5 keys used to authenticate between devices in the First Key Parameters and Second Key Parameters sections on the screen.
6. Click Apply to save your settings.
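As an added example (not from the manual or the firewall's firmware), the following Python shows what the MD5 keys entered in step 5 do on the wire: RIP-2 keyed-MD5 authentication per RFC 2082, where the receiver recomputes the digest with its own copy of the key and drops updates that were altered, signed with an unknown key ID, or replayed. The wire layout follows the RFC rather than the device's own code; key IDs, keys and the sample route are constructed values.

```python
import hashlib
import hmac
import struct

# Added illustration (not the firewall's code) of RIP-2 keyed-MD5
# authentication as defined in RFC 2082. Key IDs, keys and the route
# used in the tests are constructed sample values.

def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def _auth_header(key_id, seq, body_len):
    # AFI 0xFFFF, auth type 3 (keyed MD5), offset of the trailer, key ID,
    # digest length 16, sequence number, 8 reserved zero bytes (20 bytes)
    return struct.pack("!HHHBBI8x", 0xFFFF, 3, body_len, key_id, 16, seq)

def _digest(body, key):
    # MD5 over the packet up to the trailer, the trailer's AFI/type words,
    # and the key zero-padded to 16 bytes in place of the digest
    padded = key.encode().ljust(16, b"\x00")[:16]
    return hashlib.md5(body + struct.pack("!HH", 0xFFFF, 1) + padded).digest()

def build_rip2_md5(routes, key_id, key, seq):
    """routes: list of (prefix, mask, next_hop, metric); returns a RIP-2 response."""
    entries = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, _ip(p), _ip(m), _ip(n), metric)
        for p, m, n, metric in routes)
    header = struct.pack("!BBH", 2, 2, 0)          # command 2 = response, version 2
    body_len = len(header) + 20 + len(entries)     # where the trailer starts
    body = header + _auth_header(key_id, seq, body_len) + entries
    return body + struct.pack("!HH", 0xFFFF, 1) + _digest(body, key)

def verify_rip2_md5(packet, keys, last_seq=-1):
    """keys maps key ID -> key (e.g. the First and Second Key Parameters).
    Returns (accepted, reason)."""
    afi, atype, body_len, key_id, dlen, seq = struct.unpack_from("!HHHBBI", packet, 4)
    if afi != 0xFFFF or atype != 3 or dlen != 16:
        return False, "no keyed-MD5 authentication header"
    if key_id not in keys:
        return False, "unknown key id"
    if seq <= last_seq:                            # simplified replay check
        return False, "sequence number not increasing"
    body, trailer = packet[:body_len], packet[body_len:]
    expected = struct.pack("!HH", 0xFFFF, 1) + _digest(body, keys[key_id])
    if not hmac.compare_digest(trailer, expected):
        return False, "digest mismatch"
    return True, "ok"
```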
Chapter 4: Firewall Protection and Content Filtering
This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit
Firewall with SSL & IPsec VPN FVS336Gv2 to protect your network.
This chapter contains the following sections:
- “About Firewall Protection and Content Filtering” on this page.
- “Using Rules to Block or Allow Specific Kinds of Traffic” on page 43.
- “Configuring Other Firewall Features” on page 54.
- “Creating Services, QoS Profiles, and Bandwidth Profiles” on page 57.
- “Setting a Schedule to Block or Allow Specific Traffic” on page 61.
- “Blocking Internet Sites (Content Filtering)” on page 62.
- “Configuring Source MAC Filtering” on page 64.
- “Configuring IP/MAC Address Binding” on page 65.
- “Configuring Port Triggering” on page 66.
- “Managing the Application Level Gateway for SIP Sessions” on page 56.
- “E-Mail Notifications of Event Logs and Alerts” on page 68.
- “Administrator Tips” on page 69.
About Firewall Protection and Content Filtering
The VPN firewall provides you with Web content filtering options, plus browsing activity
reporting and instant alerts via e-mail. Network administrators can establish restricted access
policies based on time-of-day, Web addresses and Web address keywords. You can also
block Internet access by applications and services, such as chat or games.
A firewall is a special category of router that protects one network (the “trusted” network, such
as your LAN) from another (the untrusted network, such as the Internet), while allowing
communication between the two. You can further segment keyword blocking to certain known
groups (see “Managing Groups and Hosts (LAN Groups)” on page 34 to set up LAN Groups).
A firewall incorporates the functions of a NAT (Network Address Translation) router, while
adding features for dealing with a hacker intrusion or attack, and for controlling the types of
traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a
firewall uses a process called stateful packet inspection to protect your network from attacks
and intrusions. NAT performs a very limited stateful inspection in that it considers whether the
incoming packet is in response to an outgoing request, but true Stateful Packet Inspection
goes far beyond NAT.
Using Rules to Block or Allow Specific Kinds of Traffic
This section includes the following topics:
- “About Services-Based Rules” on page 43.
- “Viewing the Rules” on page 48.
- “Order of Precedence for Rules” on page 48.
- “Setting the Default Outbound Policy” on page 48.
- “Creating a LAN WAN Outbound Services Rule” on page 49.
- “Creating a LAN WAN Inbound Services Rule” on page 49.
- “Modifying Rules” on page 50.
- “Inbound Rules Examples” on page 51.
- “Outbound Rules Example” on page 53.
Firewall rules are used to block or allow specific traffic passing through from one side to the
other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources,
selectively allowing only specific outside users to access specific resources. Outbound rules
(LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound traffic. The
default rules of the VPN firewall are:
- Inbound. Block all access from outside except responses to requests from the LAN side.
- Outbound. Allow all access from the LAN side to the outside.
User-defined firewall rules for blocking or allowing traffic on the VPN firewall can be applied
to inbound or outbound traffic.
About Services-Based Rules
The rules to block traffic are based on the traffic’s category of service.
- Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it.
- Inbound Rules (port forwarding). Inbound traffic is normally blocked by the VPN firewall unless the traffic is in response to a request from the LAN side. The VPN firewall can be configured to allow this otherwise blocked traffic.
- Customized Services. Additional services can be added to the factory default list of services. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services” on page 57).
- Quality of Service (QoS) priorities. Each service has its own native priority, which affects its quality of performance and its tolerance for jitter or delays. You can change this QoS priority if desired to change the traffic mix through the system (see “Setting Quality of Service (QoS) Priorities” on page 58).
Outbound Rules (Service Blocking)
The VPN firewall allows you to block the use of certain Internet services by PCs on your
network. This is called service blocking or port filtering.
The default policy can be changed to block all outbound traffic and enable only specific
services to pass through the VPN firewall. The following Outbound Rules table lists the
configured rules for outgoing traffic. An outbound rule is defined by the fields shown in the
following table.
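The following Python is an added illustration, not code from the manual or the device: it models how the Service, Action, Select Schedule, LAN Users and WAN Users fields of Table 4-3 combine when the firewall decides on an outbound connection, with the default rule applied when no user rule matches. Rule precedence is not covered on this page, so first-match-wins and a schedule expressed as hours of the day are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Added model (not the firewall's code) of how one Outbound Rules entry
# from Table 4-3 is evaluated. Assumed here: the first matching rule wins,
# and the schedule is given as the hours of the day during which it is active.

@dataclass
class OutboundRule:
    service: str                  # a name from the Services list, e.g. "HTTP"
    action: str                   # one of the four Action choices in Table 4-3
    lan_users: str = "Any"        # "Any", "Single", "Range" or "Group"
    lan_addrs: tuple = ()         # (address,) for Single, (start, end) for Range
    group_members: frozenset = frozenset()   # hosts assigned to the selected Group
    wan_users: str = "Any"        # "Any", "Single" or "Range"
    wan_addrs: tuple = ()
    schedule: set = field(default_factory=set)   # hours 0-23 the schedule covers

    def _in_scope(self, side, addr):
        mode = self.lan_users if side == "lan" else self.wan_users
        bounds = self.lan_addrs if side == "lan" else self.wan_addrs
        ip = ipaddress.ip_address(addr)
        if mode == "Any":
            return True
        if mode == "Single":
            return ip == ipaddress.ip_address(bounds[0])
        if mode == "Range":
            return ipaddress.ip_address(bounds[0]) <= ip <= ipaddress.ip_address(bounds[1])
        if mode == "Group" and side == "lan":
            return addr in self.group_members
        raise ValueError(f"unsupported {side} users option: {mode}")

    def matches(self, service, lan_ip, wan_ip):
        return (service == self.service and self._in_scope("lan", lan_ip)
                and self._in_scope("wan", wan_ip))

    def decide(self, hour):
        active = hour in self.schedule   # "by schedule" actions apply only then
        return {"BLOCK always": "BLOCK", "ALLOW always": "ALLOW",
                "BLOCK by schedule, otherwise Allow": "BLOCK" if active else "ALLOW",
                "ALLOW by schedule, otherwise Block": "ALLOW" if active else "BLOCK",
                }[self.action]

def evaluate_outbound(rules, service, lan_ip, wan_ip, hour, default="ALLOW"):
    """Return (verdict, index of the deciding rule); None means the default rule applied."""
    for index, rule in enumerate(rules):
        if rule.matches(service, lan_ip, wan_ip):
            return rule.decide(hour), index
    return default, None
```

Pass default="BLOCK" to model the default outbound policy being changed to block all traffic, as described above the table.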
Table 4-3. Outbound Rules

Service
    Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the table, you must define it using the Services screen (see “Adding Customized Services” on page 57).

Action
    Select the desired action for outgoing connections covered by this rule:
    - BLOCK always
    - BLOCK by schedule, otherwise Allow
    - ALLOW always
    - ALLOW by schedule, otherwise Block
    Note: Any outbound traffic that is not blocked by rules you create will be allowed by the default rule.
    ALLOW rules are only useful if the traffic is already covered by a BLOCK rule. That is, you wish to allow a subset of traffic that is currently blocked by another rule.

Select Schedule
    Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule. This drop-down list is activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as the Action. Use the Schedule screen to configure the time schedules (see “Setting a Schedule to Block or Allow Specific Traffic” on page 61).

LAN Users
    Specifies which computers on your network are affected by this rule. Select the desired option:
    - Any – All PCs and devices on your LAN.
    - Single address – Enter the required address and the rule will be applied to that particular PC.
    - Address range – If this option is selected, you must enter the start and finish fields.
    - Groups – Select the Group to which this rule will apply. Use the LAN Groups screen (under Network Configuration) to assign PCs to Groups. See “Managing Groups and Hosts (LAN Groups)” on page 34.

WAN Users
    Specifies which Internet locations are covered by the rule, based on their IP address. Select the desired option:
    - Any – All Internet IP addresses are covered by this rule.
    - Single address – Enter the required address in the start field.
    - Address range – If this option is selected, you must enter the start and end fields.

QoS Priority
    Specifies the priority of a service which, in turn, determines the quality of that service for the traffic passing through the VPN firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (leaves it as Normal-Service), then the native priority of the service will be applied to the policy. See “Setting Quality of Service (QoS) Priorities” on page 58.

Log
    This determines whether packets covered by this rule are logged. Select the desired action:
    - Always – always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
    - Never – never log traffic considered by this rule, whether it matches or not.

Bandwidth Profile
    Specifies the name of a bandwidth limiting profile. Using a bandwidth profile, the bandwidth consumed by different connections can be limited. If multiple connections correspond to the same firewall rule, they will share the same bandwidth limit. See “Creating Bandwidth Profiles” on page 59.

NAT IP
    Specifies whether the source IP address of the outgoing packets should be the WAN interface address or a specified address, which should belong to the WAN subnet.

NAT Single IP Is On (interface)
    Specifies to which WAN interface the NAT IP address belongs. All outgoing packets will be routed through the specified WAN interface only.

Note: See “Configuring Source MAC Filtering” on page 64 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the VPN firewall.

Inbound Rules (Port Forwarding)
When the VPN firewall uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the VPN firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding.
Whether or not DHCP is enabled, how the PCs will access the server’s LAN address impacts the inbound rules. For example:
- If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address may change periodically as the DHCP lease expires. Consider using dynamic
