Firewall Protection and Content Filtering

4-1

v1.0, March 2009

Chapter 4

Firewall Protection and Content Filtering

This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to

protect your network.

This chapter includes the following sections:

•

“About Firewall Protection and Content Filtering” on page 4-1

•

“Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2

•

“Setting a Schedule to Block or Allow Specific Traffic” on page 4-28

•

“Setting Block Sites (Content Filtering)” on page 4-29

•

“Enabling Source MAC Filtering” on page 4-31

•

“IP/MAC Binding” on page 4-33

•

“Port Triggering” on page 4-35

•

“Bandwidth Limiting” on page 4-37

•

“E-Mail Notifications of Event Logs and Alerts” on page 4-39

•

“Administrator Tips” on page 4-43

About Firewall Protection and Content Filtering

The ProSafe VPN Firewall 200 provides you with Web content filtering options, plus browsing

activity reporting and instant alerts via e-mail. Parents and network administrators can establish

restricted access policies based on time-of-day, Web addresses and Web address keywords. You

can also block Internet access by applications and services, such as chat or games.

A firewall is a special category of router that protects one network (the “trusted” network, such as

your LAN) from another (the untrusted network, such as the Internet), while allowing

communication between the two. You can further segment keyword blocking to certain known

groups (see

“Managing Groups and Hosts (LAN Groups)” on page 3-6

to set up LAN Groups).

A firewall incorporates the functions of a NAT (Network Address Translation) router, while

adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic

that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall

uses a process called stateful packet inspection to protect your network from attacks and

ProSafe VPN Firewall 200 FVX538 Reference Manual

4-2

Firewall Protection and Content Filtering

v1.0, March 2009

intrusions. NAT performs a very limited stateful inspection in that it considers whether the

incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far

beyond NAT.

Using Rules to Block or Allow Specific Kinds of Traffic

Firewall rules are used to block or allow specific traffic passing through from one side to the other.

You can configure up to 600 rules on the FVX538. Inbound rules (WAN to LAN) restrict access by

outsiders to private resources, selectively allowing only specific outside users to access specific

resources. Outbound rules (LAN to WAN) determine what outside resources local users can have

access to.

A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of

the FVX538 are:

•

Inbound

: Block all access from outside except responses to requests from the LAN side.

•

Outbound

: Allow all access from the LAN side to the outside.

The firewall rules for blocking/allowing traffic on the VPN firewall can be applied to LAN/WAN

traffic, DMZ/WAN traffic and LAN/DMZ traffic.

Services-Based Rules

The rules to block traffic are based on the traffic’s category of service.

•

Outbound Rules (service blocking)

– Outbound traffic is normally allowed unless the

firewall is configured to disallow it.

•

Inbound Rules (port forwarding)

– Inbound traffic is normally blocked by the firewall

unless the traffic is in response to a request from the LAN side. The firewall can be configured

to allow this otherwise blocked traffic.

Table 4-1.

Supported FIrewall Rule Configurations

Traffic Rule

Outbound Rules

Inbound Rules

LAN WAN

50

50

DMZ WAN

50

50

LAN DMZ

50

50

ProSafe VPN Firewall 200 FVX538 Reference Manual

Firewall Protection and Content Filtering

4-3

v1.0, March 2009

•

Customized Services

– Additional services can be added to the list of services in the factory

default list. These added services can then have rules defined for them to either allow or block

that traffic (see

“Adding Customized Services” on page 4-25

.

•

Quality of Service (QoS) priorities

– Each service has its own native priority that impacts its

quality of performance and tolerance for jitter or delays. You can change the QoS priority

which will change the traffic mix through the system (see

“Setting Quality of Service (QoS)

Priorities” on page 4-27

).

Outbound Rules (Service Blocking)

The FVX538 allows you to block the use of certain Internet services by PCs on your network. This

is called service blocking or port filtering.

Note:

See

“Enabling Source MAC Filtering” on page 4-31

for yet another way to block

outbound traffic from selected PCs that would otherwise be allowed by the

firewall.

Table 4-2.

Outbound Rules

Item

Description

Service Name

Select the desired Service or application to be covered by this rule. If the desired

service or application does not appear in the list, you must define it using the

Services menu (see

“Adding Customized Services” on page 4-25

).

Action (Filter)

Select the desired action for outgoing connections covered by this rule:

•

BLOCK always

•

BLOCK by schedule, otherwise Allow

•

ALLOW always

•

ALLOW by schedule, otherwise Block

Note

: Any outbound traffic which is not blocked by rules you create will be allowed by

the Default rule.

ALLOW rules are only useful if the traffic is already covered by a BLOCK rule. That

is, you wish to allow a subset of traffic that is currently blocked by another rule.

Action (Select

Schedule)

Select the desired time schedule (i.e., Schedule1, Schedule2, or Schedule3) that will

be used by this rule.

•

This drop down menu gets activated only when “BLOCK by schedule, otherwise

Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.

•

Use schedule page to configure the time schedules (see

“Setting a Schedule to

Block or Allow Specific Traffic” on page 4-28

).

ProSafe VPN Firewall 200 FVX538 Reference Manual

4-4

Firewall Protection and Content Filtering

v1.0, March 2009

LAN users

These settings determine which computers on your network are affected by this rule.

Select the desired options:

•

Any – All PCs and devices on your LAN.

•

Single address – Enter the required address and the rule will be applied to that

particular PC.

•

Address range – If this option is selected, you must enter the start and finish fields.

•

Groups – Select the Group to which this rule will apply. Use the LAN Groups screen

(under Network Configuration) to assign PCs to Groups. See

“Managing Groups

and Hosts (LAN Groups)” on page 3-6

.

WAN Users

These settings determine which Internet locations are covered by the rule, based on

their IP address. Select the desired option:

•

Any – All Internet IP address are covered by this rule.

•

Single address – Enter the required address in the start field.

•

Address range – If this option is selected, you must enter the start and end fields.

DMZ Users

These settings determine which DMZ computers on the DMZ network are affected by

this rule. Select the desired options.

•

Any – All PCs and devices on your DMZ network.

•

Single address – Enter the required address and the rule will be applied to that

particular PC on the DMZ network.

•

Address range – If this option is selected, you must enter the start and finish fields

of the DMZ computers.

Table 4-2.

Outbound Rules (continued)

Item

Description

ProSafe VPN Firewall 200 FVX538 Reference Manual

Firewall Protection and Content Filtering

4-5

v1.0, March 2009

QoS Priority

The priority assigned to IP packets of this service. The priorities are defined by “Type

of Service (TOS) in the Internet Protocol Suite” standards, RFC 1349. The router

marks the Type Of Service (TOS) field as defined below:

•

Normal-Service: No special priority given to the traffic. The IP packets for services

with this priority are marked with a TOS value of 0.

•

Minimize-Cost: Used when data must be transferred over a link that has a lower

cost. The IP packets for services with this priority are marked with a TOS value of 1.

•

Maximize-Reliability: Used when data needs to travel to the destination over a

reliable link and with little or no retransmission. The IP packets for services with this

priority are marked with a TOS value of 2.

•

Maximize-Throughput: Used when the volume of data transferred during an interval

is important even if the latency over the link is high. The IP packets for services with

this priority are marked with a TOS value of 4.

•

Minimize-Delay: Used when the time required (latency) for the packet to reach the

destination must be low. The IP packets for services with this priority are marked

with a TOS value of 8.

This setting determines the priority of a service which, in turn, determines the quality

of that service for the traffic passing through the firewall. By default, the priority

shown is that of the selected service. The user can change it accordingly. If the user

does not make a selection (i.e., leaves it as None), then the native priority of the

service will be applied to the policy. See

“Setting Quality of Service (QoS) Priorities”

on page 4-27

.

NAT IP

Specifies whether the source address of the outgoing packets on WAN should be

assigned WAN interface address OR different one.

•

NAT single IP is on: The Interface to which the NAT IP belongs to. All the outgoing

packets on WAN will be routed through the specified WAN interface only.

•

WAN Interface Address: All the outgoing packets on WAN will be assigned WAN

interface address.

•

Single Address: All the outgoing packets on WAN will be assigned the specified IP

address.

Note

: This option will be available only when WAN mode is NAT. The IP address

specified should fall under the WAN subnet.

Table 4-2.

Outbound Rules (continued)

Item

Description