3G Broadband Wireless Router MBR624GU User Manual

Protecting Your Network

3-5

v1.1, March 2009

Firewall Rules

Firewall rules block or allow specific traffic passing through from one side of the router to the

other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively

allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN)

determine what outside resources local users can have access to.

The default inbound and outbound rules of the

router

are:

•

Inbound

. Block all access from outside except responses to requests from the LAN side.

•

Outbound

. Allow all access from the LAN side to the outside.

You can define additional rules that will specify exceptions to the default rules. By adding custom

rules, you can block or allow access based on the service or application, source or destination IP

addresses, and time of day. You can also choose to log traffic that matches or does not match the

rule you have defined.

You can change the order of precedence of rules so that the rule that applies most often will take

effect first. See

“Order of Precedence for Rules”

for more details.

To view or change firewall rules, select Firewall Rules on the main menu.

•

To edit an existing rule, select its button on the left side of the table and click

Edit

.

•

To delete an existing rule, select its button on the left side of the table and click

Delete

.

•

To move a rule to a different position in the table, select its button, and then click

Move

. At the

prompt, enter the number of the desired new position, and then click

OK

.

Figure 3-3

3G Broadband Wireless Router MBR624GU User Manual

3-6

Protecting Your Network

v1.1, March 2009

Inbound Rules (Port Forwarding)

Because the

router

uses Network Address Translation (NAT), your network presents only one IP

address to the Internet, and outside users cannot directly access any of your local computers.

However, by defining an inbound rule you can make a local server (for example, a Web server or

game server) visible and available to the Internet. The rule tells the router to direct inbound traffic

for a particular service to one local server based on the destination port number. This is also known

as port forwarding.

Remember that allowing inbound services opens holes in your firewall. Enable only those ports

that are necessary for your network. Following are two application examples of inbound rules.

Inbound Rule Example: A Local Public Web Server

If you host a public Web server on your local network, you can define a rule to allow inbound Web

(HTTP) requests from outside IP addresses to the IP address of your Web server at any time of day.

This rule is shown in the following figure:

The settings are:

•

Service

. From this list, select the application or service to be allowed or blocked. The list

already displays many common services, but you are not limited to these choices. Use the

Services screen to add any additional services or applications that do not already appear.

Note:

Some broadband ISP accounts do not allow you to run any server processes (such

as a Web or FTP server) from your location. Your ISP might periodically check for

servers and might suspend your account if it discovers any active services at your

location. If you are unsure, see the acceptable use policy of your ISP.

Figure 3-4

3G Broadband Wireless Router MBR624GU User Manual

Protecting Your Network

3-7

v1.1, March 2009

•

Action

. Select when you want this type of traffic to be handled. You can block or allow

always, or you can choose to block or allow according to the schedule you have defined in the

Schedule screen.

•

Send to LAN Server

. Enter the IP address of the computer or server on your LAN which will

receive the inbound traffic covered by this rule.

•

WAN Users

. These settings determine which packets are covered by the rule, based on their

source (WAN) IP address. Select the option that you want:

–

Any

. All IP addresses are covered by this rule.

–

Address range

. If this option is selected, you must enter the

Start

and

Finish

fields.

–

Single address

. Enter the required address in the

Start

field.

•

Log

. You can select whether the traffic will be logged. The choices are:

–

Never

. No log entries will be made for this service.

–

Always

. Any traffic for this service type will be logged.

–

Match

. Traffic of this type that matches the rule will be logged.

–

Not match

. Traffic of this type that does not match the rule will be logged.

Inbound Rule Example: Allowing Videoconferencing

You can create an inbound rule to allow incoming videoconferencing to be initiated from a

restricted range of outside IP addresses, such as from a branch office. In this example, CU-SeeMe

connections are allowed only from a specified range of external IP addresses. This example also

specifies logging of any incoming CU-SeeMe requests that do not match the allowed parameters.

Figure 3-5

3G Broadband Wireless Router MBR624GU User Manual

3-8

Protecting Your Network

v1.1, March 2009

Considerations for Inbound Rules

If your external IP address is assigned dynamically by your ISP, the IP address might change

periodically as the DHCP lease expires. Consider using the Dynamic DNS feature so that external

users can always find your network.

If the IP address of the local server computer is assigned by DHCP, it might change when the

computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to

keep the computer’s IP address constant.

Local computers must access the local server using the computer’s local LAN address

(192.168.0.11 in the previous example). Attempts by local computers to access the server using the

external WAN IP address will fail.

Outbound Rules (Service Blocking)

The router allows you to block the use of certain Internet services by computers on your network.

This is called service blocking or port filtering. You can define an outbound rule to block Internet

access from a local computer based on the following:

•

IP address of the local computer (source address)

•

IP address of the Internet site being contacted (destination address)

•

Time of day

•

Type of service being requested (service port number)

Outbound Rule Example: Blocking Instant Messenger

If you want to block Instant Messenger usage by employees during working hours, you can create

an outbound rule to block that application from any internal IP address to any external address

according to the schedule that you have created in the Schedule screen. You can also have the

router log any attempt to use Instant Messenger during that blocked period.

3G Broadband Wireless Router MBR624GU User Manual

Protecting Your Network

3-9

v1.1, March 2009

The following screen shows AIM selected in the

Service

list:

The Outbound Services screen includes the following fields:

•

Service

. Select the application or service from the drop-down list to be allowed or blocked.

You can use the Add Custom Service feature to add any additional services or applications that

are not in the list; see

“Defining Services”

for details.

•

Action

. Choose when you want this type of traffic to be handled. You can block or allow

always, or you can block or allow according to the schedule defined in the Schedule screen.

•

LAN users

. This setting determine which packets are covered by the rule, based on their

source LAN IP address. Select the desired option:

–

Any

. All IP addresses are covered by this rule.

–

Address range

. If this option is selected, you must fill in the

Start

and

Finish

fields.

–

Single address

. Enter the required address in the Start field.

•

WAN users

. This setting determines which packets are covered by the rule, based on their

destination WAN IP address. Select the option that you want:

–

Any

. All IP addresses are covered by this rule.

–

Address range

. If this option is selected, you must fill in the

Start

and

Finish

fields.

–

Single address

. Enter the required address in the

Start

field.

•

Log

. Select whether the traffic will be logged. The choices are:

–

Never

. No log entries will be made for this service.

–

Always

. Any traffic for this service type will be logged.

–

Match

. Traffic of this type that matches the rule will be logged.

–

Not match

. Traffic of this type that does not match the rule will be logged.

Figure 3-6