PRG AV4202N

© (2007) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

Security Section

OGU 930500275-A1

69

PORT TRIGGERING

Port triggering can be used for dynamic port forwarding configuration. By setting

port triggering rules, you can allow inbound traffic to arrive at a specific LAN

host, using ports different than those used for the outbound traffic. This is called

port triggering since the outbound traffic triggers to which ports inbound traffic is

directed.

For example, consider a gaming server that is accessed using UDP protocol on

port 2222. The gaming server responds by connecting the user using UDP on

port 3333 when starting gaming sessions. In such a case you must use port

triggering, since this scenario conflicts with the following default firewall settings:



The firewall blocks inbound traffic by default.



The server replies to the Router's IP, and the connection is not sent back to

your host, since it is not part of a session.

In order to solve this you need to define a Port Triggering entry, which allows

inbound traffic on UDP port 3333, only after a LAN host generated traffic to

UDP port 2222. This will result in accepting the inbound traffic from the gaming

server, and sending it back to the LAN Host which originated the outgoing traffic

to UDP port 2222.

Select the 'Port Triggering' tab in the 'Security' management screen. The 'Port

Triggering' screen will appear.

FIGURE 5.

Port Triggering panel

WEB SITE RESTRICTIONS

You may configure the Router to block specific Internet web sites so that they

cannot be accessed from computers in the home network. Moreover, restric-

PRG AV4202N

© (2007) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

70

OGU 930500275-A1

Security Section

tions can be applied to a comprehensive and automatically updated table of

sites to which access is not recommended.

FIGURE 6.

Web Site Restrictions panel

To block access to a web site:

1.

Click the 'Web Site Restrictions' tab in the 'Security' management screen

2.

Click the 'New Entry' link. The 'Restricted Web Site' screen will appear

3.

Enter the web site address (IP address or URL) that you would like to make

inaccessible from your home network (all Web pages within the site will also

be blocked). If the web site address has multiple IP addresses, the Router

will resolve all additional addresses and automatically add them to the re-

strictions table.

4.

The Local Host combo-box provides you the ability to specify the computer

or group of computers for which you would like to apply the web site restric-

tion. You can select between any, a specific computer in your LAN, or 'User

Defined'. If you choose the 'User Defined' option, the 'Edit Network Object'

screen will appear. Specifying an address is done by creating a 'Network

Object'.

5.

The Schedule combo-box allows you to define the time period during which

this rule will take effect. By default, the rule will always be active. However,

you can configure scheduled rules by selecting 'User Defined'.

6.

Click 'OK' to save the settings.You will be returned to the previous screen

while the Router attempts to find the site. 'Resolving ...' will appear in the

Status column while the site is being located (the URL is 'resolved' into one

or more IP addresses).

NAT

PRG AV4202N

features a configurable Network Address Translation (NAT)

and Network Address Port Translation (NAPT) mechanism, allowing you to con-

trol the network addresses and ports of packets routed through your gateway.

When enabling multiple computers on your network to access the Internet using

PRG AV4202N

© (2007) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

Security Section

OGU 930500275-A1

71

a fixed number of public IP addresses, you can statically define which LAN IP

address will be translated to which NAT IP address and/or ports.

By default, the Router operates in NAPT routing mode. However, you can con-

trol your network translation by defining static NAT/NAPT rules. Such rules map

LAN computers to NAT IP addresses.

The NAT/NAPT mechanism is useful for managing Internet usage in your LAN,

or complying with various application demands. For example, you can assign

your primary LAN computer with a single NAT IP address, in order to assure its

permanent connection to the Internet. Another example is when an application

server with which you wish to connect, such as a security server, requires that

packets have a specific IP address - you can define a NAT rule for that address.

FIGURE 7.

NAT panel

CONNECTIONS

The connection list displays all the connections that are currently open on the

firewall, as well as various details and statistics. You can use this list to close

undesired connections by clicking their Remove action icons. The basic display

includes the name of the protocol, the different ports it uses, and the direction of

traffic secured.

Press the 'Advanced' button to display a more detailed connection list, which in-

cludes the connection's time-to-live, number of kilo-bytes and packets received

and transmitted, the device type and the routing mode.

PRG AV4202N

© (2007) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

72

OGU 930500275-A1

Security Section

Use the 'Connections Per Page' combo-box to select the number of connections

to display at once. The 'Approximate Max. Connections' value represents the

amount of additional concurrent connections possible.

FIGURE 8.

Connections panel

ADVANCED FILTERING

Advanced filtering is designed to allow comprehensive control over the Fire-

wall’s behavior. You can define specific input and output rules, control the order

of logically similar sets of rules and make a distinction between rules that apply

to WAN and LAN devices.

To view Router's advanced filtering options, click 'Advanced Filtering' under the

'Firewall' tab in the 'Services' screen. The 'Advanced Filtering' screen will ap-

pear.

This screen is divided into two identical sections, one for 'Input Rule Sets' and

the other for 'Output Rule Sets', which are for configuring inbound and outbound

traffic, respectively. Each section is comprised of subsets, which can be

grouped into three main subjects:



Initial rules - rules defined here will be applied first, on all gateway devices.



Network devices rules - rules can be defined per each gateway device.



Final rules - rules defined here will be applied last, on all gateway devices.

The order of the rules' appearance represents both the order in which they were

defined and the sequence by which they will be applied. You may change this

order after your rules are already defined (without having to delete and then re-

add them), by using the Move Up and Move Down action icons.

PRG AV4202N

© (2007) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

Security Section

OGU 930500275-A1

73

There are numerous rules automatically inserted by the firewall in order to pro-

vide improved security and block harmful attacks.

To add an advanced filtering rule, first choose the traffic direction and the de-

vice on which to set the rule. Then click the appropriate 'New Entry' link. The

'Add Advanced Filter' screen will appear: this screen is divided into two main

sections, 'Matching' and 'Operation', which are for defining the operation to be

executed when matching conditions apply.

FIGURE 9.

Advanced Filtering panel

SECURITY LOG

The Security Log displays a list of firewall-related events, including attempts to

establish inbound and outbound connections, attempts to authenticate through

an administrative interface (Web-based management or Telnet terminal), fire-

wall configuration and system start-up.

To view the security log, click the 'Security Log' tab in the 'Security' manage-

ment screen. The 'Security Log' screen will appear.