Router User’s Guide
Monitoring Network Health
Level
The firewall contained within the Router may be configured to operate in one of several modes, referred
to as levels. For ease of use, three generic levels are preconfigured – Low, Medium and High. A separate
level, ICSA 3.0a Compliant, is provided for those users who require compliance with the criteria set forth
by ICSA Labs for firewall behavior. (Please refer to Appendix D, “Firewall Security Levels,” in the User
Guide on CD-ROM for a detailed description of these preconfigured levels.)
In addition to the preconfigured levels, a Custom level is provided for advanced users who require the
capability to define a unique custom set of firewall rules.
To specify the firewall security level:
1. Select Setup>Firewall>Level from the left navigation pane of the Web interface. This displays the
“Firewall Level Configuration” window.
2. Select one of the following from the Select Firewall Level drop-down menu.
Off
No restrictions are applied to either inbound or outbound traffic. In addition, Network Address Port
Translation (NAPT) functionality is disabled. Because there is no address/port translation when
the firewall is placed in this mode, all LAN-side connected hosts must be assigned a valid public
IP address.
Low
Minimal restrictions with respect to outbound traffic. Outbound traffic is allowed for all supported
IP-based applications and Application Level Routers (ALGs). The only inbound traffic allowed is
traffic received within the context of an outbound session initiated on the local host.
Medium
Moderate restrictions with respect to outbound traffic. Outbound traffic is allowed for most
supported IP-based applications and Application Level Routers (ALGs). The only inbound traffic
allowed is traffic received within the context of an outbound session initiated on the local host.
High
High restrictions with respect to outbound traffic. Outbound traffic is allowed only for a very
restricted set of supported IP-based applications and ALGs. The only inbound traffic allowed is
traffic received within the context of an outbound session initiated on the local host and permitted
by this firewall mode.
ICSA 3.0a-compliant
Supports the ICSA Labs criteria for firewall behavior. (For more information, visit the ICSA site at
).
Custom
Allows advanced users to add, modify, and delete their own firewall rules. If you select this option,
you must set customized rules for both inbound and outbound traffic using the IP Filtering option.
3. Click Apply.
Snooze
The snooze feature allows you to temporarily disable the firewall for a set amount of time so outside
support personnel can access your Router or network or so you can run an application that conflicts with
the firewall.
Note: Important! This function is recommended for use only when you require this special
level of unrestricted access as it leaves your Router and network exposed to the Internet with no firewall
protection.
To enable and configure snooze control:
1. Select Setup>Firewall>Snooze from the left navigation pane of the Web interface. This displays the
“Firewall Snooze Control” window.
2. Select one of the following:
Disable Snooze
Disables all snooze control. In this mode, the firewall is not disabled.
Enable Snooze, and set the Snooze time interval to
Enables snooze for a specified time period. Be sure to enter the number of minutes to define how
long the firewall should be disabled.
Reset the Snooze time interval to
Reset the snooze control time period. Use this option if you need a time extension for an open
snooze session. Be sure to specify the additional amount of time (minutes) the firewall should be
disabled.
3. Click Apply.
DMZ
The firewall supports virtual DMZ in single (LAN) port router models. Virtual DMZ redirects traffic to a
specified IP address rather than a physical port. Because this redirection is a logical application rather
than physical, it is called “virtual DMZ.”
Using virtual DMZ, a single node on the LAN can be made “visible” to the WAN IP network. Any incoming
network traffic not handled by port forwarding rules is automatically forwarded to an enabled DMZ node.
Outbound traffic from the virtual DMZ node circumvents all firewall rules. The DMZ feature allows a
computer on your home network to circumvent the firewall and have direct access to the internet. This
feature is primarily used for gaming. Under this mode of operation all network traffic received from the
WAN that is not destined for a host specifically exposed through NAT or for a server exposed through
Port Forwarding will be redirected to the designated DMZ host. If the DMZ feature is enabled, you must
select the computer to be used as the DMZ computer/host.
This function is recommended for use only when you require this special level of unrestricted access as it
leaves your Router and network exposed to the Internet with no firewall protection.
To enable and configure the DMZ:
1. Select Setup>Firewall>DMZ from the left navigation pane of the Web interface. This displays the
“Firewall DMZ Configuration” window.
2. Select one of the following DMZ enable options:
Disable DMZ
The firewall is not bypassed.
Enable DMZ with this Host IP address
The firewall is bypassed through an IP address typed in the box next to this field.
Enable DMZ with this Host IP address
The firewall is bypassed through an IP address that is selected from the Select Host drop-down
menu next to this field. Select the desired host from the drop-down menu.
3. Select one of the following time element options:
Make Settings Permanent
DMZ settings are permanent unless changed by the administrator.
Make Settings Last for
DMZ settings last for only the time (in minutes) entered in the box next to this option.
4. Click Apply.
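The inbound precedence described in this section (session replies, then port forwarding, then the DMZ host), as an added example that is not part of the original guide or the Router's firmware. It lists which LAN services become reachable from the WAN once a DMZ host is enabled. The addresses, service names, the session key, and the assumption that the DMZ redirect leaves the destination port unchanged are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FirewallConfig:
    port_forwards: dict                 # (proto, wan_port) -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None      # None models "Disable DMZ"
    dmz_minutes: Optional[int] = None   # None models "Make Settings Permanent"

def dmz_active(cfg, minutes_since_apply=0):
    """A timed DMZ ("Make Settings Last for") stops applying once it expires."""
    if cfg.dmz_host is None:
        return False
    return cfg.dmz_minutes is None or minutes_since_apply < cfg.dmz_minutes

def route_inbound(cfg, proto, wan_port, sessions=None, minutes_since_apply=0):
    """Return the (lan_ip, lan_port) that receives a WAN packet, or None if dropped."""
    key = (proto, wan_port)
    if sessions and key in sessions:          # reply within an outbound session
        return sessions[key]
    if key in cfg.port_forwards:              # explicit port forwarding rule
        return cfg.port_forwards[key]
    if dmz_active(cfg, minutes_since_apply):  # all remaining traffic: DMZ host
        return (cfg.dmz_host, wan_port)       # assumption: port left unchanged
    return None

def exposed_services(cfg, listeners, minutes_since_apply=0):
    """Names of LAN listeners that unsolicited WAN traffic can reach."""
    exposed = []
    for (ip, proto, port), name in listeners.items():
        wan_ports = {port} | {wp for (p, wp) in cfg.port_forwards if p == proto}
        if any(route_inbound(cfg, proto, wp, None, minutes_since_apply) == (ip, port)
               for wp in wan_ports):
            exposed.append(name)
    return sorted(exposed)

# Constructed LAN inventory: (lan_ip, proto, port) -> service name.
LISTENERS = {
    ("192.168.1.10", "tcp", 8080): "web-server",
    ("192.168.1.20", "tcp", 445): "nas-smb",
    ("192.168.1.50", "udp", 3074): "console-game",
    ("192.168.1.50", "tcp", 8443): "console-admin-ui",
}
FORWARDS = {("tcp", 80): ("192.168.1.10", 8080)}
```

Every listening service on the DMZ host becomes reachable, not only the game port, which is why the timed setting is the safer choice when the exposure is only needed briefly.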
Filter Rules
If the firewall security level is set to Custom, this feature allows you to specify a unique set of firewall
rules for handling inbound and outbound traffic customized to the user’s specific requirements. In this
mode of operation the firewall provides an extensive amount of configurability. As such, only advanced
users should employ this feature.
Rules can filter on any of the following:
Source and destination router interfaces
IP protocols
Direction of traffic flow
Source and destination network/host IP address
Protocol-specific attributes such as ICMP message types
Source and destination port ranges (for protocols that support them), and support for port comparison
operators such as less than, greater than, and equal to.
Rules can specifically allow or deny packets to flow through the router. Default actions taken when no
specific rule applies can also be configured.
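A model of how such a rule set decides a packet's fate, as an added example that is not code from the guide or the Router. It covers the match criteria listed above (direction, protocol, addresses, ICMP type, port comparison operators) and a configurable default action. The evaluation order (ascending rule number, first match wins), the field names, and the sample rules are assumptions made for illustration; the guide does not state the order.

```python
import ipaddress
import operator
from dataclasses import dataclass

# Port comparison operators named in the guide: less than, greater than, equal to.
PORT_OPS = {"lt": operator.lt, "gt": operator.gt, "eq": operator.eq}

@dataclass(frozen=True)
class Rule:
    rule_no: int              # unique rule number
    access: str               # "permit" or "deny"
    direction: str            # "inbound" or "outbound"
    protocol: str = "any"     # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"    # source network/host
    dst: str = "0.0.0.0/0"    # destination network/host
    dport_op: str = ""        # "" means no port test
    dport: int = 0
    icmp_type: int = -1       # -1 means any ICMP message type

def matches(rule, pkt):
    if rule.direction != pkt["direction"]:
        return False
    if rule.protocol not in ("any", pkt["protocol"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    # A port test can never match a packet that has no ports (for example ICMP).
    if rule.dport_op and ("dport" not in pkt
                          or not PORT_OPS[rule.dport_op](pkt["dport"], rule.dport)):
        return False
    if rule.icmp_type >= 0 and pkt.get("icmp_type") != rule.icmp_type:
        return False
    return True

def evaluate(rules, pkt, default="deny"):
    """Assumed semantics: ascending rule number, first match wins, else default."""
    for rule in sorted(rules, key=lambda r: r.rule_no):
        if matches(rule, pkt):
            return rule.access, rule.rule_no
    return default, None

# Constructed rule set for illustration.
RULES = [
    Rule(100, "deny", "inbound", "any", dport_op="lt", dport=1024),
    Rule(200, "permit", "inbound", "tcp", dst="192.168.1.10/32", dport_op="eq", dport=8080),
    Rule(300, "permit", "inbound", "icmp", icmp_type=8),
    Rule(400, "permit", "outbound"),
]
```

Running a planned rule set through a model like this before entering it in the Web interface shows which packets fall through to the default action, which is where an overly permissive default does the most damage.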
To define inbound and outbound IP filter rules:
1. Select Setup>Firewall>Filter Rules from the left navigation pane of the Web interface. This displays
the “Firewall IP Filter Configuration Wizard” window.
2. Do one of the following:
To add new IP filter rules as you define them, click Add New IP Filter Rule. This displays the
“Basic Rule Definition” window.
To clone IP filter rules already defined, click Clone IP Filter Level. This displays the “Clone Rule
Definition” window. Once cloned, you can modify the existing rules.
Creating Custom IP Filter Rules
To add a new rule:
1. Type up to a five digit numeric value in the Rule No box to uniquely identify the rule.
2. Select either Permit or Deny from the Access drop-down menu. Select Permit to allow the rule and
Deny to prohibit the rule.
3. Select either Inbound or Outbound from the Direction drop-down menu. Inbound refers to data
coming into the Router, while Outbound refers to data transmitted from the Router.
4. Optionally, select the Disable stateful inspection for packets matching this rule option to prevent the
firewall from creating a stateful inspection session for packets matched on this rule.
5. Optionally, select the Create a log entry for packets matching this rule option. When selected, an entry is
placed in the log file when packets match this rule.
6. Click Next. This displays the “Source & Destination Definition” window.
7. Under the Source heading, select a network connection from the Network Interface drop-down
menu.
8. Select one of the following options:
Any IP Address
Select this option if this rule applies to any IP address from the source.
This IP Address
Select this option if a rule applies to a specific IP address from the source.