Firewall
106
Once valid SSL certificates have been uploaded, the CyberGuard SG administrative web
server can operate in one of 3 different modes:
Both normal and SSL web access (both HTTP/HTTPS)
Disable normal access (HTTPS only)
Disable SSL access (HTTP only)
To access the Web Management Console administrative web pages securely using SSL
encryption, the URL becomes https:// instead of http:// (e.g. ).
Add Local and Private Certificates
Valid SSL certificates have been uploaded indicates whether valid certificates are
present on the CyberGuard SG appliance (Yes/No).
If you have purchased or created SSL certificates for a web server, you can upload them
to the CyberGuard SG appliance by clicking Upload.
Alternately, you can create self-signed certificates internally on the CyberGuard SG
appliance by following the link to the SSL Certificate page.
SSL Certificate Setup
You can create self-signed certificates on this page, which will enable the CyberGuard
SG administrative web server to run in SSL mode.
Warning
Your web browser may give warnings/errors about the authenticity/validity of the
certificate, since it is signed by an unknown Certificate Authority.
Generating certificates is not immediate, and usually takes a few minutes. The exact
time will depend on the model of CyberGuard SG appliance you have and the key size
being generated.
You can tell when the certificates have been created: the line Valid SSL certificates
have been uploaded will read Yes when the previous page is refreshed.
The CyberGuard SG appliance will need to be rebooted after valid certificates have been
uploaded for the administrative web server to use them.
Packet Filtering
By default, your CyberGuard SG appliance allows network traffic as shown in the
following table:

Incoming Interface   Outgoing Interface   Action
LAN/VPN/Dial-In      Any                  Accept
DMZ                  WAN                  Accept
DMZ                  Any except WAN       Drop
Guest                Any                  Drop
WAN                  Any                  Drop

You can configure your CyberGuard SG appliance with additional filter rules to allow or
restrict network traffic. These rules can match traffic based on the source and destination
address, the incoming and outgoing network port, and/or the services.
You can also configure your CyberGuard SG appliance to perform network address
translation (NAT). This may be in the form of source address NAT, destination address
NAT, or 1-to-1 NAT. Network address translation modifies the IP address and/or port of
traffic traversing the CyberGuard SG appliance.
The most common use of this is for port forwarding (also known as PAT, Port Address
Translation) from ports on the CyberGuard SG appliance’s WAN interface to ports on
machines on the LAN. This is the most common way for internal, masqueraded servers to
offer services to the outside world. Destination NAT rules are used for port forwarding.
Source NAT rules are useful for masquerading one or more IP addresses behind a single
other IP address. This is the type of NAT used by the CyberGuard SG appliance to
masquerade your private network behind its public IP address.
1-to-1 NAT creates both Destination NAT and Source NAT rules for full IP address
translation in both directions. This can be useful if you have a range of IP addresses that
have been added as interface aliases on the CyberGuard SG appliance’s WAN interface,
and want to associate one of these external alias IP addresses with a single internal,
masqueraded computer. This effectively allocates the internal computer its own real
world IP address, also known as a virtual DMZ.

Function                NAT Method
Port forwarding (PAT)   Destination NAT
Masquerading            Source NAT
Virtual DMZ             1-to-1 NAT
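The following is an added example, not code from the manual or the appliance, that models the three NAT methods just described as a small rule engine: a port-forwarding rule is one Destination NAT rule, masquerading is one Source NAT rule, and 1-to-1 NAT is exactly a DNAT rule plus an SNAT rule for the same pair of addresses. All addresses (the WAN IP, the WAN alias, the LAN range, the remote client) are constructed values from documentation ranges, and the first-match behaviour of apply_nat is an assumption made for the model.

```python
"""Constructed model of destination NAT (port forwarding), source NAT (masquerading)
and 1-to-1 NAT (virtual DMZ). Added example; all addresses are made up."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on ("WAN" or "LAN")
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    kind: str                  # "DNAT" rewrites the destination, "SNAT" the source
    in_if: str                 # interface the rule applies to
    match: str                 # address or CIDR the packet's dst (DNAT) / src (SNAT) must be in
    match_port: Optional[int]  # None = any port
    new_addr: str
    new_port: Optional[int]    # None = keep the original port


# Constructed addressing: the appliance's WAN IP, one alias on the WAN interface, the LAN.
WAN_IP = "203.0.113.10"
WAN_ALIAS = "203.0.113.11"
LAN_NET = "192.168.1.0/24"


def port_forward(wan_port: int, lan_host: str, lan_port: int) -> list[NatRule]:
    """Destination NAT: connections to WAN_IP:wan_port are sent to lan_host:lan_port."""
    return [NatRule("DNAT", "WAN", WAN_IP, wan_port, lan_host, lan_port)]


def masquerade(lan_net: str = LAN_NET) -> list[NatRule]:
    """Source NAT: LAN traffic leaving the appliance appears to come from WAN_IP."""
    return [NatRule("SNAT", "LAN", lan_net, None, WAN_IP, None)]


def one_to_one(alias_ip: str, internal_host: str) -> list[NatRule]:
    """1-to-1 NAT is a DNAT rule (alias -> host) plus an SNAT rule (host -> alias)."""
    return [NatRule("DNAT", "WAN", alias_ip, None, internal_host, None),
            NatRule("SNAT", "LAN", internal_host, None, alias_ip, None)]


def _matches(rule: NatRule, pkt: Packet) -> bool:
    addr, port = (pkt.dst, pkt.dport) if rule.kind == "DNAT" else (pkt.src, pkt.sport)
    return (pkt.in_if == rule.in_if
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.match, strict=False)
            and (rule.match_port is None or port == rule.match_port))


def apply_nat(pkt: Packet, rules: list[NatRule]) -> Packet:
    """Apply the first matching NAT rule (assumption: rule order decides, as for filters)."""
    for rule in rules:
        if _matches(rule, pkt):
            if rule.kind == "DNAT":
                return replace(pkt, dst=rule.new_addr, dport=rule.new_port or pkt.dport)
            return replace(pkt, src=rule.new_addr, sport=rule.new_port or pkt.sport)
    return pkt   # no translation applies


if __name__ == "__main__":
    # The 1-to-1 rules must precede the masquerade rule, or the DMZ host's outbound
    # traffic is masqueraded behind WAN_IP instead of its own alias.
    rules = (port_forward(443, "192.168.1.20", 8443)
             + one_to_one(WAN_ALIAS, "192.168.1.30")
             + masquerade())
    print(apply_nat(Packet("WAN", "198.51.100.7", 51000, WAN_IP, 443), rules))
    print(apply_nat(Packet("LAN", "192.168.1.30", 40000, "198.51.100.7", 80), rules))
```

The ordering point is the one to remember: the Source NAT half of a 1-to-1 rule is more specific than the masquerade rule for the whole LAN, so it only takes effect if it is evaluated first.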
Before configuring a filter or NAT rule, you need to define the addresses and service
groups.
Addresses
Click the Addresses tab. Any addresses that have already been defined will be
displayed. Click New to add a new address, or select an existing address and click
Modify. There is no need to add addresses for the CyberGuard SG appliance’s
interfaces; these are predefined.
Adding or modifying an address is shown in the following figure:
Figure 6-4
You can define an address using either the DNS hostname, or the IP address.
To define an address using the DNS hostname, enter the DNS hostname in the Name
field, and leave the IP Address field empty. The CyberGuard SG appliance will perform
a DNS lookup, and fill in the IP Address field. If the DNS hostname is invalid, you may
need to wait while the DNS lookup times out.
Warning
The DNS lookup is only performed once, when you enter it. If the IP address
corresponding to the DNS hostname ever changes, you will need to delete the IP
address, to force the CyberGuard SG appliance to perform another DNS lookup. This
means that this option is not suitable for use with dynamic DNS.
Additionally, some DNS hostnames resolve to several IP addresses (e.g. www.cnn.com).
In this case, you must create an address entry and rule for each of these IP addresses.
To define an address using the IP address, fill in the IP Address field. The Name
field is optional, and will only be used as a description of the address. Entering a
description will make the rules easier to read.
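As an added example (not appliance code), the model below captures the two caveats in the warning above: an address entry defined by hostname is a one-time snapshot of the lookup, and a hostname with several addresses needs one entry per address. The zone data, hostnames and the stale_entries audit helper are constructed for the example; the resolver is a fake that stands in for the appliance's DNS lookup.

```python
"""Constructed model of an address entry defined by DNS hostname: the lookup runs once
when the entry is created, its result is frozen, and a name with several addresses
yields one entry per address. Added example; the zone data and resolver are fakes."""
from dataclasses import dataclass
from typing import Callable, Optional

Resolver = Callable[[str], list[str]]


@dataclass(frozen=True)
class AddressEntry:
    name: str        # hostname, or only a description when the IP was typed in
    ip: str
    resolved: bool   # True if ip came from a DNS lookup at creation time


# Constructed DNS data standing in for real lookups (documentation-range addresses).
FAKE_ZONE = {
    "mail.example.test": ["192.0.2.25"],
    "www.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
}


def fake_resolve(hostname: str) -> list[str]:
    return list(FAKE_ZONE.get(hostname, []))


def define_address(name: str, ip: Optional[str],
                   resolve: Resolver = fake_resolve) -> list[AddressEntry]:
    """With an IP, the name is only a description. Without one, the name is resolved
    once and every address it returns becomes its own entry, since a rule matches one IP."""
    if ip:
        return [AddressEntry(name, ip, resolved=False)]
    addresses = resolve(name)
    if not addresses:
        raise LookupError(f"DNS lookup for {name!r} failed")  # the UI waits for the timeout here
    return [AddressEntry(name, addr, resolved=True) for addr in addresses]


def stale_entries(entries: list[AddressEntry],
                  resolve: Resolver = fake_resolve) -> list[AddressEntry]:
    """Audit helper (not an appliance feature): resolved entries whose frozen IP is no
    longer among the name's current addresses, i.e. the ones to delete and re-create."""
    return [e for e in entries if e.resolved and e.ip not in resolve(e.name)]


if __name__ == "__main__":
    web = define_address("www.example.test", None)
    for entry in web:
        print(entry)                                   # three entries, one per address
    FAKE_ZONE["www.example.test"][-1] = "192.0.2.99"   # the site moves one address later
    print(stale_entries(web))                          # the entry still pointing at .12
```

Running stale_entries periodically is the kind of check a defender would want around hostname-defined entries: a rule that silently matches an address the name no longer points to is either a hole or an outage, depending on whether it was an allow or a block.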
Service groups
Click the Service Groups tab. Any service groups that have already been defined will be
displayed. Click New to add a new service group, or select an existing service group
and click Modify.
Adding or modifying a service group is shown in the following figure:
Figure 6-5
A service group can be used to group together similar services. For example, you can
create a group of services that you wish to allow, and then use a single rule to allow them
all at once. Select the services from the list of predefined services, or enter the port
number to define a custom TCP or UDP service. It is permissible for a service to belong
to multiple service groups.
Rules
Once addresses and services have been defined, you can create filter rules. Click
Rules. Any rules that have already been defined will be displayed. Click New to add a
new filter rule, or select an existing filter and click Modify.
Note
The first matching rule will determine the action for the network traffic, so the order of the
rules is important. You can use the buttons on the Packet Filtering page to change the
order. The rules are evaluated top to bottom as displayed on the Packet Filtering page.
Adding or modifying a rule is shown in the following figure:
Figure 6-6
The Action specifies what to do if the rule matches.
Accept means to allow the traffic.
Drop means to disallow the traffic.
Reject means to disallow the traffic, but also send an ICMP port unreachable
message to the source IP address.
None means to perform no action for this rule. This is useful for a rule that logs
packets, but performs no other action. It can also be used to temporarily disable a
rule.
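The following added example (not code from the manual or the appliance) models the rule engine described in this section: rules are walked top to bottom, the first matching Accept, Drop or Reject decides, and service groups from the Service Groups tab are plain sets of services. Two points are assumptions of the model rather than statements in the manual: a rule with action None logs if asked and then lets evaluation continue (which is how "temporarily disable a rule" reads), and the default policy table is placed after the user's rules, with a packet that matches nothing being dropped. The service groups, interfaces and addresses are constructed.

```python
"""Constructed model of first-match packet filtering with Accept/Drop/Reject/None
actions and service groups. Added example; the None semantics and the placement of
the default policy are assumptions, and all addresses are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dport: int

    def service(self) -> str:
        return f"{self.proto}/{self.dport}"


@dataclass(frozen=True)
class Rule:
    action: str                           # "Accept", "Drop", "Reject" or "None"
    in_if: str = "Any"                    # "Any", a name, or "!NAME" (any except NAME)
    out_if: str = "Any"
    src: Optional[str] = None             # address entry; None = any
    dst: Optional[str] = None
    services: frozenset = frozenset()     # service group; empty = any service
    log: bool = False


# Constructed service groups, as defined on the Service Groups tab.
WEB = frozenset({"tcp/80", "tcp/443"})
MAIL = frozenset({"tcp/25"})

# The manual's default policy table, appended after user rules (assumption).
DEFAULT_RULES = [
    Rule("Accept", in_if="LAN"), Rule("Accept", in_if="VPN"), Rule("Accept", in_if="Dial-In"),
    Rule("Accept", in_if="DMZ", out_if="WAN"),
    Rule("Drop", in_if="DMZ", out_if="!WAN"),
    Rule("Drop", in_if="Guest"),
    Rule("Drop", in_if="WAN"),
]


def _if_match(pattern: str, name: str) -> bool:
    if pattern == "Any":
        return True
    if pattern.startswith("!"):
        return name != pattern[1:]
    return name == pattern


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_if_match(rule.in_if, pkt.in_if) and _if_match(rule.out_if, pkt.out_if)
            and (rule.src is None or rule.src == pkt.src)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (not rule.services or pkt.service() in rule.services))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, list[str]]:
    """Walk the rules top to bottom; the first matching rule with a real action wins.
    Returns the verdict and the log lines produced on the way."""
    log: list[str] = []
    for n, rule in enumerate(rules, start=1):
        if not rule_matches(rule, pkt):
            continue
        if rule.log:
            log.append(f"rule {n} matched {pkt.service()} {pkt.src} -> {pkt.dst}")
        if rule.action == "None":
            continue                      # log-only or disabled rule: keep evaluating
        if rule.action == "Reject":
            log.append(f"ICMP port unreachable sent to {pkt.src}")
        return rule.action, log
    return "Drop", log                    # nothing matched (assumption: drop)


if __name__ == "__main__":
    allow_web = Rule("Accept", in_if="WAN", out_if="DMZ", dst="192.168.2.10", services=WEB)
    hit = Packet("WAN", "DMZ", "198.51.100.7", "192.168.2.10", "tcp", 443)
    print(evaluate([allow_web] + DEFAULT_RULES, hit))   # ('Accept', [])
    print(evaluate(DEFAULT_RULES + [allow_web], hit))   # ('Drop', []): WAN Drop matched first
```

The second print shows the ordering hazard the Note warns about: the same allow rule does nothing once a broader Drop sits above it, and no error is reported, so after reordering rules it is worth re-checking a few representative packets the way the test below does.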