Firewall
116
In each case there are two distinct parts to a tunnel, the source half and the destination half. The source half listens for network connections from behind the firewall and, when such a connection occurs, forwards all traffic to the destination half. The destination half accepts incoming network traffic and forwards it to a specified destination host and port.

To create a port tunnel, select the type of tunnel and click Add Destination or Add Source. In each case a form will be displayed which must be filled in to complete that half of the tunnel. The other half must be created also.
Note
It is possible to, e.g., create an stunnel port tunnel with a localhost destination (127.0.0.1) and then have an httptunnel listening on that port which forwards to a remote httptunnel, which in turn loops back to a remote stunnel, which in turn forwards the network traffic to the desired destination. In this manner, it is possible to create a secure tunnel over HTTP.
stunnel configuration is essentially the same for both source and destination, and the only form field that should be noted here is the Protocol. This allows stunnel to create a link to a non-stunnel server using SSL, e.g. if your POP3 server only accepts SSL connections and your mail client doesn't support these, install an stunnel in the middle using the POP3 protocol.

httptunnel has quite different configurations for the two ends, and in particular the source side can specify a number of proxy settings to allow it to traverse a proxying firewall.
Access Control and Content Filtering
Inappropriate Internet use during work hours can have a serious effect on productivity. With the CyberGuard SG Access Control web proxy, you can control access to the Internet based on the type of web content being accessed (Content), and which user or workstation is accessing the Internet content (Require user authentication, IP Lists). Additionally, you can set up global block/allow lists for web sites that you always want to be accessible/inaccessible (Web Lists), or force users to have a personal firewall installed before accessing the Internet (ZoneAlarm).
To enable any of these access controls or content filtering, select Access Control, then under the Main tab check Enabled and click Apply.
User authentication
Check Require user authentication if you want to require users to authenticate themselves before browsing the web. When attempting to access a web site on the Internet, their browser will display a dialog similar to the following:
Figure 6-7
Web proxy user accounts are added and removed through Users under the System menu. Web proxy users should generally have only Internet Access (via Access Controls) checked, with all other access permissions unchecked. See the Users section in the chapter entitled Advanced for further details on adding user accounts.
Users without web proxy access will see a screen similar to the figure below when attempting to access external web content.
Figure 6-8
Note
Each browser on the LAN will now have to be set up to use the CyberGuard SG appliance's web proxy.
Browser setup
The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar; refer to their user documentation for details on using a web proxy.

From the Internet Options menu, select Tools. From the LAN Settings tab, select LAN Settings.
Figure 6-9
Check Use a proxy server for your LAN… and Bypass proxy server for local address. All other options should remain unchecked. Click Advanced.
Figure 6-10
In the row labeled HTTP, enter your CyberGuard SG appliance's LAN IP address in the Proxy address to use column, and 81 in the Port column. Leave the other rows blank. In the Exceptions text box, enter your CyberGuard SG appliance's LAN IP address. Click OK, OK and OK again.
IP lists
Internet access may be Blocked or Allowed by the Source (LAN) IP address or address range, the Destination (Internet) host's IP address or address range, or the Destination Host's name. See Appendix A for more information on IP address ranges.
Note
All Internet traffic, not just web traffic, is affected by the IP Lists. Allow entries have preference over Block entries, e.g. if www.kernel.org is in the Destination Host Allow list and 192.168.0.100 is in the Source Block list, access to www.kernel.org (and www.kernel.org only) from 192.168.0.100 will be granted.
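To make the precedence rule concrete, the following is an added example (not code from the appliance or the manual) that evaluates a set of IP Lists the way the note describes: any matching Allow entry wins over any Block entry, and a destination host name is matched exactly. It assumes that traffic matching no entry is passed, that ranges are written as CIDR or as "first-last", and that non-web traffic carries no host name.

```python
import ipaddress

def ip_matches(addr, entry):
    """True if addr falls inside entry: a single IP, a CIDR block, or a
    'first-last' range (range notations assumed, see Appendix A for the real ones)."""
    ip = ipaddress.ip_address(addr)
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return first <= ip <= last
    return ip in ipaddress.ip_network(entry, strict=False)

def host_matches(name, entry):
    """Destination Host entries match the exact name only (www.kernel.org, not kernel.org)."""
    return name.lower().rstrip(".") == entry.lower().rstrip(".")

def check_access(policy, src_ip, dst_ip, dst_host=None):
    """Return 'allow' or 'block' for one connection.

    policy maps (list, action) -> entries, e.g. ("source", "block") -> ["192.168.0.100"].
    Allow entries have preference over Block entries; if nothing matches, the
    traffic passes (default assumed). dst_host is None for non-web traffic, which
    is still subject to the Source and Destination IP lists.
    """
    def any_match(action):
        if any(ip_matches(src_ip, e) for e in policy.get(("source", action), [])):
            return True
        if any(ip_matches(dst_ip, e) for e in policy.get(("destination", action), [])):
            return True
        if dst_host is not None:
            return any(host_matches(dst_host, e)
                       for e in policy.get(("destination_host", action), []))
        return False

    if any_match("allow"):
        return "allow"
    if any_match("block"):
        return "block"
    return "allow"

# Constructed policy mirroring the example in the text: www.kernel.org is in the
# Destination Host Allow list, 192.168.0.100 is in the Source Block list.
EXAMPLE_POLICY = {
    ("destination_host", "allow"): ["www.kernel.org"],
    ("source", "block"): ["192.168.0.100"],
}
```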