Prestige 324 Intelligent Broadband Sharing Gateway
Filter Configuration
Figure 13-9 Filter Example
13.3 Example Filter
Let’s look at an example to block outside users from accessing the Prestige via telnet. See the included
support CD for more example filters.
1. Enter 21 from the main menu to open Menu 21 - Filter Set Configuration.
2. Enter the index of the filter set you wish to configure (e.g., 7) and press [ENTER].
3. Enter a descriptive name or comment in the Edit Comments field (e.g., TELNET_WAN) and press [ENTER].
4. Press [ENTER] at the message “[Press ENTER to confirm]” to open Menu 21.7 - Filter Rules Summary.
5. Enter 1 to configure the first filter rule. Make the entries in this menu as shown in the following figure.
Figure 13-10 Example Filter — Menu 21.3.1
Press [ENTER] to confirm and display the next screen. Note that there is only one filter rule in this set.
Menu 21.7.1 - TCP/IP Filter Rule
Filter #: 7,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 21
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Press [SPACE BAR] to choose this filter rule type. The first filter rule type determines all subsequent filter types within a set.
Select Yes to make the rule active.
6 is the TCP protocol.
The port number for FTP is 21. See RFC 1060 for port numbers of well-known services.
Select Equal here as we are looking for packets going to port 21 only.
There are no more rules to check.
Select Drop so that the packet will be dropped if its destination is the telnet port.
Select Check Next Rule here so that the next rule in this set will be checked.
Figure 13-11 Example Filter Rules Summary — Menu 21.3
Enter 2 in the above menu to configure the second rule. Configure this filter rule with port number as 23
(Telnet) as shown in the next screen (after you press [ENTER] to confirm).
Menu 21.7 - Filter Rules Summary
# A Type Filter Rules                                                    M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21                             N D N
2 N
3 N
4 N
5 N
6 N
Enter Filter Rule Number (1-6) to Configure: 2
This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6)
for destination FTP ports (DP = 21).
M = N means an action can be taken immediately.
The action is to drop the packet (m = D) if the
action is matched and to forward the packet
immediately (n = N) if the action is not matched
and there are more rules to be checked (there is
one more in this example).
Figure 13-12 Example Filter Rules Summary
After you’ve created the filter set, you must apply it.
6. Enter 11 from the main menu to display menu 11.
7. Go to the Edit Filter Sets field, press the [SPACE BAR] to select Yes and press [ENTER].
8. This brings you to menu 11.5. Apply the TELNET_FTP_WAN filter set (filter set 7) as shown in Figure 13-15.
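The rule walk that the M/m/n columns describe, applied to the two rules of filter set 7 (rule 1: Pr=6, DP=21, N D N; rule 2: Pr=6, DP=23, N D F). This is an added example, not taken from the Prestige manual or firmware. The Rule class, the evaluate function and the sample packets are constructed for illustration, and forwarding a packet that no rule in the set decides is an assumption.

```python
import ipaddress
from dataclasses import dataclass

DROP, FORWARD, NEXT = "Drop", "Forward", "Check Next Rule"

@dataclass
class Rule:
    active: bool                    # Active=
    proto: int                      # IP Protocol= (6 is TCP)
    dst_port: int                   # Destination Port #=
    not_matched: str                # Action Not Matched=
    matched: str = DROP             # Action Matched=
    port_comp: str = "Equal"        # Port # Comp= (only Equal and None modelled)
    dst_ip: str = "0.0.0.0"         # Destination IP Addr=
    dst_mask: str = "0.0.0.0"       # IP Mask= (an all-zero mask matches any address)

    def matches(self, pkt):
        mask = int(ipaddress.IPv4Address(self.dst_mask))
        diff = int(ipaddress.IPv4Address(self.dst_ip)) ^ int(ipaddress.IPv4Address(pkt["dst"]))
        port_ok = self.port_comp == "None" or pkt["dport"] == self.dst_port
        return pkt["proto"] == self.proto and (diff & mask) == 0 and port_ok

def evaluate(rules, pkt):
    # Walk the set in order; return (verdict, number of the deciding rule).
    for number, rule in enumerate(rules, start=1):
        if not rule.active:
            continue
        action = rule.matched if rule.matches(pkt) else rule.not_matched
        if action != NEXT:
            return action, number
    # Assumption: a packet that runs off the end of the set is forwarded.
    return FORWARD, None

# Filter set 7 as listed in the Filter Rules Summary (rules 3-6 are inactive).
SET_7 = [
    Rule(True, 6, 21, NEXT),       # 1 Y IP  Pr=6, DP=21  N D N
    Rule(True, 6, 23, FORWARD),    # 2 Y IP  Pr=6, DP=23  N D F
]

# Constructed sample packets; 192.0.2.1 is a documentation address.
PACKETS = {
    "ftp":    {"proto": 6,  "dst": "192.0.2.1", "dport": 21},
    "telnet": {"proto": 6,  "dst": "192.0.2.1", "dport": 23},
    "http":   {"proto": 6,  "dst": "192.0.2.1", "dport": 80},
    "udp23":  {"proto": 17, "dst": "192.0.2.1", "dport": 23},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, evaluate(SET_7, pkt))
```

Under the stated assumption, rule 1 on its own leaves a Telnet packet forwarded; it is rule 2 (DP=23) that drops traffic to port 23.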
13.4 Filter Types and NAT
There are two classes of filter rules, Generic Filter (Device) rules and Protocol Filter (TCP/IP) rules.
Generic Filter rules act on the raw data from/to LAN and WAN and Protocol Filter rules act on the IP
packets. Generic and TCP/IP filter rules are discussed in more detail in the next section. When NAT
(Network Address Translation) is enabled, the inside IP address and port number are replaced on a
connection-by-connection basis, which makes it impossible to know the exact address and port on the wire.
Therefore, the Prestige applies the protocol filters to the “native” IP address and port number before NAT
for outgoing packets and after NAT for incoming packets. On the other hand, the generic, or device filters
are applied to the raw packets that appear on the wire. They are applied at the point when the Prestige is
receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or any other
hardware port. The following figure illustrates this.
Menu 21.7 - Filter Rules Summary
# A Type Filter Rules                                                    M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21                             N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                             N D F
3 N
4 N
5 N
6 N
Enter Filter Rule Number (1-6) to Configure:
Figure 13-13 Protocol and Device Filter Sets
13.5 Applying a Filter and Factory Defaults
This section shows you where to apply the filter(s) after you design it (them).
13.5.1 LAN traffic
You seldom need to filter LAN traffic; however, the filter sets may be useful to block certain packets,
reduce traffic and prevent security breaches. Go to menu 3.1 (shown below) and enter the number(s) of the
filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by
entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the
Prestige and Output filter sets filter outgoing traffic from the Prestige.
Figure 13-14 Filtering LAN Traffic
Menu 3.1 – LAN Port Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
Protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:
Apply factory default filter here.