Chapter 11 Packet Filter
P-660HN-FxZ Series User’s Guide
Figure 102 Security > Packet Filter > Edit (Protocol Filter)

The following table describes the labels in this screen.

Table 62 Security > Packet Filter > Edit (Protocol Filter)

| LABEL | DESCRIPTION |
| --- | --- |
| # | This is the index number of the rules in a filter set. |
| Active | Use the check box to turn a filter rule on or off. |
| Filter Type | This field displays whether the filter type is a protocol filter or generic filter. |
| Protocol | This field displays the upper layer protocol. |
| SA | This field displays the source IP address. |
| DA | This field displays the destination IP address. |
| Modify | Click the Edit icon to configure a filter rule. Click the Remove icon to delete a filter rule. |
| Back | Click this to return to the previous screen without saving. |
| Apply | Click this to save your changes. |
| Cancel | Click this to restore your previously saved settings. |

11.2.2 Configuring Protocol Filter Rules

Use this screen to configure protocol filter rules. In the Edit (Protocol Filter) screen, click an Edit icon to display the following screen.
Figure 103 Security > Packet Filter > Edit (Protocol Filter) > Edit Rule

The following table describes the labels in this screen.

Table 63 Security > Packet Filter > Edit (Protocol Filter) > Edit Rule

| LABEL | DESCRIPTION |
| --- | --- |
| Active | Select the check box to enable the filter rule. |
| Protocol | Select ICMP, TCP or UDP for the upper layer protocol. |
| IP Source Route | Select the check box to apply the filter rule to packets with an IP source route option. The majority of IP packets do not have source route. |
| Destination Address | Enter the destination IP address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. |
| Destination Subnet Netmask | Enter the IP subnet mask for the destination IP address. |
| Destination Port | Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. |
| Port Compare | Select the comparison to apply to the destination port in the packet against the value given in the Destination Port field. Options are None, Equal, Not Equal, Less and Greater. |
| Source Address | Enter the source IP address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. |
| Source Subnet Netmask | Enter the IP subnet mask for the source IP address. |
| Source Port | Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. |
| Port Compare | Select the comparison to apply to the source port in the packet against the value given in the Source Port field. Options are None, Equal, Not Equal, Less and Greater. |
| TCP Estab | This field is only available when you select TCP in the Protocol field. Select Yes to have the rule match packets that want to establish a TCP connection. This field is ignored if you select No. |
11.2.3 Editing Generic Filters

Use this screen to display a generic filter set on your ZyXEL Device. The purpose of generic rules is to allow you to filter non-IP packets. For IP packets, it is generally easier to use the IP rules directly.

For generic rules, the ZyXEL Device treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyXEL Device applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4 bytes, the value in either field will take 8 digits, for example, FFFFFFFF.
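
The mask-and-compare test described above, written out as an added Python example; it is not ZyXEL's code and does not model the More or Log fields. The field ranges and action names follow the rule tables in this chapter. The names `GenericRule` and `evaluate`, the sample frames, the reading of offset 0 as the first byte of an Ethernet header, the handling of too-short frames and the default at the end of the set are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class GenericRule:
    offset: int                  # starting byte, 0 to 255
    length: int                  # bytes to compare, 0 to 8
    mask: str                    # hexadecimal, two digits per byte
    value: str                   # hexadecimal, two digits per byte
    on_match: str = "Drop"       # Check Next Rule, Forward or Drop
    on_not_match: str = "Check Next Rule"

    def __post_init__(self):
        if not (0 <= self.offset <= 255 and 0 <= self.length <= 8):
            raise ValueError("offset must be 0-255 and length 0-8")
        for digits in (self.mask, self.value):
            if len(digits) != 2 * self.length:
                raise ValueError(f"expected {2 * self.length} hex digits, got {digits!r}")
            bytes.fromhex(digits)    # rejects anything that is not hexadecimal

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False         # assumption: a frame too short for the window never matches
        masked = bytes(b & m for b, m in zip(window, bytes.fromhex(self.mask)))
        return masked == bytes.fromhex(self.value)

def evaluate(rules, frame, default="Forward"):
    """Apply rules in order; `default` (an assumption) is used when no rule decides."""
    for rule in rules:
        action = rule.on_match if rule.matches(frame) else rule.on_not_match
        if action != "Check Next Rule":
            return action
    return default

# Constructed frames, assuming offset 0 is the first byte of an Ethernet header:
# destination MAC, source MAC, EtherType, then zero padding.
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)
IPV4_FRAME = bytes.fromhex("0a0b0c0d0e0f" "001122334455" "0800") + bytes(28)
RUNT_FRAME = bytes.fromhex("ffffffffffff00112233")    # ends before byte 12

DROP_ARP = GenericRule(offset=12, length=2, mask="FFFF", value="0806")
# Mask 01 keeps only the group bit of the first destination byte.
DROP_GROUP = GenericRule(offset=0, length=1, mask="01", value="01")
```

Because the Mask is applied before the comparison, a Value with bits set outside the Mask can never match, which makes the rule dead without any error being reported.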

In the Packet Filter screen, select Generic Filter from the Filter Type field. Then click the Edit button from the Modify field to display the following screen.

Figure 104 Security > Packet Filter > Edit (Generic Filter)

Table 63 Security > Packet Filter > Edit (Protocol Filter) > Edit Rule (continued)

| LABEL | DESCRIPTION |
| --- | --- |
| More | Select Yes to pass a matching packet to the next filter rule before an action is taken. Select No to act upon the packet according to the action fields. |
| Log | Select a logging option from the following: None - No packets will be logged. Match - Only packets that match the rule parameters will be logged. Not Match - Only packets that do not match the rule parameters will be logged. Both - All packets will be logged. |
| Action Match | Select the action for a matching packet. Options are Check Next Rule, Forward and Drop. |
| Action Not Match | Select the action for a packet not matching the rule. Options are Check Next Rule, Forward and Drop. |
| Back | Click this to return to the previous screen without saving. |
| Apply | Click this to save your changes. |
| Cancel | Click this to restore your previously saved settings. |
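
How the match fields of Table 63 combine, as an added Python example that is not ZyXEL's code; it shows in particular that 0.0.0.0 and port 0 act as wildcards. The names `ProtocolRule`, `addr_ok` and `port_ok` and the sample packets are constructed for illustration, and the IP Source Route, More and Log fields are not modelled. Treating a Port Compare of None as "skip the test" and TCP Estab as "SYN set, ACK clear" are assumptions.

```python
import ipaddress
import operator
from dataclasses import dataclass

COMPARE = {"Equal": operator.eq, "Not Equal": operator.ne,
           "Less": operator.lt, "Greater": operator.gt}

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def addr_ok(rule_addr, rule_mask, pkt_addr):
    """A rule address of 0.0.0.0 is ignored; otherwise compare under the netmask."""
    if rule_addr == "0.0.0.0":
        return True
    mask = ip_int(rule_mask)
    return (ip_int(pkt_addr) & mask) == (ip_int(rule_addr) & mask)

def port_ok(rule_port, compare, pkt_port):
    """A rule port of 0 is ignored. Assumption: compare "None" also skips the test."""
    if rule_port == 0 or compare == "None":
        return True
    return COMPARE[compare](pkt_port, rule_port)   # packet port against the rule value

@dataclass
class ProtocolRule:
    protocol: str                                    # "ICMP", "TCP" or "UDP"
    dst: tuple = ("0.0.0.0", "0.0.0.0", 0, "None")   # address, netmask, port, compare
    src: tuple = ("0.0.0.0", "0.0.0.0", 0, "None")
    tcp_estab: bool = False

    def matches(self, pkt):
        if pkt["proto"] != self.protocol:
            return False
        # Assumption: "wants to establish a TCP connection" means SYN set, ACK clear.
        if self.protocol == "TCP" and self.tcp_estab and (not pkt["syn"] or pkt["ack"]):
            return False
        for (addr, mask, port, compare), a_key, p_key in (
                (self.dst, "dst", "dport"), (self.src, "src", "sport")):
            if not (addr_ok(addr, mask, pkt[a_key])
                    and port_ok(port, compare, pkt.get(p_key, 0))):
                return False
        return True

# Constructed packets using documentation addresses, not captured traffic.
SYN = {"proto": "TCP", "src": "198.51.100.7", "sport": 40000,
       "dst": "192.0.2.10", "dport": 23, "syn": True, "ack": False}
REPLY = dict(SYN, syn=False, ack=True)
TELNET_IN = ProtocolRule("TCP", dst=("192.0.2.0", "255.255.255.0", 23, "Equal"), tcp_estab=True)
# Port 0 means "ignored", so this rule matches every TCP destination port.
PORT_ZERO = ProtocolRule("TCP", dst=("0.0.0.0", "0.0.0.0", 0, "Equal"))
```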

The following table describes the labels in this screen.

Table 64 Security > Packet Filter > Edit (Generic Filter)

| LABEL | DESCRIPTION |
| --- | --- |
| # | This is the index number of the rules in a filter set. |
| Active | Use the check box to turn on or off a filter rule. |
| Filter Type | This field displays whether the filter type is a protocol filter or generic filter. |
| Offset | This field displays the offset value. |
| Length | This field displays the length value. |
| Mask | This field displays the mask value. |
| Value | This field displays the value. |
| Modify | Click the Edit icon to configure a filter rule. Click the Remove icon to delete a filter rule. |
| Back | Click this to return to the previous screen without saving. |
| Apply | Click this to save your changes. |
| Cancel | Click this to restore your previously saved settings. |

11.2.4 Configuring Generic Packet Rules

Use this screen to configure generic filter rules. In the Edit (Generic Filter) screen, click the Edit button from the Modify field to display the following screen.

Figure 105 Security > Packet Filter > Edit (Generic Filter) > Edit Rule

The following table describes the labels in this screen.

Table 65 Security > Packet Filter > Edit (Generic Filter) > Edit Rule

| LABEL | DESCRIPTION |
| --- | --- |
| Active | Select the check box to enable the filter rule. |
| Offset | Enter the starting byte of the data portion in the packet that you wish to compare. The range for this field is from 0 to 255. |
| Length | Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8. |
| Mask | Enter the mask (in hexadecimal notation) to apply to the data portion before comparison. |

Table 65 Security > Packet Filter > Edit (Generic Filter) > Edit Rule (continued)

| LABEL | DESCRIPTION |
| --- | --- |
| Value | Enter the value (in hexadecimal notation) to compare with the data portion. |
| More | Select Yes to pass a matching packet to the next filter rule before an action is taken. Select No to act upon the packet according to the action fields. |
| Log | Select a logging option from the following: None - No packets will be logged. Match - Only packets that match the rule parameters will be logged. Not Match - Only packets that do not match the rule parameters will be logged. Both - All packets will be logged. |
| Action Match | Select the action for a matching packet. Options are Check Next Rule, Forward and Drop. |
| Action Not Match | Select the action for a packet not matching the rule. Options are Check Next Rule, Forward and Drop. |
| Back | Click this to return to the previous screen without saving. |
| Apply | Click this to save your changes. |
| Cancel | Click this to restore your previously saved settings. |

11.3 Packet Filter Technical Reference

This section provides some technical background information about the topics covered in this chapter.

11.3.1 Filter Types and NAT

There are two classes of filter rules, generic filter rules and protocol filter rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets.

When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the ZyXEL Device applies the protocol filters to the “native” IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic filters are applied to the raw packets that appear on the wire. They are applied at the point when the ZyXEL Device is receiving and sending the packets; that is the interface. The interface can be an Ethernet port or any other hardware port. The following diagram illustrates this.

Figure 106 Protocol and Generic Filter Sets

[Diagram labels: Protocol Filters, Generic Filters, NAT, Interface, Route, Incoming, Outgoing]
