Chapter 8 Packet Filters
P-660R-F1 Series User’s Guide
8.2.4 Configuring Generic Packet Rules
Use this screen to configure generic filter rules. In the Edit (Generic Filter) screen, click the Edit button in the Modify field to display the following screen.
Figure 68 Security > Packet Filter > Edit (Generic Filter) > Edit Rule
The following table describes the labels in this screen.
Table 40 Security > Packet Filter > Edit (Generic Filter) > Edit Rule
LABEL    DESCRIPTION
Active: Select the check box to enable the filter rule.
Offset: Enter the starting byte of the data portion in the packet that you wish to compare. The range for this field is from 0 to 255.
Length: Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8.
Mask: Enter the mask (in hexadecimal notation) to apply to the data portion before comparison.
Value: Enter the value (in hexadecimal notation) to compare with the data portion.
More: Select Yes to pass a matching packet to the next filter rule before an action is taken. Select No to act upon the packet according to the action fields.
8.3 Packet Filter Technical Reference
This section provides some technical background information about the topics covered in this chapter.
8.3.1 Filter Types and NAT
There are two classes of filter rules, generic filter rules and protocol filter rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the ZyXEL Device applies the protocol filters to the "native" IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic filters are applied to the raw packets that appear on the wire. They are applied at the point where the ZyXEL Device receives and sends the packets, that is, at the interface. The interface can be an Ethernet port or any other hardware port. The following diagram illustrates this.
Figure 69 Protocol and Generic Filter Sets
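The ordering described above (protocol filters before NAT on the way out, after NAT on the way in) is easiest to see in a small simulation. The following is an added example, not ZyXEL code: the addresses, the NAT port pool, the rule format and the choice to drop inbound packets that match no NAT entry are all constructed assumptions of this model. The rule deliberately matches the inside host on either end of the packet, because, as the chapter notes, a filter cannot tell from the IP address which side started the exchange.

```python
# Added example (not ZyXEL code): where protocol filters sit relative to NAT,
# as described in Section 8.3.1. Addresses, the NAT port pool and the rule
# format are constructed; dropping unsolicited inbound packets that own no
# NAT entry is an assumption of this model.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    proto: str  # "tcp" or "udp"


@dataclass
class ProtocolRule:
    """Drop traffic between one inside host and a remote port, in either direction."""
    inside_ip: str
    remote_port: Optional[int] = None  # None matches any remote port

    def matches(self, p: Packet) -> bool:
        # A filter cannot tell who started the exchange: check both orientations.
        for local, remote in ((p.src, p.dst), (p.dst, p.src)):
            if local[0] == self.inside_ip and (self.remote_port is None or remote[1] == self.remote_port):
                return True
        return False


def apply_protocol_filters(p: Packet, rules: List[ProtocolRule]) -> str:
    return "drop" if any(r.matches(p) for r in rules) else "forward"


class Nat:
    """Replaces the inside address/port with the WAN address and a fresh port per connection."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out: Dict[Tuple[Addr, str], int] = {}   # (inside addr, proto) -> WAN port
        self.back: Dict[Tuple[int, str], Addr] = {}  # (WAN port, proto) -> inside addr

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.proto)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, p.proto)] = p.src
            self.next_port += 1
        return Packet((self.wan_ip, self.out[key]), p.dst, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.back.get((p.dst[1], p.proto))
        return None if inside is None else Packet(p.src, inside, p.proto)


def send_outgoing(p: Packet, nat: Nat, rules: List[ProtocolRule]) -> Tuple[str, Optional[Packet]]:
    """LAN -> WAN: filter on the native (pre-NAT) addresses, then translate."""
    if apply_protocol_filters(p, rules) == "drop":
        return "drop", None
    return "forward", nat.outbound(p)


def receive_incoming(p: Packet, nat: Nat, rules: List[ProtocolRule]) -> Tuple[str, Optional[Packet]]:
    """WAN -> LAN: translate back first, then filter on the native (post-NAT) addresses."""
    inner = nat.inbound(p)
    if inner is None:
        return "drop", None  # no connection owns this WAN port (assumption)
    verdict = apply_protocol_filters(inner, rules)
    return verdict, (inner if verdict == "forward" else None)


RULES = [ProtocolRule("192.168.1.33", 23)]  # constructed: no telnet for this one host
REMOTE = ("203.0.113.5", 23)                 # constructed remote telnet server

if __name__ == "__main__":
    nat = Nat("198.51.100.1")
    print(send_outgoing(Packet(("192.168.1.33", 51000), REMOTE, "tcp"), nat, RULES))
    print(send_outgoing(Packet(("192.168.1.34", 51001), REMOTE, "tcp"), nat, RULES))
    print(receive_incoming(Packet(REMOTE, ("198.51.100.1", 40000), "tcp"), nat, RULES))
```

The contrast worth noticing is `apply_protocol_filters` run on the already-translated packet: the source is now the WAN address, so a rule written for 192.168.1.33 no longer matches. Filtering on the native address before NAT (outgoing) and after reverse translation (incoming) is what lets one rule cover both directions of a connection.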
8.3.2 Firewall Versus Filters
Below are some comparisons between the ZyXEL Device's filtering and firewall functions.
Table 40 Security > Packet Filter > Edit (Generic Filter) > Edit Rule (continued)
LABEL    DESCRIPTION
Log: Select a logging option from the following:
  None: No packets will be logged.
  Match: Only packets that match the rule parameters will be logged.
  Not Match: Only packets that do not match the rule parameters will be logged.
  Both: All packets will be logged.
Action Match: Select the action for a matching packet. Options are Check Next Rule, Forward and Drop.
Action Not Match: Select the action for a packet not matching the rule. Options are Check Next Rule, Forward and Drop.
Back: Click this to return to the previous screen without saving.
Apply: Click this to save your changes.
Cancel: Click this to restore your previously saved settings.
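Table 40 describes each field in isolation; how Offset, Length, Mask and Value combine into one comparison, and how More, Log, Action Match and Action Not Match chain several rules, is clearer as code. The following is an added example, not ZyXEL firmware: the frame bytes, the rule values and the defaults are constructed, counting Offset from the first byte of the Ethernet frame is an assumption, and so is forwarding a packet when every rule says Check Next Rule and the chain runs out.

```python
# Added example (not ZyXEL code): a model of how a generic filter rule in
# Table 40 compares raw packet bytes, and how More, Log, Action Match and
# Action Not Match chain rules. Frame bytes, rule values, the offset origin
# (first byte of the Ethernet frame) and the "forward when no rule decides"
# default are constructed assumptions.
from dataclasses import dataclass
from typing import List, Tuple

CHECK_NEXT, FORWARD, DROP = "check_next", "forward", "drop"


@dataclass
class GenericRule:
    active: bool
    offset: int                         # Offset: first byte to compare (0..255)
    length: int                         # Length: number of bytes to compare (0..8)
    mask: bytes                         # Mask: ANDed with the bytes before comparing
    value: bytes                        # Value: expected result after masking
    more: bool = False                  # More = Yes: pass a match on to the next rule
    log: str = "none"                   # Log: none | match | not_match | both
    action_match: str = CHECK_NEXT      # Action Match
    action_not_match: str = CHECK_NEXT  # Action Not Match

    def __post_init__(self) -> None:
        if not 0 <= self.offset <= 255:
            raise ValueError("Offset must be 0..255")
        if not 0 <= self.length <= 8:
            raise ValueError("Length must be 0..8")
        if len(self.mask) != self.length or len(self.value) != self.length:
            raise ValueError("Mask and Value must each be exactly Length bytes")

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False  # frame too short to contain the compared bytes
        masked = bytes(b & m for b, m in zip(window, self.mask))
        return masked == self.value

    def should_log(self, matched: bool) -> bool:
        return (self.log == "both"
                or (self.log == "match" and matched)
                or (self.log == "not_match" and not matched))


def evaluate(frame: bytes, rules: List[GenericRule]) -> Tuple[str, List[str]]:
    """Walk the rule chain in order; return (verdict, log lines)."""
    log_lines: List[str] = []
    for number, rule in enumerate(rules, start=1):
        if not rule.active:
            continue
        matched = rule.matches(frame)
        if rule.should_log(matched):
            log_lines.append(f"rule {number}: {'match' if matched else 'no match'}")
        if matched and rule.more:
            continue  # More = Yes: defer the action, let the next rule see the packet
        action = rule.action_match if matched else rule.action_not_match
        if action != CHECK_NEXT:
            return action, log_lines
    return FORWARD, log_lines  # assumption: forward when no rule decides


def build_ipv4_frame(ip_protocol: int) -> bytes:
    """Constructed Ethernet II frame carrying a minimal 20-byte IPv4 header."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, EtherType
    ip = (bytes([0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, ip_protocol, 0x00, 0x00])
          + bytes([192, 168, 1, 33]) + bytes([203, 0, 113, 5]))
    return eth + ip + b"\x00" * 20


ARP_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0806") + b"\x00" * 28  # constructed

# Rule 1: EtherType (frame bytes 12-13) must be 0x0800 (IPv4); More = Yes so a
#         match falls through to rule 2, while non-IP frames are forwarded at once.
# Rule 2: IP protocol byte (frame byte 14 + 9 = 23) equal to 6 (TCP) is dropped,
#         anything else is forwarded; both outcomes are logged.
RULES = [
    GenericRule(True, 12, 2, b"\xff\xff", b"\x08\x00", more=True, log="match",
                action_not_match=FORWARD),
    GenericRule(True, 23, 1, b"\xff", b"\x06", log="both",
                action_match=DROP, action_not_match=FORWARD),
]

if __name__ == "__main__":
    for name, frame in (("tcp", build_ipv4_frame(6)), ("udp", build_ipv4_frame(17)), ("arp", ARP_FRAME)):
        print(name, evaluate(frame, RULES))
```

The mask is what makes short rules useful: a rule with Offset 14, Length 1, Mask f0 and Value 40 tests only the IP version nibble, ignoring the header-length nibble that shares the byte. Note also that a packet shorter than Offset plus Length simply does not match, so the action chosen in Action Not Match decides its fate.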
Figure 69 (diagram labels): Protocol Filters, Generic Filters, NAT, Interface, Route, Incoming, Outgoing
Packet Filtering
The router filters packets as they pass through the router's interface according to the filter rules you designed.
Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
Packet filtering only checks the header portion of an IP packet.
When To Use Filtering
1. To block/allow LAN packets by their MAC addresses.
2. To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4. To block/allow IP trace route.
Firewall
The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands the data in the packet intended for the other layers, from the network layer (IP headers) up to the application layer.
The firewall performs stateful inspection. It takes into account the state of the connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a non-existent outbound request can be blocked.
The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than individual packets in a session.
The firewall provides e-mail service to notify you of routine reports and when alerts occur.
When To Use The Firewall
1. To prevent DoS attacks and keep attackers from breaking into your network.
2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4. The firewall performs better than filtering if you need to check many rules.
5. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.
6. The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
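The two comparisons above, that a filter blocking A to B also blocks B to A, and that a stateful firewall admits an incoming packet only when it answers an outbound request, can be reduced to a few lines each. The following is an added example, not ZyXEL code: the address range that counts as "inside", the hosts and the policy that inside hosts may open sessions outward are constructed assumptions, and the session table is a minimal model rather than the device's inspection module.

```python
# Added example (not ZyXEL code): a stateless address filter beside a minimal
# stateful session table, illustrating Section 8.3.2. The LAN prefix, hosts
# and "inside hosts may open outbound sessions" policy are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

LAN_PREFIX = "192.168.1."  # constructed: which addresses count as "inside"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_inside(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class StatelessFilter:
    """A rule blocking host A <-> host B blocks both directions: the filter sees
    addresses only, never which side started the exchange."""

    def __init__(self, blocked_pairs: Set[FrozenSet[str]]) -> None:
        self.blocked = blocked_pairs

    def allow(self, p: Packet) -> bool:
        return frozenset((p.src_ip, p.dst_ip)) not in self.blocked


class StatefulFirewall:
    """Policy: inside hosts may open sessions outward; a packet from outside is
    admitted only if it answers a session an inside host opened."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        if is_inside(p.src_ip) and not is_inside(p.dst_ip):
            # Outbound request: remember the 4-tuple so the reply can be matched.
            self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        # Anything else must be the reverse of a recorded request; a packet
        # "masquerading as a response to a non-existent outbound request" fails here.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.sessions


A, B, C = "192.168.1.33", "203.0.113.5", "198.51.100.7"  # constructed hosts

if __name__ == "__main__":
    flt = StatelessFilter({frozenset((A, B))})
    print("filter A->B", flt.allow(Packet(A, 51000, B, 80)))
    print("filter B->A", flt.allow(Packet(B, 80, A, 51000)))
    fw = StatefulFirewall()
    print("fw request ", fw.allow(Packet(A, 51000, B, 80)))
    print("fw reply   ", fw.allow(Packet(B, 80, A, 51000)))
    print("fw spoofed ", fw.allow(Packet(B, 80, A, 51001)))
```

The stateless filter cannot express "let A talk to B but not the other way round" at all, which is the limitation item 3 in both lists refers to. The stateful table can, at the cost of keeping per-connection state, and it is that state which also lets it reject an inbound packet that merely looks like a reply.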
Chapter 9 Certificates
9.1 Overview
This chapter describes how your ZyXEL Device can use certificates as a means of authenticating wireless clients. It gives background information about public-key certificates and explains how to use them.
A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.
Figure 70 Certificates Example
In the figure above, the ZyXEL Device (Z) checks the identity of the notebook (A) using a certificate before granting it access to the network.
9.1.1 What You Can Do in the Certificates Screens
Use the My Certificates screens to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates.
Use the Trusted CAs screens to save CA certificates to the ZyXEL Device.
Use the Trusted Remote Hosts screens to import self-signed certificates.
Use the Directory Servers screens to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).
9.1.2 What You Need to Know About Certificates
Certification Authority
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.