Security

LAN WAN Rules

Firewall rules for traffic between the LAN and the WAN/Internet may be defined from this page.

The Default Outbound Policy allows all traffic from the LAN to pass through to the Internet. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the WAN.

The Default Inbound Policy is to block all inbound traffic to the LAN from the Internet (WAN). To allow computers from the WAN to access services on the LAN, a firewall rule for each service must be added.

Outbound Services

The default policy can be changed to block all outbound traffic and enable only specific services to pass through the router. To change the Default Outbound Policy, select Block Always from the drop-down list and click Apply.

The Outbound Services table lists all the existing rules for outgoing traffic. A rule is defined by the following fields:

! (Status): A rule can be disabled if not in use and enabled as needed. A rule is disabled if the status light is grey and enabled if the status light is green. Disabling a rule does not delete the configuration, but merely deactivates the rule.

Service Name: A unique name assigned to the service. The name usually indicates the type of traffic the rule covers, such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added from the Services page.

Filter: Defines the action to be taken on the enabled rule. It can be:
- Block Always: Block the selected service at all times.
- Enable Always: Allow the selected service to pass through at all times.
- Block by schedule, otherwise allow: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be blocked during the schedule interval and allowed to pass through at other times.
- Allow by schedule, otherwise block: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be allowed to pass through during the schedule interval and blocked at other times.

LAN Users: Specifies whether one or more LAN IP addresses will be affected by the rule. The rule affects packets for the selected service coming from the defined IP address or range of IP addresses on the LAN side.
- Any: All computers on the LAN are included in the rule.
- Single Address: A single LAN IP address that is affected by the rule.
- Address Range: A range of LAN IP addresses that are affected by the rule.
- Group: Computers that are part of the Group defined in the Network Database will be affected by the rule (groups are defined under the Network Configuration menu, on the LAN Groups page, Edit Group Names tab).

WAN Users: Specifies whether one or more WAN IP addresses will be affected by the rule. The rule affects packets for the selected service going to the defined IP address or range of IP addresses on the WAN side.
- Any: All IP addresses on the WAN will be affected by the rule.
- Single Address: A single WAN IP address will be affected by the rule.
- Address Range: A range of IP addresses on the WAN will be affected by the rule.

Priority: The priority assigned to IP packets of this service. The priorities are defined by the "Type of Service (TOS) in the Internet Protocol Suite" standard, RFC 1349. The router marks the Type Of Service (TOS) field as defined below:
- Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0x00.
- Minimize-Cost: Used when data must be transferred over a link that has a lower "cost". The IP packets for services with this priority are marked with a TOS value of 0x02.
- Maximize-Reliability: Used when data needs to travel to the destination over a reliable link with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 0x04.
- Maximize-Throughput: Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a TOS value of 0x08.
- Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a TOS value of 0x10.

Log: Specifies whether the packets for this rule should be logged or not. To log details for all packets that match this rule, select Always. Select Never to disable logging. For example, if the Filter of an outbound rule is set to Block Always, then for every packet that tries to make an outbound connection for that service, a message with the packet's source address and destination address, along with other information, will be recorded in the log.
Note: Enabling logging may generate a significant number of log messages and is recommended for debugging purposes only.

The actions that can be performed on the rules listed in the Rules table are:
- Edit: Modify the configuration of the selected rule.
- Select All: Selects all the rules in the table.
- Delete: Deletes the selected policy or policies.
- Enable: Enables the selected rule or rules.
- Disable: Disables the selected rule or rules.
- Add: Adds a new rule.
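The following Python is an added example, not code from the router or its documentation, that models how the outbound rule fields described above combine into a decision for one packet: the status light, the four Filter actions with a schedule, the LAN Users and WAN Users selectors (Any, Single Address, Address Range, Group), the Priority-to-TOS marking, the Log setting, and the Default Outbound Policy when no rule matches. The rule set, the "Allow Always" label for the default policy, the group membership list, and first-match ordering of overlapping rules are assumptions of the example; the page does not describe how the router orders rules.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# TOS byte the router writes for each Priority value (RFC 1349 values from the page).
TOS_BY_PRIORITY = {
    "Normal-Service": 0x00,
    "Minimize-Cost": 0x02,
    "Maximize-Reliability": 0x04,
    "Maximize-Throughput": 0x08,
    "Minimize-Delay": 0x10,
}


@dataclass
class AddressSelector:
    """The LAN Users / WAN Users field: Any, Single Address, Address Range or Group."""
    kind: str                       # "any" | "single" | "range" | "group"
    start: Optional[str] = None     # the single address, or first address of a range
    end: Optional[str] = None       # last address of a range
    members: tuple = ()             # group members; stand-in for the Network Database

    def matches(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return addr == IPv4Address(self.start)
        if self.kind == "range":
            return IPv4Address(self.start) <= addr <= IPv4Address(self.end)
        if self.kind == "group":
            return ip in self.members
        raise ValueError(f"unknown selector kind {self.kind!r}")


@dataclass
class OutboundRule:
    enabled: bool                   # status light: True = green, False = grey
    service: str                    # Service Name, e.g. "telnet"
    action: str                     # the Filter field (one of the four strings below)
    lan_users: AddressSelector
    wan_users: AddressSelector
    priority: str = "Normal-Service"
    log: str = "Never"              # "Always" or "Never"
    schedule: Optional[int] = None  # which of Schedule 1/2/3 the Filter refers to


def filter_allows(action: str, in_schedule: bool) -> bool:
    """Reduce the Filter field to allow/block for the present moment."""
    if action == "Block Always":
        return False
    if action == "Enable Always":
        return True
    if action == "Block by schedule, otherwise allow":
        return not in_schedule
    if action == "Allow by schedule, otherwise block":
        return in_schedule
    raise ValueError(f"unknown filter {action!r}")


def evaluate_outbound(rules, default_policy, service, src_ip, dst_ip,
                      active_schedules=frozenset()):
    """Decide one LAN->WAN packet: returns (allowed, tos_value, log_line).

    The first enabled rule whose service and selectors match decides (first-match
    is an assumption of this example); otherwise the Default Outbound Policy,
    "Allow Always" or "Block Always", applies and the packet is not logged.
    """
    for rule in rules:
        if not rule.enabled or rule.service != service:
            continue
        if not (rule.lan_users.matches(src_ip) and rule.wan_users.matches(dst_ip)):
            continue
        allowed = filter_allows(rule.action, rule.schedule in active_schedules)
        log_line = None
        if rule.log == "Always":
            # A logged packet records its source and destination addresses.
            log_line = (f"service={rule.service} action={'allow' if allowed else 'block'} "
                        f"src={src_ip} dst={dst_ip}")
        return allowed, TOS_BY_PRIORITY[rule.priority], log_line
    return default_policy == "Allow Always", TOS_BY_PRIORITY["Normal-Service"], None


# Constructed rule set for the example (not a real configuration).
SAMPLE_RULES = [
    OutboundRule(True, "telnet", "Block Always",
                 AddressSelector("any"), AddressSelector("any"), log="Always"),
    OutboundRule(True, "ftp", "Allow by schedule, otherwise block",
                 AddressSelector("range", "192.168.1.10", "192.168.1.20"),
                 AddressSelector("any"), priority="Maximize-Throughput", schedule=1),
    OutboundRule(False, "ssh", "Block Always",      # disabled: grey status light
                 AddressSelector("any"), AddressSelector("any")),
]

if __name__ == "__main__":
    print(evaluate_outbound(SAMPLE_RULES, "Allow Always", "telnet", "192.168.1.5", "203.0.113.7"))
    print(evaluate_outbound(SAMPLE_RULES, "Allow Always", "ftp", "192.168.1.15", "203.0.113.7",
                            active_schedules=frozenset({1})))
```

Note that the disabled ssh rule contributes nothing, so ssh traffic falls through to the default policy exactly as the Status description says: the configuration is kept but deactivated.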
Inbound Services

This table lists all the existing rules for incoming traffic. A rule is defined by the following fields:

! (Status): A rule can be disabled if not in use and enabled as needed. A rule is disabled if the status light is grey and enabled if the status light is green. Disabling a rule does not delete the configuration, but merely deactivates the rule.

Service Name: A unique name assigned to the service. The name usually indicates the type of traffic the rule covers, such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added on the Services page.

Filter: Defines the action to be taken on the enabled rule. It can be:
- Block Always: Block the selected service at all times.
- Enable Always: Allow the selected service to pass through at all times.
- Block by schedule, otherwise allow: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be blocked during the scheduled interval and allowed to pass through at other times.
- Allow by schedule, otherwise block: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be allowed to pass through during the scheduled interval and blocked at other times.

LAN Server IP Address: The IP address and port number of the machine on the LAN that is hosting the server. It is displayed in the form <IP address:port number>. For example, if a machine with the IP address 192.168.1.100 on the LAN side is running a telnet server on port 2000, the table will display 192.168.1.100:2000. If the telnet server is running on the default port (port 23), the table will display only the IP address.

Destination LAN Users: Specifies whether one or more IP addresses on the LAN will be affected by the rule. This field is only enabled in routing mode, since the LAN is accessible only in this mode.
- Any: All computers on the LAN will be affected by the rule.
- Single Address: A single IP address on the LAN will be affected by the rule.
- Address Range: A range of IP addresses on the LAN will be affected by the rule.
- Group: Computers that are part of the Group defined in the Network Database will be affected by the rule (groups are defined under the Network Configuration menu, on the LAN Groups page, Edit Group Names tab).

WAN Users: Specifies whether all Internet addresses or specific IP addresses are included in the rule.
- Any: All IP addresses on the Internet will be affected by the rule.
- Single Address: A single Internet IP address that is affected by the rule.
- Address Range: A range of IP addresses that are affected by the rule.

Destination: The WAN IP address that will map to the incoming server. It can be either the address of the WAN1 or WAN2 port* or another WAN IP address.
Note: This field is only enabled in NAT mode, since the router needs to map traffic coming from a particular WAN port to a LAN machine.
*Your router may have a single WAN port. Please refer to the online Reference Manual for details.

Priority: The priority assigned to IP packets of this service. The priorities are defined by the "Type of Service (TOS) in the Internet Protocol Suite" standard, RFC 1349. The router marks the Type Of Service (TOS) field as defined below:
- Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0x00.
- Minimize-Cost: Used when data must be transferred over a link that has a lower "cost". The IP packets for services with this priority are marked with a TOS value of 0x02.
- Maximize-Reliability: Used when data needs to travel to the destination over a reliable link with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 0x04.
- Maximize-Throughput: Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a TOS value of 0x08.
- Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a TOS value of 0x10.

Log: Specifies whether the packets for this rule should be logged or not. To log details for all packets that match this rule, select Always. Select Never to disable logging. For example, if the Filter of an inbound rule is set to Block Always, then for every packet that tries to make an inbound connection for that service, a message with the packet's source and destination addresses, along with other information, will be recorded in the log.
Note: Enabling logging may generate a significant volume of log messages and is recommended for debugging purposes only.

The actions that can be taken on rules are:
- Edit: Modifies the configuration of the selected rule.
- Select All: Selects all the rules in the table.
- Delete: Deletes the selected policy or policies.
- Enable: Enables the selected rule or rules listed in the table.
- Disable: Disables the selected rule or rules listed in the table.
- Add: Adds a new rule.

Note: An inbound firewall rule takes precedence over the device's own services.
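The following Python is an added example, not code from the router or its documentation, covering the inbound-specific fields above: it renders and parses the LAN Server IP Address column in the <IP address:port number> form, omitting the port when the server listens on the service's default port as the page describes, and resolves which LAN server a WAN connection arriving at a given Destination (WAN1/WAN2 or another WAN IP, NAT mode) is mapped to. The default-port table, the sample rules and the assumption that a rule matches on service name plus Destination are constructed for this example; the router's Services page holds the real service definitions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Default ports for services named on this page. Constructed for the example;
# on the router the Services page defines each service.
DEFAULT_PORTS = {"telnet": 23, "ssh": 22, "ftp": 21}


@dataclass(frozen=True)
class InboundRule:
    service: str              # Service Name
    lan_server_ip: str        # LAN Server IP Address
    lan_server_port: int
    destination: str          # Destination: "WAN1", "WAN2" or another WAN IP (NAT mode)
    enabled: bool = True      # status light: True = green, False = grey


def display_lan_server(rule: InboundRule) -> str:
    """Render the LAN Server IP Address column as <IP address:port number>,
    or the address alone when the server uses the service's default port."""
    IPv4Address(rule.lan_server_ip)          # raises ValueError on a malformed address
    if rule.lan_server_port == DEFAULT_PORTS.get(rule.service):
        return rule.lan_server_ip
    return f"{rule.lan_server_ip}:{rule.lan_server_port}"


def parse_lan_server(service: str, text: str) -> Tuple[str, int]:
    """Inverse of display_lan_server: recover (ip, port) from the column text,
    filling in the service's default port when only an address is shown."""
    ip, sep, port_text = text.partition(":")
    IPv4Address(ip)
    if not sep:
        if service not in DEFAULT_PORTS:
            raise ValueError(f"no default port known for service {service!r}")
        return ip, DEFAULT_PORTS[service]
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ip, port


def inbound_target(rules, service: str, destination: str) -> Optional[Tuple[str, int]]:
    """Where a WAN connection for `service` arriving at `destination` is sent.

    Returns (LAN IP, port) from the first enabled matching rule, or None when
    no rule exists, which under the Default Inbound Policy means the connection
    is blocked. Matching on service + Destination is an assumption of the example.
    """
    for rule in rules:
        if rule.enabled and rule.service == service and rule.destination == destination:
            return rule.lan_server_ip, rule.lan_server_port
    return None


# Constructed rules mirroring the page's telnet-on-port-2000 example.
SAMPLE_INBOUND = [
    InboundRule("telnet", "192.168.1.100", 2000, "WAN1"),
    InboundRule("ssh", "192.168.1.101", 22, "WAN1"),
    InboundRule("ftp", "192.168.1.102", 21, "WAN2", enabled=False),
]

if __name__ == "__main__":
    for rule in SAMPLE_INBOUND:
        print(rule.service, "->", display_lan_server(rule))
    print(inbound_target(SAMPLE_INBOUND, "telnet", "WAN1"))
    print(inbound_target(SAMPLE_INBOUND, "ftp", "WAN2"))   # disabled rule: None
```

The round trip through parse_lan_server matters when reading the table back: a bare address is only meaningful together with the service name, because the omitted port is the service's default, not port 0 or "any".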