Security |
 |
|
DMZ WAN Rules |
Firewall rules for traffic between the DMZ and the WAN/Internet may be defined
on this page. |
All inbound and outbound DMZ traffic is blocked by default. To allow traffic, a
firewall rule for each service must be added. |
Outbound Services |
This table lists all the existing rules for outgoing traffic. A rule is defined
by the following fields: |
! (Status): A rule can be disabled if not in use
and enabled as needed. A rule is disabled if the status light is grey and it is
enabled if the status light is green. Disabling a rule does not delete the
configuration, but merely de-activates the rule. |
Service
Name: This is a unique name assigned to the
service. The name usually indicates the type of traffic the rule covers such
ftp, ssh, telnet, ping, etc. Services not already on the list can be added on
the
Services page under the
Security menu. |
Filter: Defines an action to be taken on the
enabled rule. It can be: |
v |
Block
Always: Block selected service at all times. |
v |
Allow Always: Allow selected service to pass
through at all times. |
v |
Block by schedule, otherwise allow: Works in
conjunction with a schedule defined in the
Schedule 1/2/3 pages. The selected
service will be blocked during the scheduled interval and will be allowed to
pass through at other times. |
v |
Allow by schedule, otherwise block: Works in
conjunction with a schedule defined in the
Schedule 1/2/3 pages. The selected
service will be allowed to pass through during the scheduled interval and will
be blocked at other times. |
|
DMZ
Users: Specifies whether one or more IP Addresses
on the DMZ network will be affected by the rule. This rule will affect packets
for the selected service from the defined IP address or range of IP addresses on
the DMZ network. |
v |
Any: All computers on the DMZ network will be
affected by the rule. |
v |
Single
Address: A single IP address on the DMZ network
will be affected by the rule. |
v |
Address
Range: A range of IP addresses on the DMZ network
will be affected by the rule. |
|
WAN
Users: Specifies whether one or more IP addresses
on the WAN will be affected by the rule. This rule will affect packets for the
selected service to the defined IP address or range of IP addresses on the WAN
side. |
v |
Any: All IP addresses on the WAN will be affected
by the rule. |
v |
Single
Address: A single WAN will be affected by affected
by the rule. |
v |
Address
Range: A range of IP addresses on the WAN will be
affected by the rule. |
|
Priority: The priority assigned to IP packets of
this service. The priorities are defined by “Type of Service (TOS) in the
Internet Protocol Suite” standards, RFC 1349. The router marks the Type Of
Service (TOS) field as defined below: |
v |
Normal-Service: No special priority given to the
traffic. The IP packets for services with this priority are marked with a TOS
value of 0x00. |
v |
Minimize-Cost: Used when data must be transferred
over a link that has a lower "cost". The IP packets for services with this
priority are marked with a TOS value of 0x02. |
v |
Maximize-Reliability: Used when data needs to
travel to the destination over a reliable link and with little or no
retransmission. The IP packets for services with this priority are marked with a
TOS value of 0x04.
|
v |
Maximize-Throughput: Used when the volume of data
transferred during an interval is important even if the latency over the link is
high. The IP packets for services with this priority are marked with a TOS value
of 0x08. |
v |
Minimize-Delay: Used when the time required
(latency) for the packet to reach the destination must be low. The IP packets
for services with this priority are marked with a TOS value of 0x10. |
|
Log: Specifies whether the packets for this rule
should be logged or not. To log details for all packets that match this rule,
select
Always. Selecting
Never disables logging.
For example, if an outbound rule for a schedule is selected as
Block Always, then for every packet that tries to
make an outbound connection for that service, a message with the packet’s source
address and destination address (and other information) will be recorded in the
log. Enabling logging may generate a significant volume of log messages and is
recommended for debugging purposes only. |
The actions that can be taken on the Rules listed in the table are: |
Edit: Modifies the configuration of the selected
rule. |
Select All: Selects all the rules in the table. |
Delete: Deletes the selected policy or policies. |
Enable: Check the radio box next to one or more
rules listed in the table and click
Enable to enable the rule. |
Disable: Check the radio box next to one or more
rules listed in the table and click
Disable to disable a rule. |
Add: Adds a new rule. |
Inbound Services |
This table lists all the existing rules for incoming traffic. A rule is defined
by the following fields: |
! (Status): A rule can be disabled if not in use
and enabled as needed. A rule is disabled if the status light is grey and it is
enabled if the status light is green. Disabling a rule does not delete the
configuration, but merely de-activates the rule. |
Service
Name: This is a unique name assigned to the
service. The name usually indicates the type of traffic the rule covers such
ftp, ssh, telnet, ping, etc. Services not already in the list can be added on
the
Services page under the
Security menu. |
Send to DMZ IP Address: Specifies an IP address and port number of a machine on
the DMZ network which is hosting the server. It is displayed in the form
<IP address:port number>.
For example, if a machine with an IP address of 192.168.10.100 on the DMZ side
is running a telnet server on port 2000, then this section will show
192.168.10.100:2000. If the telnet server is running on the default port (port
23), then this section will only show the IP address. |
Filter: Defines an action to be taken on the
enabled rule. It can be: |
v |
Block
Always: Block selected service at all times. |
v |
Allow Always: Allow selected service to pass
through at all times. |
v |
Block by schedule, otherwise allow: Works in
conjunction with a schedule defined in the
Schedule 1/2/3 pages. The selected service will be
blocked during the scheduled interval and will be allowed to pass through at
other times. |
v |
Allow by schedule, otherwise block: Works in
conjunction with a schedule defined in the
Schedule 1/2/3 pages. The selected service will be
allowed to pass through during the scheduled interval and will be blocked at
other times. |
|
DMZ
Users: Specifies whether one or more IP address on
the DMZ network will be affected by the rule. This field is only populated in
routing mode since the DMZ network is accessible only in this mode. |
v |
Any: All computers on the DMZ network will be
affected by the rule. |
v |
Single
Address: A single IP address on the DMZ network
will be affected by the rule. |
v |
Address
Range: A range of IP addresses on the DMZ network
will be affected by the rule. |
|
WAN
Users: Specifies whether one or more IP addresses
on the WAN will be affected by the rule. This rule will affect packets that are
transferred for the selected service to the IP address or range of IP addresses
on the WAN side. |
v |
Any: All IP addresses on the WAN will be affected
by the rule. |
v |
Single
Address: A single WAN IP address will be affected
by the rule. |
v |
Address
Range: A range of WAN IP addresses will be affected
by the rule. |
|
Destination: The WAN IP address that will map to
the incoming server. It can either be the address of the WAN1 or WAN2 ports or
another WAN IP address. This field is only populated under NAT mode because the
router needs to map traffic coming from a particular WAN port to a DMZ machine. |
Priority: The priority assigned to IP packets of
this service. The priorities are defined by “Type of Service (TOS) in the
Internet Protocol Suite” standards, RFC 1349. The router marks the Type Of Service (TOS) field as defined below: |
v |
Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0. |
v |
Minimize-Cost: Used when data must be transferred over a link that has a lower "cost". The IP packets for services with this priority are marked with a TOS value of 1.
|
v |
Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 2.
|
v |
Maximize-Throughput: Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a TOS value of 4. |
v |
Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a TOS value of 8. |
|
Log: Specifies whether the packets for this rule
should be logged or not. To log details for all packets that match this rule,
select
Always. Select
Never to disable logging.
For example, if an inbound rule for a schedule is selected as
Block Always, then for every packet that tries to
make an outbound connection for that service, a message with the packet’s source
and destination addresses (and other information) will be recorded in the log.
Enabling logging may generate a significant volume of log messages and is
recommended for debugging purposes only. |
The actions that can be taken on the Rules listed in the table are: |
Edit: Modifies the configuration of the selected
rule. |
Select
All: Selects all the rules in the table. |
Delete: Deletes the selected policy or policies. |
Enable: Check the radio box next to one or more
rules listed in the table and click
Enable to enable the rule. |
Disable: Check the radio box next to one or more
rules listed in the table and click
Disable to disable a rule. |
Add: Adds a new rule. |
|