D-Link DFL-200 manual Firewall, Policy modes, Action Types

Page 27

Firewall

Policy

The Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall.

When a new connection is being established through the firewall, the policies are evaluated, top to bottom, until a policy that matches the new connection is found. The Action of the rule is then carried out. If the action is Allow, the connection will be established and a state representing the connection is added to the firewall's internal state table. If the action is Drop, the new connection will be refused. The section below will explain the meanings of the various action types available.

Policy modes

The first step in configuring security policies is to configure the mode for the firewall. The firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use DFL-1000 network address translation to protect private networks from public networks. In NAT mode, you can connect a private network to the internal interface, a DMZ network to the dmz interface, and a public network, such as the Internet, to the external interface. Then you can create NAT mode policies to accept or deny connections between these networks. NAT mode policies hide the addresses of the internal and DMZ networks from users on the Internet. In No NAT (Route) mode you can also create routed policies between interfaces. Route mode policies accept or deny connections between networks without performing address translation. To use NAT mode select Hide source addresses (many-to-one NAT) and to use No NAT (Route) mode choose No NAT.

Action Types

Drop – Packets matching Drop rules will immediately be dropped. Such packets will be logged if logging has been enabled in the Logging Settings page.

Reject – Reject works in basically the same way as Drop. In addition to this, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet was a TCP packet, a TCP RST message. Such packets will be logged if logging has been enabled in the Logging Settings page.

Allow – Packets matching Allow rules are passed to the stateful inspection engine, which will remember that a connection has been opened. Therefore, rules for return traffic will not be required as traffic belonging to open connections is automatically dealt with before it reaches the policies. Logging is carried out if audit logging has been enabled in the Logging Settings page.

Image 27
Contents Link DFL-200 Contents VPN Servers 111 125 122Introduction to Firewalls Features and BenefitsAccess Control supported IntroductionIntroduction to Local Area Networking Physical Connections LEDsSystem Requirements Package ContentsManaging D-Link DFL-200 Resetting the DFL-200Administrative Access Administration SettingsAdd Admin access to an interface Add ping access to an interfaceEnable Snmp access to an interface Add Read-only access to an interfaceSystem InterfacesChange IP of the LAN or DMZ interface WAN Interface Settings Using Static IP WAN Interface Settings Using DhcpIP Address The IP address of the WAN interface. This is Password WAN Interface Settings Using PPPoEWAN Interface Settings Using Pptp WAN Interface Settings Using BigPond MTU ConfigurationPassword The password supplied to you by your ISP Routing Add a new Static Route Remove a Static RouteGo to System and Routing Logging Enable Logging Enable Audit LoggingEnable E-mail alerting for ISD/IDP events Page Time Checking the Set the system time box Using NTP to sync timeSetting time and date manually Changing time zoneAction Types FirewallPolicy Policy modesService Filter Source and Destination FilterSchedule Add a new policy Intrusion Detection / PreventionChange order of policy Configure Intrusion DetectionEnable the Delete policy checkbox Enable the Intrusion Detection / Prevention checkboxConfigure Intrusion Prevention Add a new mapping Port mapping / Virtual ServersDelete mapping Enable the Delete mapping checkboxDFL-200 Radius Support UsersEnable Radius Support Enable User Authentication via Http / HttpsChange User Password Enable the Change password checkboxAdd User Delete User Enable the Delete user checkboxAdd new recurring schedule SchedulesAdding TCP, UDP or TCP/UDP Service ServicesAdding IP Protocol Grouping ServicesProtocol-independent settings Introduction to IPSec VPNIntroduction to Pptp Introduction to L2TPPoint-to-Point Protocol MPPE, Microsoft Point-To-Point Encryption Authentication ProtocolsL2TP/PPTP Clients Authentication protocolL2TP/PPTP Servers Authentication Protocol Introduction chapterMppe encryption Creating a LAN-to-LAN IPSec VPN Tunnel VPN between two networksCreating a Roaming Users IPSec VPN Tunnel VPN between client and an internal networkAdding a L2TP/PPTP VPN Server Adding a L2TP/PPTP VPN ClientVPN Advanced Settings Proposal Lists IKE Proposal ListIPSec Proposal List Certificates of remote peers CertificatesTrusting Certificates Local identitiesIdentities Active content handling Content FilteringEdit the URL Global Whitelist Edit the URL Global Blacklist Active content handling Servers Dhcp Server SettingsEnable by checking the Use built-in Dhcp Server box Enable Dhcp ServerEnable Dhcp Relay Disable Dhcp Server/RelayerDNS Relayer Settings Enable DNS RelayerEnable by checking the Enable DNS Relayer box Disable DNS Relayer Ping ToolsAdd Dynamic DNS Settings Dynamic DNSPing Example Backup Exporting the DFL-200’s ConfigurationRestoring the DFL-200’s Configuration Restarting the DFL-200 Restart/ResetRestoring system settings to factory defaults Page Upgrade Upgrade FirmwareUpgrade IDS Signature-database Status SystemCPU Load Interfaces VPN Click Connections below it. a window will ConnectionsDhcp Server Logging Conn events How to read the logsUsage events Drop eventsClose Example Open ExampleStep by step guides LAN IP 192.168.4.1, Subnet mask LAN-to-LAN VPN using IPsecRemote Net 192.168.1.0/24 Enable Automatically add a route for the remote networkLocal net 192.168.1.0/24 LAN IP 192.168.1.1, Subnet maskRemote Net 192.168.4.0/24 LAN-to-LAN VPN using Pptp Username BranchOffice Click Global policy parameters Settings for Main office Page Under Users in local database click Add new Select Local databasePage LAN-to-LAN VPN using L2TP Username BranchOffice Check Use IPsec encryption Setup interfaces, System-Interfaces WAN IP193.0.2.20 Page Select Local database Under Users in local database click Add new More secure LAN-to-LAN VPN solution Page Page Settings for Main office Windows XP client and Pptp server Settings for the Windows XP clientSelect Connect to the network at my workplace and click Next Select Virtual Private Network connection and click Next Name the connection MainOffice and click Next 104 Select Do not dial the initial connection and click Next Page Click Properties Page Name the new user HomeUser Enter password Retype password Page Windows XP client and L2TP server 112 Settings for Main office Page Content filtering Select HTTP/HTML Content Filtering in the ALG dropdown Firewall-ServicesPage Page Intrusion detection and prevention Page Check Enable E-mail alerting for IDS/IDP events Appendix a Icmp Types and Codes AppendixesPage ESP Appendix B Common IP Protocol NumbersLimited Warranty What Is Not Covered Wichtige Sicherheitshinweise Attenzione CE Mark WarningWarnung Advertencia de Marca de la CEVcci Warning Offices Singapore D-LINK International 132
Related manuals
Manual 14 pages 8.62 Kb Manual 12 pages 24 Kb