DMZ Firewall Solution for the Express Router
Filters are defined as follows:

| Filter | Function | Setting | Value |
|---|---|---|---|
| — | Pass all packets destined for DMZ | Default Action | Pass |
| 1 | Prevents RIP updates from entering the DMZ network | Action | Discard |
| | | Protocol | UDP |
| | | Dest. address type | All |
| | | Dest. port | RIP |
| | | Src. address type | All |
| | | Src. port | All |
| 2 | Prevents tunnel packets from entering the DMZ network | Action | Discard |
| | | Protocol | TCP |
| | | Dest. address type | All |
| | | Dest. port | Tunnel |
| | | Src. address type | All |
| | | Src. port | All |
| 3 | Prevents RSVP packets from entering the DMZ network/router. Three separate filters are required. | Action | Discard |
| | | Protocol | RSVP |
| | | Dest. address type | All |
| | | Dest. port | All |
| | | Src. address type | All |
| | | Src. port | All |
| 4 | Second of the three RSVP filters (see filter 3) | Action | Discard |
| | | Protocol | UDP |
| | | Dest. address type | All |
| | | Dest. port | = 1698 |
| | | Src. address type | All |
| | | Src. port | All |
| 5 | Third of the three RSVP filters (see filter 3) | Action | Discard |
| | | Protocol | UDP |
| | | Dest. address type | All |
| | | Dest. port | = 1699 |
| | | Src. address type | All |
| | | Src. port | All |
| 6 | Prevents BootP updates from entering the DMZ network/router | Action | Discard |
| | | Protocol | UDP |
| | | Dest. address type | All |
| | | Dest. port | 67 |
| | | Src. address type | All |
| | | Src. port | All |
| 7 | Prevents Syslog updates from entering the DMZ network/router | Action | Discard |
| | | Protocol | UDP |
| | | Dest. address type | All |
| | | Dest. port | = 514 |
| | | Src. address type | All |
| | | Src. port | All |
| 8 | Discards all packets that spoof (or fake) the IP address of the router on LAN1. This is necessary since these packets will pass the Tx filter on LAN1. | Action | Discard |
| | | Protocol | UDP |
| | | Dest. address type | All |
| | | Dest. port | All |
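The filter table above, modelled as a small evaluator so the default-Pass plus ordered-Discard semantics can be checked against sample packets. This is an added example, not configuration or code from the Express Router documentation; it assumes RIP means UDP port 520, leaves out filter 2 because "Tunnel" is a UI alias whose port the page does not give, and models filter 8 as matching the router's own LAN1 address (a constructed placeholder) as source.

```python
# Added example: a model of the DMZ filter table, not the router's own code.
# Assumptions: RIP -> UDP 520; filter 8 matches packets whose source address is
# the router's LAN1 address; filter 2 ("Tunnel") is omitted since its port is an
# unresolved UI alias on the page.
from dataclasses import dataclass
from typing import Optional

ROUTER_LAN1_IP = "192.0.2.1"  # constructed placeholder for the router's LAN1 address


@dataclass(frozen=True)
class Packet:
    proto: str                   # "UDP", "TCP", "RSVP", ...
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # None for protocols without ports (e.g. RSVP)


@dataclass(frozen=True)
class Filter:
    name: str
    proto: str                   # protocol the filter matches
    dport: Optional[int] = None  # None = any destination port
    src: Optional[str] = None    # None = any source address


# Filters 1 and 3 to 8 from the table; every filter's action is Discard.
DMZ_FILTERS = [
    Filter("1 RIP", "UDP", dport=520),
    Filter("3 RSVP native", "RSVP"),
    Filter("4 RSVP/UDP 1698", "UDP", dport=1698),
    Filter("5 RSVP/UDP 1699", "UDP", dport=1699),
    Filter("6 BootP", "UDP", dport=67),
    Filter("7 Syslog", "UDP", dport=514),
    Filter("8 anti-spoof", "UDP", src=ROUTER_LAN1_IP),
]


def evaluate(pkt: Packet, filters=DMZ_FILTERS) -> tuple[str, Optional[str]]:
    """Return (action, name of matching filter). Default action is Pass, so a
    packet matching no filter is forwarded into the DMZ."""
    for f in filters:
        if f.proto != pkt.proto:
            continue
        if f.dport is not None and f.dport != pkt.dport:
            continue
        if f.src is not None and f.src != pkt.src:
            continue
        return "Discard", f.name
    return "Pass", None
```

Because the default action is Pass, anything not listed (for example TCP to a web server in the DMZ) is forwarded; only the enumerated protocols and ports are blocked.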
Version 1.0 | 11 |