Firewall Tutorial, General ﬁrewall terms, 146 | Netopia 2200

Firewall Tutorial

General ﬁrewall terms

☛Note:

Breakwater Basic Firewall (see “BreakWater Basic Firewall” on page 125) does not make use of the packet ﬁlter support and can be used in addition to ﬁltersets

Filter rule: A ﬁlter set is comprised of individual ﬁlter rules.

Filter set: A grouping of individual ﬁlter rules.

Firewall: A component or set of components that restrict access between a protected net- work and the Internet, or between two networks.

Host: A workstation on the network.

Packet: Unit of communication on the Internet.

Packet ﬁlter: Packet ﬁlters allow or deny packets based on source or destination IP addresses, TCP or UDP ports.

Port: A number that deﬁnes a particular type of service.

Basic IP packet components

All IP packets contain the same basic header information, as follows:

Source IP Address	163.176.132.18
Destination IP Address	163.176.4.27
Source Port	2541
Destination Port	80

146

Image 146

Netopia 2200 manual Firewall Tutorial, General ﬁrewall terms, Basic IP packet components, 146

Contents

Netopia Software User Guide Copyright Table of Contents Expert Mode Security 146 Basic Troubleshooting Command Line Interface 221 Table of Contents Glossary Overview of Major Capabilities Index Introduction What’s New About Netopia Documentation Intended Audience General Command Line InterfaceDocumentation Conventions Internal Web Interface Bold terminal type User-entered text face Organization Word About Example ScreensPage Basic Mode Setup Important Safety Instructions Power Supply Installation Bewahren Sie diese Anweisungen auf Wichtige SicherheitshinweiseAchtung Setting up the Netopia Gateway Microsoft Windows Then go to Step Macintosh MacOS 8 or higher or Mac OS Proceed to Conﬁguring the Netopia Gateway on Conﬁguring the Netopia Gateway MiAVo Vdsl and Ethernet WAN models Quickstart Click the Connect to the Internet button PPPoE Quickstart Configuring the Netopia Gateway Netopia Gateway Status Indicator Lights Home Page Basic Mode DNS Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Accessing the Expert Web Interface Open the Web ConnectionPage Home Page Expert Mode Field Status and/or Description Home Page InformationSummary Information Dhcp Link Breadcrumb Trail ToolbarNavigating the Web Interface Restart Button Restart Link Alert Symbol Help Button Help Link Quickstart ConﬁgureButton Conﬁgure Click Connect to the Internet Link LAN Configure Page Wireless supported models Privacy Configure Page Advanced Page About Closed System Mode Page Examples WPA Version Allowed Multiple SSIDs Wireless MAC Authorization Page Configure Use Radius Server Advanced Network Conﬁguration page appears Other WAN Options WAN IP InterfacesIP Gateway Available Encapsulation types Available Multiplexing types Sustained Cell Rate SCR Class Transmit Priority Comments Link Advanced Link IP Static Routes IP Static Route Entry page appearsPage Link IP Static ARP Link Pinholes TCP Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Configure Link IPMaps Ple static 192.168.1.1 IPMaps Block DiagramNetopia Gateway WAN Interface LAN Interface 192.168.1.2 Link Default Server Internet Gateway NAT LAN STN #2 Configure Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link DNS Link Dhcp Server Configure Link Radius Server Link Snmp Page Link Igmp Internet Group Management Protocol Page Configure Link UPnP 100 Link LAN Management 101 Link Advanced Ethernet Bridge 102 Conﬁguring for Bridge Mode 103 Enable Concurrent Bridging/Routing checkbox 104 105 Link Vlan 106 107 Vlan Port Conﬁguration screen appears Enable Multiple Wireless IDs on108 109 110 Link Syslog Parameters 111 112 113 Administration Related Log MessagesLog Event Messages System Log Messages DSL Log Messages most common Access-related Log Messages114 115 Mented packet 116 Link Internal ServersLink Software Hosting 117 List of Supported Games and Software 118 FTP Rename a UserPC 119 Link Clear Options 120 Link Time Zone 121 122 SecurityButton Security Link Passwords 123 124 125 Conﬁguring for a BreakWater SettingLink Firewall Use a Netopia Firewall 126 Basic Firewall Background 127Tips for making your BreakWater Basic Firewall Selection BreakWater Setting ClearSailing SilentRunning LANdLocked 128 129 Link IPSec 130 SafeHarbour IPSec VPN 131 132 Conﬁguring a SafeHarbour VPN IPSec Tunnel Details Parameter Setup Worksheet 133 134 Parameter Descriptions on page 136 as required 135 Make the Tunnel Details entries Field Description 136Parameter Descriptions 137 PAT Address 138 Soft MBytes 139 140 Stateful Inspection Firewall installation procedureLink Stateful Inspection Exposed Addresses 141 142 143 Stateful Inspection Options 144 Port Protocol Description LAN Private WAN Public Interface Open Ports in Default Stateful Inspection Installation145 Basic IP packet components Firewall TutorialGeneral ﬁrewall terms 146 Basic protocol types 147 148 Example TCP/UDP Ports TCP Port ServiceFirewall design rules Firewall Logic 149 Implied rules 150 Example ﬁlter set What it means Filter basics151 Example network Example Example ﬁlters152 153 Link Packet Filter 154 155 What’s a ﬁlter and what’s a ﬁlter set?How ﬁlter sets work Filter priority How individual ﬁlters work156 Parts of a ﬁlter 157ﬁltering rule Port number comparisons 158Port numbers Putting the parts together 159Other ﬁlter attributes 160 Filtering example #1 161 162 Filtering example #2 163 An approach to using ﬁltersDesign guidelines 164 Working with IP Filters and Filter SetsAdding a ﬁlter set Adding ﬁlters to a ﬁlter set 165 166 Netopia Router 167 168 Enter the Source Mask for the source IP address 169 Viewing ﬁlters Modifying ﬁlters Deleting a ﬁlter set170 Deleting ﬁlters Associating a Filter Set with an Interface 171 172 173 Policy-based Routing using FiltersetsTOS ﬁeld matching 174 175 176 Using the Security Monitoring LogLink Security Log 177 178 Timestamp Background 179 InstallButton Install Link Install Software 180 181 Required FilesNetopia ﬁrmware Image File Click the Install Software button 182 183 Verify the Netopia Firmware Release Obtaining Software Feature Keys Link Install KeysUse Netopia Software Feature Keys Procedure Install a New Feature Key File 185 To check your installed features 186 187 Link Install Certiﬁcate 188 189 190 Basic Troubleshooting 191 Action Status Indicator Lights192 Ethernet 193 Ethernet 1, 2, 3 Wireless 194 195 DSL Sync 196 197 Special patterns 198 LAN 1, 2, 3 199 DSL Sync Front View 200 LED Function Summary Matrix 201 Active 202EN Link Unlit Link Factory Reset Switch 203 3347W/3357W 3397GP2247NWG 2240N Advanced Troubleshooting 205 Home 206 207 Status of Connection 208 Expert ModeButton Troubleshoot Link System Status 209 Link Ports Ethernet 210 Link Ports DSL 211 Link IP Interfaces 212 Link DSL Circuit Conﬁguration 213 Link System Log Entire 214 Link Diagnostics 215 Link Network Tools 216 217 218 If Ping is not successful, possible causes are 219 220 Command Line Interface 221 Overview 222 Keywords Command Verbs Status and/or Description223 Ending a CLI Session Starting and Ending a CLI SessionLogging 224 Saving Settings Using the CLI Help FacilityAbout Shell Commands Shell Command Shortcuts Shell Commands Common Commands Download -cert serveraddress ﬁlename conﬁrm DiagnoseDownload serveraddress ﬁlename conﬁrm 227 Loglevel level Install serveraddress ﬁlename conﬁrmLicense key 228 229 NetstatNetstat -r Reset crash Reset arpReset atm Reset dhcp server Reset security-log Reset ipmapReset log Reset wan-users all ip-address Show crash Show featuresShow conﬁg Show dhcp agent Show ip ipsec Show ip igmpShow ip interfaces Show ip ﬁrewall Show log Show wireless allShow wireless clients MACaddress Show memory all Who Upload serveraddress ﬁlename conﬁrmView conﬁg 235 WAN Commands Navigating the Config Hierarchy About Config CommandsConfig Mode Prompt Netopia-3000/9437188 top quit 238 Set ip ethernet a Entering Commands in Config ModeSet ip ethernet a ipaddress 239 Step Mode a CLI Conﬁguration Technique Guidelines Config CommandsDisplaying Current Gateway Settings 240 Validating Your Conﬁguration 241 Config Commands DSL Commands Set atm vcc n vpi 0 Set atm vcc n qos sustained-cell-rate 1 ...nSet atm vcc n qos max-burst-size 1 ...n Set atm vcc n vci 0 Set bridge sys-bridge on off Bridging SettingsSet atm vccn pppoe-sessions 1 Set bridge concurrent-bridging-routing on off Set bridge ethernet option on off Set bridge table-timeout 30Dhcp Settings Set bridge dsl vccn option on off Set dhcp lease-time lease-time Set dhcp start-address ipaddressSet dhcp end-address ipaddress Set dhcp server-address ipaddress Set dmt metallic-termination auto disabled alwayson DMT SettingsSet dmt wiringMode auto tipring AA1 Set dmt autoConﬁg off on Set dns domain-name domain-name Domain Name System SettingsSet dns proxy-enable Set dns primary-address ipaddress Set igmp robustness value Igmp SettingsSet igmp snooping off on Set igmp query-intvl value Set ip option on off IP SettingsSet ip arp-timeout 60 Set ip dsl vccn address ipaddress Set ip dsl vccn addr-mapping on off Set ip dsl vccn restriction admin-disabled noneSet ip dsl vccn netmask netmask Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5 Set ip ethernet a address ipaddress Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5Set ip ethernet a option on off Set ip ethernet a broadcast broadcastaddress Set ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 Set ip ethernet a restrictions none admin-disabledSet ip ethernet a netmask netmask 253 Set ip gateway interface ip-address ppp-vccn Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5Set ip gateway option on off Set ip ip-ppp vccn option on off Set ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn restriction admin-disabled noneSet ip ip-ppp vccn address ipaddress Set ip ip-ppp vccn addr-mapping on off 256 Set ip ip-ppp vccn rip-send off v1 v2 v1-compat v2-MD5Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5 Set ip ipsec-passthrough off on Set ip static-arp ip-addressipaddressSet ip igmp-forwarding off on 257 Set diffserv lohi-ratio 60 100 percent Set ip prioritize off onSet diffserv option off on 258 259 260 Set ip sip-passthrough on offSet ip static-routes destination-networknetaddress Delete ip static-routes destination-network netaddress 261 IPMaps Settings Network Address Translation NAT Default Settings Set pinhole name name Set nat-default host-hardware-address MACaddressNetwork Address Translation NAT Pinhole Settings Set pinhole name name protocol-select tcp udp PPPoE /PPPoA Settings Set ppp module vccn protocol-compression on off Set ppp module vccn mru integerSet ppp module vccn magic-number on off Set ppp module vccn lcp-echo-requests on off Set ppp module vccn terminate-max integer Set ppp module vccn restart-timer integerSet ppp module vccn conﬁgure-max integer Set ppp module vccn connection-type instant-on always-on Ethernet Port Settings Set ppp module vccn port-authentication username usernameSet ppp module vccn port-authentication password password Command Line Interface Preference Settings Set preference more lines 268 Set servers telnet-tcp 1 Port Renumbering SettingsSet servers web-http 1 269 Set security ipsec tunnels name Security SettingsSet security ipsec option off on off 270 Set security ipsec tunnels name 123 tun-enable on on off 271 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 272 Set security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 xauth username username 274 Set security ipsec tunnels name 123 local-id idvalueSet security ipsec tunnels name 123 remote-id idvalue 275 Set security state-insp tcp-timeout 30 276 277 Set security state-insp udp-timeout 30Set security state-insp xposed-addr exposed-address# n Packet Filtering Settings 278 279 280 281 Snmp Settings Set system name name System SettingsSet snmp notify type v1-trap v2-trap inform 283 Set system log-size 10240 Set system idle-timeout telnet 1...120 http 1Set system username administrator name user name Set system persistent-log off on 285 Set system password admin userSleep Contact-email string@domainname location string 286 287 Set system zerotouch option on offSet system zerotouch redirect-url redirection-URL Syslog 289 Set security state-insp eth B option on Wireless Settings supported models 291 Set wireless mode both-b-and-g b-only g-onlySet wireless multi-ssid option on off 292 293 Set wireless no-bridging off onSet wireless tx-power full medium fair low minimal 294 Set wireless network-id privacy pre-shared-key stringSet wireless network-id privacy default-keyid Example 256bit key 295Example 40bit key 02468ACE02 Set radius radius-secret sharedsecret Set wireless mac-auth option on offSet radius radius-name servernamestring Set radius alt-radius-name servernamestring 297 Set radius radius-port portnumberSet vlan name string 298 To make the Vlan vlan1 routable add the port lan-uplink 299 Set upnp option on offSet dslf-lanmgmt option off on 300 301 Vdsl Settings 302 Vdsl Parameter Defaults 303 304 Vdsl Parameters Accepted Values 305 Parameter 306 Etsi M2 CAB 307 308 309 310 Glossary 311 312 313 314 315 316 Ethernet crossover cable. See crossover cable 317 318 319 320 321 322 323 324 325 326 Description 327 328 Software and protocols North America Agency approvals329 International Manufacturer’s Declaration of Conformance 330 331 Declaration for Canadian users Telecommunication installation cautions Important Safety InstructionsAustralian Safety Information 332 CFR Part 68 Information 333 Electrical Safety Advisory 334 Overview of Major Capabilities 335 Instant-On PPP Wide Area Network TerminationPPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM 336 DNS Proxy Simpliﬁed Local Area Network SetupDhcp Dynamic Host Conﬁguration Protocol Server 337 Embedded Web Server DiagnosticsManagement 338 339 Remote Access ControlPassword Protection Network Address Translation NAT Netopia Gateway 340 Internal Servers Netopia Advanced Features for NAT341 Pinholes Combination NAT Bypass Conﬁguration Default Server342 VPN IPSec Pass Through 343IP-Passthrough Stateful Inspection Firewall 344VPN IPSec Tunnel Termination SSL Certiﬁcate Support Index 345 346 NAT 255, 262 347 NTP 348 349 350