What’s a ﬁlter and what’s a ﬁlter set?, 155 | Netopia 2200 manual

Firewall Tutorial

admit or refuse TCP/IP connections from certain remote networks and speciﬁc hosts. You will also use ﬁlters to screen particular types of connections. This is commonly called ﬁre- walling your network.

Before creating ﬁlter sets, you should read the next few sections to learn more about how these powerful security tools work.

What’s a ﬁlter and what’s a ﬁlter set?

A ﬁlter is a rule that lets you specify what sort of data can ﬂow in and out of your network. A particular ﬁlter can be either an input ﬁlter—one that is used on data (packets) coming in to your network from the Internet—or an output ﬁlter—one that is used on data (packets) going out from your network to the Internet.

A ﬁlter set is a group of ﬁlters that work together to check incoming or outgoing data. A ﬁl- ter set can consist of a combination of input and output ﬁlters.

How ﬁlter sets work

A ﬁlter set acts like a team of customs inspectors. Each ﬁlter is an inspector through which incoming and outgoing packages must pass. The inspectors work as a team, but each inspects every package individually.

Each inspector has a speciﬁc task. One inspector’s task may be to examine the destina- tion address of all outgoing packages. That inspector looks for a certain destination— which could be as speciﬁc as a street address or as broad as an entire country—and checks each package’s destination address to see if it matches that destination.

A ﬁlter inspects data packets like a customs inspector scrutinizing packages.

INSPECTOR

FROM:

APPROVET : D

FROM:

TO:

FROM:

TO:

155

Image 155

Netopia 2200 manual What’s a ﬁlter and what’s a ﬁlter set?, How ﬁlter sets work, 155

Contents

Netopia Software User Guide Copyright Table of Contents Expert Mode Security 146 Basic Troubleshooting Command Line Interface 221 Table of Contents Glossary Overview of Major Capabilities Index What’s New Introduction Intended Audience About Netopia Documentation Internal Web Interface Command Line InterfaceDocumentation Conventions General Bold terminal type User-entered text face Word About Example Screens OrganizationPage Basic Mode Setup Power Supply Installation Important Safety Instructions Bewahren Sie diese Anweisungen auf Wichtige SicherheitshinweiseAchtung Microsoft Windows Setting up the Netopia Gateway Then go to Step Macintosh MacOS 8 or higher or Mac OS Proceed to Conﬁguring the Netopia Gateway on Conﬁguring the Netopia Gateway Click the Connect to the Internet button MiAVo Vdsl and Ethernet WAN models Quickstart PPPoE Quickstart Configuring the Netopia Gateway Netopia Gateway Status Indicator Lights Home Page Basic Mode DNS Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Open the Web Connection Accessing the Expert Web InterfacePage Home Page Expert Mode Field Status and/or Description Home Page InformationSummary Information Dhcp Link Breadcrumb Trail ToolbarNavigating the Web Interface Button Restart Restart Link Alert Symbol Button Help Help Link Quickstart ConﬁgureButton Conﬁgure Click Connect to the Internet Link LAN Configure Page Wireless supported models Privacy Configure Page Advanced Page About Closed System Mode Page WPA Version Allowed Examples Multiple SSIDs Wireless MAC Authorization Page Configure Use Radius Server Advanced Network Conﬁguration page appears Other WAN Options WAN IP InterfacesIP Gateway Available Multiplexing types Available Encapsulation types Sustained Cell Rate SCR Transmit Priority Comments Class Link Advanced IP Static Route Entry page appears Link IP Static RoutesPage Link Pinholes Link IP Static ARP TCP Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Configure Link IPMaps Ple static 192.168.1.2 IPMaps Block DiagramNetopia Gateway WAN Interface LAN Interface 192.168.1.1 Link Default Server NAT LAN STN #2 Internet Gateway Configure Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link Dhcp Server Link DNS Configure Link Radius Server Link Snmp Page Link Igmp Internet Group Management Protocol Page Configure 100 Link UPnP 101 Link LAN Management 102 Link Advanced Ethernet Bridge 103 Conﬁguring for Bridge Mode 104 Enable Concurrent Bridging/Routing checkbox 105 106 Link Vlan 107 Vlan Port Conﬁguration screen appears Enable Multiple Wireless IDs on108 109 110 111 Link Syslog Parameters 112 System Log Messages Administration Related Log MessagesLog Event Messages 113 DSL Log Messages most common Access-related Log Messages114 Mented packet 115 116 Link Internal ServersLink Software Hosting List of Supported Games and Software 117 FTP 118 119 Rename a UserPC 120 Link Clear Options 121 Link Time Zone 122 SecurityButton Security 123 Link Passwords 124 Use a Netopia Firewall Conﬁguring for a BreakWater SettingLink Firewall 125 126 Basic Firewall Background 127Tips for making your BreakWater Basic Firewall Selection 128 BreakWater Setting ClearSailing SilentRunning LANdLocked 129 130 Link IPSec 131 SafeHarbour IPSec VPN Conﬁguring a SafeHarbour VPN 132 133 IPSec Tunnel Details Parameter Setup Worksheet Parameter Descriptions on page 136 as required 134 Make the Tunnel Details entries 135 Field Description 136Parameter Descriptions PAT Address 137 Soft MBytes 138 139 140 Stateful Inspection Firewall installation procedureLink Stateful Inspection 141 Exposed Addresses 142 143 144 Stateful Inspection Options Port Protocol Description LAN Private WAN Public Interface Open Ports in Default Stateful Inspection Installation145 146 Firewall TutorialGeneral ﬁrewall terms Basic IP packet components 147 Basic protocol types Firewall Logic Example TCP/UDP Ports TCP Port ServiceFirewall design rules 148 Implied rules 149 Example ﬁlter set 150 Example network Filter basics151 What it means Example Example ﬁlters152 153 154 Link Packet Filter 155 What’s a ﬁlter and what’s a ﬁlter set?How ﬁlter sets work Filter priority How individual ﬁlters work156 Parts of a ﬁlter 157ﬁltering rule Port number comparisons 158Port numbers Putting the parts together 159Other ﬁlter attributes Filtering example #1 160 161 Filtering example #2 162 163 An approach to using ﬁltersDesign guidelines 164 Working with IP Filters and Filter SetsAdding a ﬁlter set 165 Adding ﬁlters to a ﬁlter set Netopia Router 166 167 Enter the Source Mask for the source IP address 168 Viewing ﬁlters 169 Deleting ﬁlters Deleting a ﬁlter set170 Modifying ﬁlters 171 Associating a Filter Set with an Interface 172 173 Policy-based Routing using FiltersetsTOS ﬁeld matching 174 175 176 Using the Security Monitoring LogLink Security Log 177 Timestamp Background 178 179 InstallButton Install 180 Link Install Software 181 Required FilesNetopia ﬁrmware Image File 182 Click the Install Software button Verify the Netopia Firmware Release 183 Procedure Install a New Feature Key File Link Install KeysUse Netopia Software Feature Keys Obtaining Software Feature Keys 185 186 To check your installed features 187 188 Link Install Certiﬁcate 189 190 191 Basic Troubleshooting Ethernet Status Indicator Lights192 Action Ethernet 1, 2, 3 193 194 Wireless DSL Sync 195 196 Special patterns 197 LAN 1, 2, 3 198 DSL Sync 199 200 Front View 201 LED Function Summary Matrix Link 202EN Link Unlit Active 203 Factory Reset Switch 2240N 3397GP2247NWG 3347W/3357W 205 Advanced Troubleshooting 206 Home Status of Connection 207 208 Expert ModeButton Troubleshoot 209 Link System Status 210 Link Ports Ethernet 211 Link Ports DSL 212 Link IP Interfaces 213 Link DSL Circuit Conﬁguration 214 Link System Log Entire 215 Link Diagnostics 216 Link Network Tools 217 If Ping is not successful, possible causes are 218 219 220 221 Command Line Interface 222 Overview Keywords Command Verbs Status and/or Description223 224 Starting and Ending a CLI SessionLogging Ending a CLI Session Shell Command Shortcuts Using the CLI Help FacilityAbout Shell Commands Saving Settings Common Commands Shell Commands 227 DiagnoseDownload serveraddress ﬁlename conﬁrm Download -cert serveraddress ﬁlename conﬁrm 228 Install serveraddress ﬁlename conﬁrmLicense key Loglevel level 229 NetstatNetstat -r Reset dhcp server Reset arpReset atm Reset crash Reset wan-users all ip-address Reset ipmapReset log Reset security-log Show dhcp agent Show featuresShow conﬁg Show crash Show ip ﬁrewall Show ip igmpShow ip interfaces Show ip ipsec Show memory all Show wireless allShow wireless clients MACaddress Show log 235 Upload serveraddress ﬁlename conﬁrmView conﬁg Who WAN Commands Navigating the Config Hierarchy About Config CommandsConfig Mode Prompt 238 Netopia-3000/9437188 top quit 239 Entering Commands in Config ModeSet ip ethernet a ipaddress Set ip ethernet a 240 Guidelines Config CommandsDisplaying Current Gateway Settings Step Mode a CLI Conﬁguration Technique 241 Validating Your Conﬁguration DSL Commands Config Commands Set atm vcc n vci 0 Set atm vcc n qos sustained-cell-rate 1 ...nSet atm vcc n qos max-burst-size 1 ...n Set atm vcc n vpi 0 Set bridge concurrent-bridging-routing on off Bridging SettingsSet atm vccn pppoe-sessions 1 Set bridge sys-bridge on off Set bridge dsl vccn option on off Set bridge table-timeout 30Dhcp Settings Set bridge ethernet option on off Set dhcp server-address ipaddress Set dhcp start-address ipaddressSet dhcp end-address ipaddress Set dhcp lease-time lease-time Set dmt autoConﬁg off on DMT SettingsSet dmt wiringMode auto tipring AA1 Set dmt metallic-termination auto disabled alwayson Set dns primary-address ipaddress Domain Name System SettingsSet dns proxy-enable Set dns domain-name domain-name Set igmp query-intvl value Igmp SettingsSet igmp snooping off on Set igmp robustness value Set ip dsl vccn address ipaddress IP SettingsSet ip arp-timeout 60 Set ip option on off Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5 Set ip dsl vccn restriction admin-disabled noneSet ip dsl vccn netmask netmask Set ip dsl vccn addr-mapping on off Set ip ethernet a broadcast broadcastaddress Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5Set ip ethernet a option on off Set ip ethernet a address ipaddress 253 Set ip ethernet a restrictions none admin-disabledSet ip ethernet a netmask netmask Set ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 Set ip ip-ppp vccn option on off Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5Set ip gateway option on off Set ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn restriction admin-disabled noneSet ip ip-ppp vccn address ipaddress Set ip ip-ppp vccn peer-address ipaddress 256 Set ip ip-ppp vccn rip-send off v1 v2 v1-compat v2-MD5Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5 257 Set ip static-arp ip-addressipaddressSet ip igmp-forwarding off on Set ip ipsec-passthrough off on 258 Set ip prioritize off onSet diffserv option off on Set diffserv lohi-ratio 60 100 percent 259 260 Set ip sip-passthrough on offSet ip static-routes destination-networknetaddress 261 Delete ip static-routes destination-network netaddress Network Address Translation NAT Default Settings IPMaps Settings Set pinhole name name protocol-select tcp udp Set nat-default host-hardware-address MACaddressNetwork Address Translation NAT Pinhole Settings Set pinhole name name PPPoE /PPPoA Settings Set ppp module vccn lcp-echo-requests on off Set ppp module vccn mru integerSet ppp module vccn magic-number on off Set ppp module vccn protocol-compression on off Set ppp module vccn connection-type instant-on always-on Set ppp module vccn restart-timer integerSet ppp module vccn conﬁgure-max integer Set ppp module vccn terminate-max integer Command Line Interface Preference Settings Set ppp module vccn port-authentication username usernameSet ppp module vccn port-authentication password password Ethernet Port Settings 268 Set preference more lines 269 Port Renumbering SettingsSet servers web-http 1 Set servers telnet-tcp 1 270 Security SettingsSet security ipsec option off on off Set security ipsec tunnels name 271 Set security ipsec tunnels name 123 tun-enable on on off 272 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 Set security ipsec tunnels name 123 xauth username username Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 nat-enable on off 274 Set security ipsec tunnels name 123 local-id idvalueSet security ipsec tunnels name 123 remote-id idvalue 275 276 Set security state-insp tcp-timeout 30 277 Set security state-insp udp-timeout 30Set security state-insp xposed-addr exposed-address# n 278 Packet Filtering Settings 279 280 281 Snmp Settings 283 System SettingsSet snmp notify type v1-trap v2-trap inform Set system name name Set system persistent-log off on Set system idle-timeout telnet 1...120 http 1Set system username administrator name user name Set system log-size 10240 285 Set system password admin userSleep Contact-email string@domainname location string 286 287 Set system zerotouch option on offSet system zerotouch redirect-url redirection-URL Syslog Set security state-insp eth B option on 289 Wireless Settings supported models 291 Set wireless mode both-b-and-g b-only g-onlySet wireless multi-ssid option on off 292 293 Set wireless no-bridging off onSet wireless tx-power full medium fair low minimal 294 Set wireless network-id privacy pre-shared-key stringSet wireless network-id privacy default-keyid Example 256bit key 295Example 40bit key 02468ACE02 Set radius alt-radius-name servernamestring Set wireless mac-auth option on offSet radius radius-name servernamestring Set radius radius-secret sharedsecret 297 Set radius radius-port portnumberSet vlan name string To make the Vlan vlan1 routable add the port lan-uplink 298 299 Set upnp option on offSet dslf-lanmgmt option off on 300 301 302 Vdsl Settings 303 Vdsl Parameter Defaults Vdsl Parameters Accepted Values 304 Parameter 305 Etsi M2 CAB 306 307 308 309 310 311 Glossary 312 313 314 315 Ethernet crossover cable. See crossover cable 316 317 318 319 320 321 322 323 324 325 326 327 Description Software and protocols 328 International Agency approvals329 North America 330 Manufacturer’s Declaration of Conformance Declaration for Canadian users 331 332 Important Safety InstructionsAustralian Safety Information Telecommunication installation cautions 333 CFR Part 68 Information 334 Electrical Safety Advisory 335 Overview of Major Capabilities 336 Wide Area Network TerminationPPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM Instant-On PPP 337 Simpliﬁed Local Area Network SetupDhcp Dynamic Host Conﬁguration Protocol Server DNS Proxy 338 DiagnosticsManagement Embedded Web Server Network Address Translation NAT Remote Access ControlPassword Protection 339 340 Netopia Gateway Pinholes Netopia Advanced Features for NAT341 Internal Servers Combination NAT Bypass Conﬁguration Default Server342 VPN IPSec Pass Through 343IP-Passthrough SSL Certiﬁcate Support 344VPN IPSec Tunnel Termination Stateful Inspection Firewall 345 Index 346 347 NAT 255, 262 348 NTP 349 350