Manuals / Netopia / Computer Equipment / Network Router

Netopia 2200 manual 157, ﬁltering rule, Parts of a ﬁlter

Models: 2200

1 351

Download 351 pages 59.91 Kb

Page 157

Firewall Tutorial

A ﬁltering rule

The criteria are based on information contained in the packets. A ﬁlter is simply a rule that prescribes certain actions based on certain conditions. For example, the following rule qualiﬁes as a ﬁlter:

“Block all Telnet attempts that originate from the remote host 199.211.211.17.”

This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match occurs, the packet is blocked.

Here is what this rule looks like when implemented as a ﬁlter in Netopia Firmware Version 7.6:

To understand this particular ﬁl- ter, look at the parts of a ﬁlter.

Parts of a ﬁlter

A ﬁlter consists of criteria based on packet attributes. A typical ﬁl- ter can match a packet on any one of the following attributes:

•The source IP address and subnet mask (where the packet was sent from)

•The destination IP address and subnet mask (where the packet is going)

•The TOS bit setting of the packet. Certain types of IP packets, such as voice or mul- timedia packets, are sensi-

tive to delays introduced by the network. A delay-sensitive packet is identiﬁed by a special low-latency setting called the TOS bit. It is important for such packets to be received rapidly or the quality of service degrades.

•The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP

157

Image 157

Netopia 2200 manual 157, ﬁltering rule, Parts of a ﬁlter

Contents

Netopia Software User Guide Copyright Table of Contents Expert Mode Security 146 Basic Troubleshooting Command Line Interface 221 Table of Contents Glossary Overview of Major Capabilities Index What’s New IntroductionIntended Audience About Netopia DocumentationDocumentation Conventions Command Line InterfaceGeneral Internal Web InterfaceBold terminal type User-entered text face Word About Example Screens OrganizationPage Basic Mode Setup Power Supply Installation Important Safety InstructionsAchtung Wichtige SicherheitshinweiseBewahren Sie diese Anweisungen auf Microsoft Windows Setting up the Netopia GatewayThen go to Step Macintosh MacOS 8 or higher or Mac OS Proceed to Conﬁguring the Netopia Gateway on Conﬁguring the Netopia Gateway Click the Connect to the Internet button MiAVo Vdsl and Ethernet WAN models QuickstartPPPoE Quickstart Configuring the Netopia Gateway Netopia Gateway Status Indicator Lights Home Page Basic Mode DNS Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Open the Web Connection Accessing the Expert Web InterfacePage Home Page Expert Mode Summary Information Home Page InformationField Status and/or Description Dhcp Navigating the Web Interface ToolbarLink Breadcrumb Trail Button Restart RestartLink Alert Symbol Button Help HelpButton Conﬁgure ConﬁgureLink Quickstart Click Connect to the Internet Link LAN Configure Page Wireless supported models Privacy Configure Page Advanced Page About Closed System Mode Page WPA Version Allowed ExamplesMultiple SSIDs Wireless MAC Authorization Page Configure Use Radius Server Advanced Network Conﬁguration page appears IP Gateway WAN IP InterfacesOther WAN Options Available Multiplexing types Available Encapsulation typesSustained Cell Rate SCR Transmit Priority Comments ClassLink Advanced IP Static Route Entry page appears Link IP Static RoutesPage Link Pinholes Link IP Static ARPTCP Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Configure Link IPMaps Ple static Netopia Gateway WAN Interface LAN Interface IPMaps Block Diagram192.168.1.1 192.168.1.2Link Default Server NAT LAN STN #2 Internet GatewayConfigure Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link Dhcp Server Link DNSConfigure Link Radius Server Link Snmp Page Link Igmp Internet Group Management Protocol Page Configure 100 Link UPnP101 Link LAN Management102 Link Advanced Ethernet Bridge103 Conﬁguring for Bridge Mode104 Enable Concurrent Bridging/Routing checkbox105 106 Link Vlan107 108 Enable Multiple Wireless IDs onVlan Port Conﬁguration screen appears 109 110 111 Link Syslog Parameters112 Log Event Messages Administration Related Log Messages113 System Log Messages114 Access-related Log MessagesDSL Log Messages most common Mented packet 115Link Software Hosting Link Internal Servers116 List of Supported Games and Software 117FTP 118119 Rename a UserPC120 Link Clear Options121 Link Time ZoneButton Security Security122 123 Link Passwords124 Link Firewall Conﬁguring for a BreakWater Setting125 Use a Netopia Firewall126 Tips for making your BreakWater Basic Firewall Selection 127Basic Firewall Background 128 BreakWater Setting ClearSailing SilentRunning LANdLocked129 130 Link IPSec131 SafeHarbour IPSec VPNConﬁguring a SafeHarbour VPN 132133 IPSec Tunnel Details Parameter Setup WorksheetParameter Descriptions on page 136 as required 134Make the Tunnel Details entries 135Parameter Descriptions 136Field Description PAT Address 137Soft MBytes 138139 Link Stateful Inspection Stateful Inspection Firewall installation procedure140 141 Exposed Addresses142 143 144 Stateful Inspection Options145 Open Ports in Default Stateful Inspection InstallationPort Protocol Description LAN Private WAN Public Interface General ﬁrewall terms Firewall TutorialBasic IP packet components 146147 Basic protocol typesFirewall design rules Example TCP/UDP Ports TCP Port Service148 Firewall LogicImplied rules 149Example ﬁlter set 150151 Filter basicsWhat it means Example network152 Example ﬁltersExample 153 154 Link Packet FilterHow ﬁlter sets work What’s a ﬁlter and what’s a ﬁlter set?155 156 How individual ﬁlters workFilter priority ﬁltering rule 157Parts of a ﬁlter Port numbers 158Port number comparisons Other ﬁlter attributes 159Putting the parts together Filtering example #1 160161 Filtering example #2 162Design guidelines An approach to using ﬁlters163 Adding a ﬁlter set Working with IP Filters and Filter Sets164 165 Adding ﬁlters to a ﬁlter setNetopia Router 166167 Enter the Source Mask for the source IP address 168Viewing ﬁlters 169170 Deleting a ﬁlter setModifying ﬁlters Deleting ﬁlters171 Associating a Filter Set with an Interface172 TOS ﬁeld matching Policy-based Routing using Filtersets173 174 175 Link Security Log Using the Security Monitoring Log176 177 Timestamp Background 178Button Install Install179 180 Link Install SoftwareNetopia ﬁrmware Image File Required Files181 182 Click the Install Software buttonVerify the Netopia Firmware Release 183Use Netopia Software Feature Keys Link Install KeysObtaining Software Feature Keys Procedure Install a New Feature Key File185 186 To check your installed features187 188 Link Install Certiﬁcate189 190 191 Basic Troubleshooting192 Status Indicator LightsAction EthernetEthernet 1, 2, 3 193194 WirelessDSL Sync 195196 Special patterns 197LAN 1, 2, 3 198DSL Sync 199200 Front View201 LED Function Summary MatrixEN Link Unlit 202Active Link203 Factory Reset Switch2247NWG 3397GP3347W/3357W 2240N205 Advanced Troubleshooting206 HomeStatus of Connection 207Button Troubleshoot Expert Mode208 209 Link System Status210 Link Ports Ethernet211 Link Ports DSL212 Link IP Interfaces213 Link DSL Circuit Conﬁguration214 Link System Log Entire215 Link Diagnostics216 Link Network Tools217 If Ping is not successful, possible causes are 218219 220 221 Command Line Interface222 Overview223 Command Verbs Status and/or DescriptionKeywords Logging Starting and Ending a CLI SessionEnding a CLI Session 224About Shell Commands Using the CLI Help FacilitySaving Settings Shell Command ShortcutsCommon Commands Shell CommandsDownload serveraddress ﬁlename conﬁrm DiagnoseDownload -cert serveraddress ﬁlename conﬁrm 227License key Install serveraddress ﬁlename conﬁrmLoglevel level 228Netstat -r Netstat229 Reset atm Reset arpReset crash Reset dhcp serverReset log Reset ipmapReset security-log Reset wan-users all ip-addressShow conﬁg Show featuresShow crash Show dhcp agentShow ip interfaces Show ip igmpShow ip ipsec Show ip ﬁrewallShow wireless clients MACaddress Show wireless allShow log Show memory allView conﬁg Upload serveraddress ﬁlename conﬁrmWho 235WAN Commands Config Mode Prompt About Config CommandsNavigating the Config Hierarchy 238 Netopia-3000/9437188 top quitSet ip ethernet a ipaddress Entering Commands in Config ModeSet ip ethernet a 239Displaying Current Gateway Settings Guidelines Config CommandsStep Mode a CLI Conﬁguration Technique 240241 Validating Your ConﬁgurationDSL Commands Config CommandsSet atm vcc n qos max-burst-size 1 ...n Set atm vcc n qos sustained-cell-rate 1 ...nSet atm vcc n vpi 0 Set atm vcc n vci 0Set atm vccn pppoe-sessions 1 Bridging SettingsSet bridge sys-bridge on off Set bridge concurrent-bridging-routing on offDhcp Settings Set bridge table-timeout 30Set bridge ethernet option on off Set bridge dsl vccn option on offSet dhcp end-address ipaddress Set dhcp start-address ipaddressSet dhcp lease-time lease-time Set dhcp server-address ipaddressSet dmt wiringMode auto tipring AA1 DMT SettingsSet dmt metallic-termination auto disabled alwayson Set dmt autoConﬁg off onSet dns proxy-enable Domain Name System SettingsSet dns domain-name domain-name Set dns primary-address ipaddressSet igmp snooping off on Igmp SettingsSet igmp robustness value Set igmp query-intvl valueSet ip arp-timeout 60 IP SettingsSet ip option on off Set ip dsl vccn address ipaddressSet ip dsl vccn netmask netmask Set ip dsl vccn restriction admin-disabled noneSet ip dsl vccn addr-mapping on off Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5Set ip ethernet a option on off Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5Set ip ethernet a address ipaddress Set ip ethernet a broadcast broadcastaddressSet ip ethernet a netmask netmask Set ip ethernet a restrictions none admin-disabledSet ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 253Set ip gateway option on off Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5Set ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn option on offSet ip ip-ppp vccn address ipaddress Set ip ip-ppp vccn restriction admin-disabled noneSet ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn addr-mapping on offSet ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5 Set ip ip-ppp vccn rip-send off v1 v2 v1-compat v2-MD5256 Set ip igmp-forwarding off on Set ip static-arp ip-addressipaddressSet ip ipsec-passthrough off on 257Set diffserv option off on Set ip prioritize off onSet diffserv lohi-ratio 60 100 percent 258259 Set ip static-routes destination-networknetaddress Set ip sip-passthrough on off260 261 Delete ip static-routes destination-network netaddressNetwork Address Translation NAT Default Settings IPMaps SettingsNetwork Address Translation NAT Pinhole Settings Set nat-default host-hardware-address MACaddressSet pinhole name name Set pinhole name name protocol-select tcp udpPPPoE /PPPoA Settings Set ppp module vccn magic-number on off Set ppp module vccn mru integerSet ppp module vccn protocol-compression on off Set ppp module vccn lcp-echo-requests on offSet ppp module vccn conﬁgure-max integer Set ppp module vccn restart-timer integerSet ppp module vccn terminate-max integer Set ppp module vccn connection-type instant-on always-onSet ppp module vccn port-authentication password password Set ppp module vccn port-authentication username usernameEthernet Port Settings Command Line Interface Preference Settings268 Set preference more linesSet servers web-http 1 Port Renumbering SettingsSet servers telnet-tcp 1 269Set security ipsec option off on off Security SettingsSet security ipsec tunnels name 270271 Set security ipsec tunnels name 123 tun-enable on on off272 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2Set security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth username usernameSet security ipsec tunnels name 123 remote-id idvalue Set security ipsec tunnels name 123 local-id idvalue274 275 276 Set security state-insp tcp-timeout 30Set security state-insp xposed-addr exposed-address# n Set security state-insp udp-timeout 30277 278 Packet Filtering Settings279 280 281 Snmp Settings Set snmp notify type v1-trap v2-trap inform System SettingsSet system name name 283Set system username administrator name user name Set system idle-timeout telnet 1...120 http 1Set system log-size 10240 Set system persistent-log off onSleep Contact-email string@domainname location string Set system password admin user285 286 Set system zerotouch redirect-url redirection-URL Set system zerotouch option on off287 Syslog Set security state-insp eth B option on 289Wireless Settings supported models Set wireless multi-ssid option on off Set wireless mode both-b-and-g b-only g-only291 292 Set wireless tx-power full medium fair low minimal Set wireless no-bridging off on293 Set wireless network-id privacy default-keyid Set wireless network-id privacy pre-shared-key string294 Example 40bit key 02468ACE02 295Example 256bit key Set radius radius-name servernamestring Set wireless mac-auth option on offSet radius radius-secret sharedsecret Set radius alt-radius-name servernamestringSet vlan name string Set radius radius-port portnumber297 To make the Vlan vlan1 routable add the port lan-uplink 298Set dslf-lanmgmt option off on Set upnp option on off299 300 301 302 Vdsl Settings303 Vdsl Parameter DefaultsVdsl Parameters Accepted Values 304Parameter 305Etsi M2 CAB 306307 308 309 310 311 Glossary312 313 314 315 Ethernet crossover cable. See crossover cable 316317 318 319 320 321 322 323 324 325 326 327 DescriptionSoftware and protocols 328329 Agency approvalsNorth America International330 Manufacturer’s Declaration of ConformanceDeclaration for Canadian users 331Australian Safety Information Important Safety InstructionsTelecommunication installation cautions 332333 CFR Part 68 Information334 Electrical Safety Advisory335 Overview of Major CapabilitiesPPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM Wide Area Network TerminationInstant-On PPP 336Dhcp Dynamic Host Conﬁguration Protocol Server Simpliﬁed Local Area Network SetupDNS Proxy 337Management DiagnosticsEmbedded Web Server 338Password Protection Remote Access Control339 Network Address Translation NAT340 Netopia Gateway341 Netopia Advanced Features for NATInternal Servers Pinholes342 Default ServerCombination NAT Bypass Conﬁguration IP-Passthrough 343VPN IPSec Pass Through VPN IPSec Tunnel Termination 344Stateful Inspection Firewall SSL Certiﬁcate Support345 Index346 347 NAT 255, 262348 NTP349 350