Possible modiﬁcations

Security 10-33

Output ﬁlter 1: This ﬁlter forwards all outgoing trafﬁc to make sure that no outgoing connections from the LAN are blocked.

Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN. Basic Firewall’s general strategy is to explicitly forward WAN-originated TCP and UDP trafﬁc to ports greater than 1023. Ports lower than 1024 are the service origination ports for various Internet services such as FTP, Telnet, and the World Wide Web (WWW).

A more complicated ﬁlter set would be required to provide WAN access to a LAN-based server. See the next section, “Possible modiﬁcations,” for ways to allow remote hosts to use services provided by servers on the LAN.

You can modify the sample ﬁlter set Basic Firewall to allow incoming trafﬁc using the examples below. These modiﬁcations are not intended to be combined. Each modiﬁcation is to be the only one used with Basic Firewall.

The results of combining ﬁlter set modiﬁcations can be difﬁcult to predict. It is recommended that you take special care if you are making more than one modiﬁcation to the sample ﬁlter set.

Trusted host. To allow unlimited access by a trusted remote host with the IP address a.b.c.d (corresponding to a numbered IP address such as 163.176.8.243), insert the following input ﬁlter ahead of the current input ﬁlter 1:

■Enabled: Yes

■Forward: Yes

■Source IP Address: a.b.c.d

■Source IP Address Mask: 255.255.255.255

■Dest. IP Address: 0.0.0.0

■Dest. IP Address Mask: 0.0.0.0

■Protocol Type: 0

Trusted subnet. To allow unlimited access by a trusted remote subnet with subnet address a.b.c.d (corresponding to a numbered IP address such as 163.176.8.0) and subnet mask e.f.g.h (corresponding to a numbered IP mask such as 255.255.255.0), insert the following input ﬁlter ahead of the current input ﬁlter 1: