Firewall design rules, Example TCP/UDP Ports | Netopia R5300, R5200

13-32 User’s Reference Guide

Example TCP/UDP Ports

TCP Port	Service

20/21	FTP

23	Telnet

25	SMTP

80	WWW

144	News

UDP Port	Service

161	SNMP

69TFTP

387AURP

Firewall design rules

There are two basic rules to ﬁrewall design:

■“What is not explicitly allowed is denied.”

and

■“What is not explicitly denied is allowed.”

The ﬁrst rule is far more secure and is the best approach to ﬁrewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else. If the other rule is used, you would have to ﬁgure out everything that you want to disallow, now and in the future.

Firewall Logic

Firewall design is a test of logic, and ﬁlter rule ordering is critical. If a packet is forwarded through a series of ﬁlter rules and then the packet matches a rule, the appropriate action is taken. The packet will not forward through the remainder of the ﬁlter rules.

For example, if you had the following ﬁlter set...

Allow WWW access;

Allow FTP access;

Allow SMTP access;

Deny all other packets.

Image 210

Netopia R5300, R5200, R5100 manual Firewall design rules, Example TCP/UDP Ports, Firewall Logic

Contents

Netopia R5000 Series Routers Part Number Contents Setting up your Router with the SmartStart Wizard Part II Advanced Configuration Vi User’s Reference Guide Aurp Viii User’s Reference Guide Part III Appendixes User’s Reference Guide Index Index-1 Limited Warranty and Limitation of Remedies Xii User’s Reference Guide Part I Getting Started User’s Reference Guide Features and capabilities Chapter IntroductionOverview How to use this guide Chapter Setting Up Internet Services Finding an Internet service providerType of Service Data Rate Speed Datalink Protocol Unique requirements Pricing and supportEndorsements Deciding on an ISP account With Network Address Translation Obtaining information from the ISPLocal LAN IP address information to obtain Without Network Address Translation User’s Reference Guide Chapter Making the Physical Connections Find a location What you need R5200 DDS and R5300 T1 Connect the routerR5100 Serial Serial Line port Identify the connectors Attach the cables Netopia R5000 Series Router status lights Netopia R5000 Series Router LED front panel User’s Reference Guide Chapter Connecting to Your Local Area Network Readying computers on your local network User’s Reference Guide Connecting to an Ethernet network Crossover Switch Auxiliary port Port Ethernet hub10Base-T Adding an external modem Connecting to a LocalTalk network User’s Reference Guide Chapter Setting up your Router with the SmartStart Wizard Installed and properly conﬁgured. See Before running SmartStart Setting up your Router with the SmartStart Wizard SmartStart Wizard configuration screens Setup options screen. You can choose either Easy or Easy option Advanced option Conﬁguration screen on Dynamic configuration recommended Conﬁguration tab Static configuration optional Add. Repeat this process for the secondary DNS Configuring TCP/IP on Macintosh computers TCP/IP TCP/IP or MacTCP Dynamic configuration using MacIP optional Close the TCP/IP control panel and save the settings Setting up your Router with the SmartStart Wizard User’s Reference Guide Chapter Console-Based Management Connecting through a Telnet session Filter sets ﬁrewalls. See Security onSnmp Simple Network Management Protocol. See Snmp on Configuring Telnet software Connecting a console cable to your router Navigating through the console screens Mac ANSI, VT-100, or VT-200 Accessing the Easy Setup console screens Chapter Easy SetupEasy Setup console screens Screen differences See Appendix A, Troubleshooting, for more suggestions Screen similar to the following Main Menu appears Serial Line Easy Setup configuration screen Serial Line Easy Setup screen appears T1 Line configuration screen T1 Line Conﬁguration screen appears DDS Line configuration screen DDS Line Conﬁguration screen appears Easy Setup Profile screen Easy Setup Proﬁle screen appears IP Easy Setup Easy Setup Security Configuration Easy Setup User’s Reference Guide Part II Advanced Configuration User’s Reference Guide Chapter WAN and System Configuration WAN configurationConfiguration Line configuration for a Serial line Line configuration for a DDS line Line configuration for a T1 line WAN and System Conﬁguration Configuring Frame Relay Easy Setup Frame Relay screensMain Menu Easy Setup Line Configuration WAN Configuration Frame Relay screens Setup Line Configuration Frame Relay configuration WAN and System Conﬁguration Frame Relay Dlci configuration Displaying a Frame Relay Dlci configuration table Changing a Frame Relay Dlci configuration WAN and System Conﬁguration Adding a Frame Relay Dlci configuration Dlci Deleting a Frame Relay Dlci configuration ADD Profile NOW Cancel Creating a new Connection Proﬁle IPX Profile Parameters Remote IPX Network Datalink Frame Relay Options Auto-Detect DLCIs PAP Dial IP Address IPX Network-+ Default profile Configuration Default Profile IP parameters default profile screen IPX parameters default profile screen Scheduled connections switched async only Configuration Scheduled Connections Viewing scheduled connections Adding a scheduled connection Set Weekly Schedule Set Once-Only Schedule Modifying a scheduled connection Deleting a scheduled connection Connection accounting screens switched async only Budget Setup screen appears Budget Statistics in Hhhhmm System configuration screens Navigating through the system configuration screens System configuration features IP address serving Network protocols setupFilter sets firewalls Date and time Console configuration Security Upgrade feature setSnmp Simple Network Management Protocol Logging Installing the Syslog client User’s Reference Guide Chapter IP Setup and Network Address Translation Network Address Translation features HOW NAT Works Using Network Address Translation Previous Screen V2 multicast Numbered Unnumbered Associating port numbers with nodes Sdsl WAN1 Advanced IP/IPX router configuration options Connection Profiles ATM Funi IPX Profile Parameters Remote IPX Network Network Address Translation guidelines IP setup IP Setup and Network Address Translation Select Add Export. The Add Exported Service screen appears Select Service. a pop-up menu of services and ports appears IP subnets IP Setup and Network Address Translation Static routes Static Routes screen will appear Viewing static routes Adding a static route Rules of static route installation Modifying a static routeDeleting a static route Main System Menu Configuration IP Address Serving 176.163.222.10 Dhcp NetBios Options Serve Bootp Clients IP Address Pools User’s Reference Guide Dhcp NetBIOS Options NetBios Type MacIP KIP forwarding setup Select Release BootP Leases and press Return You have ﬁnished your IP setup IPX definitions Chapter IPX SetupIPX features Internetwork Packet Exchange IPX Socket Service Advertising Protocol SAPIPX address Routing Information Protocol RIP NetBIOS IPX setup screenIPX spoofing Default Gateway Address IPX routing tables User’s Reference Guide Chapter AppleTalk Setup AppleTalk networksAppleTalk protocol AT Routing Table MacIP Routers and seeding Installing AppleTalk Upgrade NOW Configuring AppleTalk EtherTalk setup LocalTalk setup Aurp setup Viewing Aurp partnersAurp Free Trade Zone Adding an Aurp partner Modifying an Aurp partner Configuring Aurp Options Deleting an Aurp partnerReceiving Aurp connections Aurp Options Tickle Interval Hhmmss User’s Reference Guide Chapter Monitoring Tools Quick View status overview General status Current status Status lights Statistics & Logs General Statistics Physical InterfaceNetwork Interface Event histories WAN Event History Routing tables Device Event History IP routing table IPX routing table IPX Sap Bindery table AppleTalk routing table Served IP Addresses IP Address Lease Management screen appears System Information Snmp Snmp Setup screen Community strings Snmp traps Modifying IP trap receivers Setting the IP trap receiversViewing IP trap receivers Deleting IP trap receivers T1 Diagnostics T1 Line Statistics and Diagnostics screenSelect T1 Line Statistics / Diagnostics and press Return T1 Line Statistics / Diagnostics screen appears Monitoring Tools Web-based monitoring Accounting for switched interfaces only Frame Relay Statistics Connection Status Connect/Disconnect Router Budget Configuration Connection Budgets Connection Budget Configuration Budget Statistics Event History pages Device Event History Chapter Security Suggested security measuresUser accounts Protecting the configuration screens Protecting the Security Options screen Dial-in console access About filters and filter sets Enable SmartStart/SmartView/Web serverTelnet access What’s a filter and what’s a filter set? How filter sets work Filter priority User’s Reference Guide Filtering rule How individual filters workFilter’s actions Parts of a filter 161 Aurp AppleTalk 387 Who 513Port number comparisons Internet Control Message Protocol Other filter attributesPutting the parts together Transmission Control Protocol Filtering example #1 Design guidelines Filtering example #2Disadvantages of filters An approach to using filters Working with IP filters and filter sets Adding a filter set Naming a new filter set Input and output filters-source and destination Netopia Router ADD this Filter NOW Cancel User’s Reference Guide Moving filters Viewing filtersModifying filters Viewing filter sets Deleting filters Sample IP filter set Modifying filter sets TCP Icmp UDP Possible modifications User’s Reference Guide Main Menu System Configuration Filter Sets Firewalls IPX filters IPX packet filters Viewing and modifying packet filtersAdding a packet filter Viewing and modifying packet filter sets IPX packet filter setsDeleting a packet filter Adding a packet filter set No Match IPX SAP filters Deleting a packet filter setViewing and modifying SAP filters Adding a SAP filter Deleting a SAP filter IPX SAP filter sets Viewing and modifying SAP filter setsAdding a SAP filter set Deleting a SAP filter set Basic protocol types Firewall tutorial General firewall termsBasic IP packet components ACK Bit Yes Firewall design rules Example TCP/UDP PortsFirewall Logic Binary representation Logical and function Implied rules Established connectionsExample IP filter set screen Filter basics Example network Example filters Example Example Example Chapter Utilities and Diagnostics Ping Utilities and Diagnostics Time Stop Ping Trace Route Telnet client Factory defaults Disconnect Telnet console session Transferring configuration and firmware files with Tftp Updating firmware Downloading configuration files Uploading configuration files Transferring configuration and firmware files with Xmodem Idle Do you want to send a saved configuration to your Netopia? Restarting the system User’s Reference Guide Part III Appendixes User’s Reference Guide Appendix a Troubleshooting Configuration problems Console connection problems Network problems How to reset the router to factory defaults Power outages Before contacting Netopia How to reach usTechnical support Environment profile Product information can be found in the following Netopia Bulletin Board Service 1Online product information FAX-Back User’s Reference Guide What is IP? Appendix B Understanding IP AddressingAbout IP addressing Subnets and subnet masks Example Using subnets on a Class C IP internet Subnet masks Network configuration Customer Site a ISP Network Example Working with a Class C subnet Distributing IP addressesBackground Technical note on subnet masking 255.255.255.192 ConfigurationNetopia R5000 Series Router Dhcp server characteristics 255.255.255.0 Using address serving Manually distributing IP addressesMacIP serving Tips and rules for distributing IP addresses Serve dynamic WAN clients Dhcp example Nested IP subnets Internet 0.0 C.1 WAN 3719 Broadcasts Packet header types User’s Reference Guide Network configuration Appendix C Understanding Netopia NAT BehaviorBackground User’s Reference Guide Understanding Netopia NAT Behavior C-3 Netopia Router WWW Server ISP Router LAN Exported services Understanding Netopia NAT Behavior C-5 Important notes Understanding Netopia NAT Behavior C-7 Summary Appendix D Binary Conversion Table Decimal Binary Appendix E Further Reading User’s Reference Guide Further Reading E-3 No August User’s Reference Guide HD-15 DB-25 Pin Ground Not used Appendix F Technical Specifications and Safety InformationPinouts for Auxiliary port modem cable Pin Not used DCE Ready Pin Not used Tset EIA-530 HD-15 DB-25 PinPin Rset EIA-530 Pin Not used Environment Power requirementsDescription Software and protocols North America R5100, R5200, R5300 Agency approvalsRegulatory notices FCC Class B Technical Speciﬁcations and Safety Information F-5 Important safety instructions Australian Safety Information R5100Declaration for Canadian users Telecommunication installation cautions Battery User’s Reference Guide Glossary User’s Reference Guide Glossary User’s Reference Guide Glossary Remapping See network number remapping Glossary User’s Reference Guide Index Numerics Display Deﬁned Index-3 Account types LocalTalk conﬁguration Index-4 Index-5 Index-6 Limited Warranty and Limitation of Remedies User’s Reference Guide