Manuals / Brands / Computer Equipment / Network Card / ZyXEL Communications / Computer Equipment / Network Card

ZyXEL Communications 2602H Series Execute, 34.1.1 The Filter Structure of the Prestige

1 550

Download 550 pages, 12.65 Mb

Prestige 2602H/HW Series User’s Guide

Figure 201 Filter Rule Process

Filter Set

Start

Packet intoFilter

Fetch First Filter Set

Fetch Next

Fetch First

Filter Set

Filter Rule

Fetch Next

Filter Rule

Yes

Yes

Next Filter Set

Next filter

No

Rule

No

Active?

Available?

Available?

Yes

		Execute
		Filter Rule
No		Filter Rule
No

Check

Next

Rule

Forward

Drop

Drop Packet

Accept Packet

You can apply up to four filter sets to a particular port to block various types of packets. Because each filter set can have up to six rules, you can have a maximum of 24 rules active for a single port.

For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets.

34.1.1 The Filter Structure of the Prestige

A filter set consists of one or more filter rules. Usually, you would group related rules, for example, all the rules for NetBIOS, into a single set and give it a descriptive name. You can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.

356	Chapter 34 Filter Configuration

Contents

Page Page Disclaimer Trademarks Notice Certifications Page Page Note Page Page Page Copyright Federal Communications Commission (FCC) Interference Statement Safety Warnings Table of Contents List of Figures Wizard Setup Page Introduction to VoIP Phone Usage Firewall Configuration Content Filtering Introduction to IPSec Page Remote Management Configuration Universal Plug-and-Play(UPnP) Maintenance Introducing the SMT Menu 1 General Setup Menu 2 WAN Backup Setup Menu 3 LAN Setup Wireless LAN Setup Internet Access Remote Node Configuration Static Route Setup Bridging Setup Enabling the Firewall SNMP Configuration System Security System Information and Diagnosis Firmware and Configuration File Maintenance Remote Management Call Scheduling VPN/IPSec Setup SA Monitor Troubleshooting Appendix A Appendix C IP Subnetting Appendix D Appendix E Wireless LANs Appendix F Triangle Route Appendix G Internal SPTGEN Appendix H Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page About This User's Guide Related Documentation User Guide Feedback Syntax Conventions Graphics Icons Key Introduction to ADSL 1.1Introducing the Prestige Built-inSwitch High Speed Internet Access PSTN Lifeline (“L” Models Only) Zero Configuration Internet Access Any IP Auto-provisioning Auto Firmware Upgrade Firewall Content Filtering REN Dynamic Jitter Buffer Multiple SIP Accounts Multiple Voice Channels SIP ALG Traffic Redirect Universal Plug and Play (UPnP) PPPoE Support (RFC2516) Dynamic DNS Support IP Policy Routing (IPPR) Other PPPoE Features Packet Filters Ease of Installation Housing 1.2 Applications for the Prestige 1.2.1.1 Internet Single User Account 1.2.4 Firewall for Secure Broadband Internet Access 1.2.5 LAN to LAN Application 1.2.6 Front Panel LEDs Page Page 2.1 Web Configurator Overview 2.1.2.1 Using The Reset Button 2.1.3 Navigating the Prestige Web Configurator Site Map Logout Page Page Page 3.1 Wizard Setup Introduction 3.1.2 Wizard Setup: Second Screen Page Page Page 3.1.3 Wizard Setup: Third Screen Page 3.1.4 Internet Access Wizard Setup: Fourth Screen Change LAN Configurations Save Settings Change LAN Configuration 3.1.5 Wizard Setup: Connection Test Start Diagnose Return to Main Menu Site Map 3.1.5.1 Test Your Internet Connection 3.2 Media Bandwidth Management Wizard 3.2.1 Predefined Media Bandwidth Management Services 3.2.2 Media Bandwidth Management Setup: First Screen Media Bandwidth Magnt 3.2.3 Media Bandwidth Mgnt. Wizard Setup: Second Screen 3.2.4 Media Bandwidth Mgnt. Wizard Setup: Finish Return to Main Menu 3.3 Password Setup Page 4.1 LAN Overview 4.1.1LANs, WANs and the Prestige 4.1.2.1 IP Pool Setup 4.2 DNS Server Address 4.3 DNS Server Address Assignment 4.4LAN TCP/IP 4.5 LAN TCP/IP 4.5.1.1 Private IP Addresses 4.6 Any IP 4.6.1 How Any IP Works 4.7 Configuring LAN Table 17 LAN Setup 4.8 Configuring Static DHCP Page 5.1 Introduction 5.2 Wireless Security Overview 5.2.3Restricted Access MAC Filter Allow Association Deny Association 5.2.4 Hide Prestige Identity 5.3 Configuring the Wireless Screen Page 5.4 Configuring MAC Filters Page 5.5 Introduction to WPA 5.5.2 WPA with RADIUS Application Example 5.6 Configuring IEEE 802.1x and WPA 5.6.1 Authentication Required: Page 5.6.2 Authentication Required: WPA WPA Page 5.6.3 Authentication Required: WPA-PSK WPA-PSK 5.7 Configuring Local User Authentication 5.8 Configuring RADIUS Page Page 6.1 WAN Overview 6.1.1.1 ENET ENCAP 6.1.1.2 PPP over Ethernet 6.1.1.3PPPoA 6.1.1.4 RFC 6.1.2.1 VC-basedMultiplexing 6.1.2.2 LLC-basedMultiplexing 6.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation 6.1.4.2 IP Assignment with RFC 1483 Encapsulation 6.2 Metric 6.3 PPPoE Encapsulation 6.4 Traffic Shaping 6.5 Zero Configuration Internet Access 6.6Configuring WAN Setup Page Page 6.7 Traffic Redirect 6.8 Configuring WAN Backup Figure 44 WAN Backup Page Page 7.1 NAT Overview 7.1.2 What NAT Does 7.1.3 How NAT Works 7.1.4 NAT Application 7.1.5 NAT Mapping Types 7.2 SUA (Single User Account) Versus NAT 7.3SUA Server 7.4 Selecting the NAT Mode 7.5 Configuring SUA Server Page 7.6 Configuring Address Mapping 7.7 Editing an Address Mapping Rule Page Page 8.1 Introduction to VoIP 8.2 SIP 8.2.1.1 SIP Number 8.2.1.2 SIP Service Domain 8.2.3.1 SIP User Agent 8.2.3.2 SIP Proxy Server 8.2.3.3 SIP Redirect Server 8.2.3.4 SIP Register Server 8.3 SIP ALG 8.4 Pulse Code Modulation 8.5 Voice Coding 8.6 PSTN Call Setup Signaling 8.7 MWI (Message Waiting Indication) 9.1 Voice Screens Introduction 9.2 SIP Settings Configuration 9.3 Advanced Voice Settings Configuration Page Page 9.4 Quality of Service (QoS) 9.4.2.1 DSCP and Per-HopBehavior 9.5 QoS Configuration 9.6 Phone 9.7 Phone Configuration Figure 59 Phone Table 40 Phone 9.8 Speed Dial 9.9 Speed Dial Configuration Figure 60 Speed Dial 9.10 Lifeline (Prestige 2602HL/HWL) 9.11 Lifeline Configuration (Prestige 2602HL/HWL) 9.12 Supplementary Phone Services Overview 9.12.2Europe Type Supplementary Phone Services 9.12.2.1 European Call Hold 9.12.2.2 European Call Waiting 9.12.2.3European Call Transfer 9.12.2.4European Three-WayConference 9.12.3USA Type Supplementary Services 9.12.3.1 USA Call Hold 9.12.3.2 USA Call Waiting 9.12.3.3 USA Call Transfer 9.12.3.4USA Three-WayConference 9.13Common Phone Port Configuration 9.14 Call Forward Configuration Page Page Page 10.1 Dialing a Telephone Number 10.2 Using Speed Dial to Dial a Telephone Number 10.3 Internal Calls 10.4 Checking the Prestige’s IP Address 10.5 Auto Firmware Upgrade 11.1 Dynamic DNS 11.2 Configuring Dynamic DNS Page 12.1 Pre-definedNTP Time Servers List 12.2 Configuring Time and Date Page Page Page 13.1 Firewall Overview 13.2 Types of Firewalls 13.3 Introduction to ZyXEL’s Firewall 13.4 Denial of Service 13.4.2 Types of DoS Attacks Ping of Death Teardrop SYN Flood LAND SYN Attack LAND Attack brute-force 13.4.2.1 ICMP Vulnerability 13.4.2.2 Illegal Commands (NetBIOS and SMTP) 13.4.2.3 Traceroute 13.5 Stateful Inspection 13.5.1 Stateful Inspection Process Default Policy 13.5.2Stateful Inspection and the Prestige 13.5.3 TCP Security 13.6Guidelines for Enhancing Security with Your Firewall 13.6.1Security In General 13.7Packet Filtering Vs Firewall 13.7.1.1When To Use Filtering 13.7.2.1When To Use The Firewall Page Page 14.1 Access Methods 14.2 Firewall Policies Overview 14.3 Rule Logic Overview 14.3.3.1 Action 14.3.3.2 Service 14.3.3.3 Source Address 14.3.3.4 Destination Address 14.4 Connection Direction Example 14.4.1 LAN to WAN Rules 14.4.2 WAN to LAN Rules 14.5 Configuring Basic Firewall Settings 14.6 Rule Summary Page 14.6.1 Configuring Firewall Rules Insert Page Page 14.7 Customized Services 14.8 Creating/Editing A Customized Service 14.9 Example Firewall Rule Any Destination Address Delete Add Remove Available Services Selected Services Rule Summary 14.10 Predefined Services Page 14.11 Anti-Probing 14.12 DoS Thresholds 14.12.2.1 TCP Maximum Incomplete and Blocking Time TCP Maximum Incomplete Threshold Page 15.1 Content Filtering Overview 15.2 Configuring Keyword Blocking 15.3 Configuring the Schedule 15.4 Configuring Trusted Computers Page 16.1 VPN Overview 16.1.3.1 Encryption 16.1.3.2 Data Confidentiality 16.1.3.3 Data Integrity 16.1.3.4 Data Origin Authentication 16.2 IPSec Architecture 16.3 Encapsulation 16.4IPSec and NAT Page Page 17.1 VPN/IPSec Overview 17.2 IPSec Algorithms 17.3 My IP Address 17.4Secure Gateway Address 17.5 VPN Summary Screen Setup VPN Summary 17.6 Keep Alive 17.7 Remote DNS Server 17.8 NAT Traversal 17.9 ID Type and Content 17.9.1 ID Type and Content Examples 17.10 Pre-SharedKey 17.11 Editing VPN Policies Figure 95 VPN IKE Table 72 VPN IKE Page Page 17.12 IKE Phases Page 17.13 Configuring Advanced IKE Settings Page Page 17.14 Manual Key Setup 17.15 Configuring Manual Key Page Page 17.16 Viewing SA Monitor Page 17.17 Configuring Global Setting 17.18 Telecommuter VPN/IPSec Examples 17.18.2 Telecommuters Using Unique VPN Rules Example Page 17.19 VPN and Remote Management 18.1 Remote Management Overview 18.2 Telnet 18.3 FTP 18.4 Web 18.5 Configuring Remote Management Page 19.1 Introducing Universal Plug and Play 19.2 UPnP and ZyXEL 19.3 Installing UPnP in Windows Example Communications Universal Plug and Play Add/Remove Programs Properties Installing UPnP in Windows XP 1Click Start and Control Panel 2Double-click Network Connections Network Connections Optional Networking Components … Page 19.4Using UPnP in Windows XP Example Page Page Page Web Configurator Easy Access 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke Page Page 20.1 Logs Overview 20.2 Configuring Log Settings Page Page 20.3 Displaying the Logs 20.4 SMTP Error Messages 20.4.1 Example E-mailLog Page 21.1 Bandwidth Management Advanced Setup Overview 21.2 Bandwidth Classes and Filters 21.3 Proportional Bandwidth Allocation 21.4 Bandwidth Management Usage Examples 21.4.3Application and Subnet-basedBandwidth Management Example 21.5 Scheduler 21.6 Maximize Bandwidth Usage 21.6.2 Maximize Bandwidth Usage Example 21.7 Bandwidth Borrowing 21.8Configuring Summary Page 21.9 Configuring Class Setup 21.9.1 Media Bandwidth Management Class Configuration Media Bandwidth Management - Summary Child-Class Page 21.9.2 Media Bandwidth Management Statistics 21.10 Bandwidth Monitor Page 22.1 Maintenance Overview 22.2 System Status Screen Page Page 22.2.1 System Statistics Show Statistics Poll Interval(s) 22.3 DHCP Table Screen 22.4 Any IP Table Screen 22.5 Wireless Screen 22.6 Diagnostic Screens Page 22.7 Firmware Screen Page Page 23.1 Introduction to the SMT 23.2 Navigating the SMT Interface 23.2.1 System Management Terminal Interface Summary 23.2.2 SMT Menus Overview 23.3 Changing the System Password New Password Retype to confirm 24.1 General Setup 24.2 Procedure To Configure Menu 24.2.1 Procedure to Configure Dynamic DNS Edit Dynamic DNS Menu 1.1— Configure Dynamic DNS Page Page 25.1 Introduction to WAN Backup Setup 25.2 Configuring WAN Backup in Menu 25.2.1 Traffic Redirect Setup Menu 2.1 — Traffic Redirect Setup Page Page 26.1 LAN Setup 26.3TCP/IP Ethernet Setup and DHCP Page Page 27.1 Wireless LAN Overview 27.2 Wireless LAN Setup 27.2.1 Wireless LAN MAC Address Filter Page Page 28.1 Internet Access Overview 28.2 IP Policies 28.3IP Alias 28.4 IP Alias Setup 28.5 Route IP Setup 28.6 Internet Access Configuration Page Page 29.1 Remote Node Setup Overview 29.2.1Remote Node Profile 29.2.2.1 Scenario 1: One VC, Multiple Protocols 29.2.2.2 Scenario 2: One VC, One Protocol (IP) 29.2.2.3 Scenario 3: Multiple VCs Menu 11.1 – Remote Node Profile 29.2.3 Outgoing Authentication Protocol 29.3 Remote Node Network Layer Options 29.3.1 My WAN Addr Sample IP Addresses My WAN Addr Rem IP Addr 29.4 Remote Node Filter 29.5 Editing ATM Layer Options 29.5.2 LLC-basedMultiplexing or PPP Encapsulation 29.5.3 Advance Setup Options PPPoE Edit Advance Options Menu 11.8 – Advance Setup Options 30.1 IP Static Route Overview 30.2 Configuration Menu 12.1.1 – Edit IP Static Route Setup Page Page 31.1 Bridging in General 31.2.1Remote Node Bridging Setup Edit IP/Bridge Yes and press [ENTER] to edit Menu 11.3 – Remote Node Network Layer Options 31.2.2 Bridge Static Route Setup Edit Bridge Static Route Page 32.1 Using NAT 32.2Applying NAT Menu 11.3 - Remote Node Network Layer Options 32.3 NAT Setup 32.3.1Address Mapping Sets 32.3.1.1SUA Address Mapping Set 32.3.1.2 User-DefinedAddress Mapping Sets 32.3.1.3 Ordering Your Rules Action Menu 15.1.1.1 - Address Mapping Rule Local Global Start/End IPs 32.4 Configuring a Server Behind NAT 32.5 General NAT Examples 32.5.1 Example 1: Internet Access Only Network Address Translation Many-to-One 32.5.2 Example 2: Internet Access with an Inside Server 32.5.3 Example 3: Multiple Public IP Addresses With Inside Servers 1 : Many : Menu 15.1 - Address Mapping Sets Full Feature Network Address Translation Edit Action Start IP Page 2Enter 2 in Menu 15 - NAT Setup 32.5.4 Example 4: NAT Unfriendly Application Programs No Overload One-to-One Page Page 33.1 Remote Management and the Firewall 33.2Access Methods Page 34.1 About Filtering Execute 34.1.1 The Filter Structure of the Prestige 34.2 Configuring a Filter Set for the Prestige 34.3 Filter Rules Summary Menus 34.4 Configuring a Filter Rule 34.4.1 TCP/IP Filter Rule Menu 21.1.x.x – TCP/IP Filter Rule Page 34.4.2 Generic Filter Rule Offset Length Mask Value Generic Filter Rule Menu 21.1.5.1 – Generic Filter Rule Generic Filter Rule 34.5 Filter Types and NAT 34.6 Example Filter 1Enter 1 in the menu 21 to display Menu 21.1 — Filter Set Configuration Menu 21.1.6 — Filter Rules Summary 34.7 Applying Filters and Factory Defaults 34.7.1 Ethernet Traffic protocol filters Input Filter Sets 34.7.2 Remote Node Filters Call Filter Sets Page 35.1 About SNMP 35.2Supported MIBs 35.3 SNMP Configuration 35.4 SNMP Traps Page 36.1 System Security Page 36.1.3 IEEE802.1x Menu23 – System Security 2Enter 4 to display Menu 23.4 – System Security – IEEE802.1x Page 36.2 Creating User Accounts on the Prestige Page 37.1 Overview 37.2 System Status Menu 24.1 — System Maintenance — Status 37.3 System Information 37.3.2 Console Port Speed Menu 24.2.2 – System Maintenance – Console Port Speed 37.4 Log and Trace 37.4.2 Syslog and Accounting Menu 24.3.2 — System Maintenance — UNIX Syslog Page 37.5 Diagnostic Page Page 38.1 Filename Conventions 38.2 Backup Configuration 38.2.2 Using the FTP Command from the Command Line 38.2.3Example of FTP Commands from the Command Line 38.2.4 GUI-basedFTP Clients 38.2.5 TFTP and FTP over WAN Management Limitations 38.2.6 Backup Configuration Using TFTP 38.2.7 TFTP Command Example 38.2.8 GUI-basedTFTP Clients 38.3 Restore Configuration 38.3.2Restore Using FTP Session Example 38.4 Uploading Firmware and Configuration Files 38.4.3 FTP File Upload Command from the DOS Prompt Example 38.4.4 FTP Session Example of Firmware File Upload 38.4.5 TFTP File Upload 38.4.6 TFTP Upload Command Example Page 39.1 Command Interpreter Mode 39.2 Call Control Support 39.3 Time and Date Setting 39.3.1Resetting the Time Page Page 40.1 Remote Management Overview 40.2 Remote Management 40.2.2 Remote Management Limitations 40.3 Remote Management and NAT 40.4System Timeout Page 41.1 IP Policy Routing Overview 41.2 Benefits of IP Policy Routing 41.3 Routing Policy 41.4 IP Routing Policy Setup Menu 25.1.1 – IP Routing Policy Page 41.5 Applying an IP Policy 41.6 IP Policy Routing Example Menu 25.1.1 — IP Routing Policy Menu 25.1 — IP Routing Policy Setup Page 42.1 Introduction Menu 26.1 — Schedule Set Setup Duration Main Menu PPPoA Page 43.1 VPN/IPSec Overview 43.2 IPSec Summary Screen Page 43.3 IPSec Setup Page Page Page 43.4 IKE Setup Page 43.5 Manual Setup Page Page 44.1 SA Monitor Overview 44.2 Using SA Monitor Page Page Page 45.1 Problems Starting Up the Prestige 45.2 Problems with the LAN 45.3 Problems with the WAN 45.4 Problems Accessing the Prestige 45.4.1.1 Internet Explorer Pop-upBlockers 2Select Settings…to open the Pop-upBlocker Settings screen Allowed sites 45.4.1.2JavaScripts Custom Level Scripting Active scripting Scripting of Java applets 45.4.1.3 Java Permissions 2make sure that Use Java 2 for <applet> under Java (Sun) is selected 45.5 Telephone Problems Page Specification Tables Page Page Ethernet Cable Pin Assignments Prestige 2602HL/HWL DSL Port Pin Assignments Prestige 2602H/HW Series Power Adaptor Specifications Page Windows 95/98/Me Installing Components Adapter Protocol Microsoft manufacturers Configuring Obtain an IP address automatically Specify an IP address Subnet Mask Disable DNS Windows 2000/NT/XP Network and Dial-up Connections 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) Use the following IP Address Subnet mask Default gateway IP Settin IP Settings Use the following DNS server addresses Preferred DNS server Alternate DNS server 8Click OK to close the Internet Protocol (TCP/IP) Properties window 9Click OK to close the Local Area Connection Properties window Macintosh OS 8/9 Macintosh OS Automatic Location •Select Built-inEthernet from the Show list Using DHCP Apply Now IP Addressing IP Classes Subnet Masks Subnetting Example: Two Subnets Page Example: Four Subnets Example Eight Subnets Subnetting With Class A and Class B Networks Page PPPoE in Action Benefits of PPPoE Traditional Dial-upScenario How PPPoE Works Prestige as a PPPoE Client Wireless LAN Topologies ESS Channel RTS/CTS Fragmentation Threshold Preamble Type IEEE 802.11g Wireless LAN IEEE RADIUS Types of Authentication EAP-TLS(Transport Layer Security) EAP-TTLS(Tunneled Transport Layer Service) PEAP (Protected EAP) LEAP Dynamic WEP Key Exchange WPA Security Parameters Summary The Ideal Setup The “Triangle Route” Problem The “Triangle Route” Solutions IP Aliasing Gateways on the WAN Side Page Internal SPTGEN Overview The Configuration Text File Format Internal SPTGEN FTP Download Example Internal SPTGEN FTP Upload Example Example Internal SPTGEN Screens Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Command Examples Page Page Command Syntax Command Usage Page Sys Firewall Commands Page Firmware and Configuration File Maintenance Page Page Page Table 195 ICMP Logs Table 196 CDR Logs Table 197 PPP Logs Table 198 UPnP Logs Page Page Table 205 SIP Logs Table 206 RTP Logs Log Commands Displaying Logs Log Command Example Numerics