Manuals / Brands / Computer Equipment / Network Router / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 2602HW Series 33.4.2 Generic Filter Rule, Mask, Value, Offset, Length

1 519

Download 519 pages, 11.9 Mb

Prestige 2602HW Series User’s Guide

Figure 192 Executing an IP Filter

Packet into IP Filter

Filter Active?

No

Yes

Apply SrcAddrMask

to Src Addr

Check Src
Check Src		Not Matched
IP Addr		Not Matched
IP Addr

Matched

Apply DestAddrMask

to Dest Addr

Check Dest	Not Matched
IP Addr	Not Matched
IP Addr
Matched
Check	Not Matched
IP Protocol	Not Matched
IP Protocol
Matched
Check Src &	Not Matched
Dest Port	Not Matched
Dest Port
Matched
More?	Yes
No		Action Not Matched
Action Matched	Check Next Rule
	Check Next Rule	Drop	Forward
Drop	Forward
Drop Packet	Check Next Rule		Accept Packet

33.4.2 Generic Filter Rule

This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.

For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The Prestige applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value fields are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either field will take 8 digits, for example, FFFFFFFF.

338	Chapter 33 Filter Configuration

Contents

User’s Guide Page Disclaimer Trademarks Notice Certifications Page Note Page Page Page Wizard Setup Password Setup Wireless LAN Setup Introduction to VoIP Page Firewall Configuration Content Filtering Introduction to IPSec Remote Management Configuration Universal Plug-and-Play(UPnP) Maintenance Introducing the SMT Page Static Route Setup Bridging Setup Enabling the Firewall SNMP Configuration System Security System Information and Diagnosis Firmware and Configuration File Maintenance Remote Management Call Scheduling VPN/IPSec Setup SA Monitor Troubleshooting Appendix A Hardware Specifications Appendix B Appendix C IP Subnetting Appendix E Wireless LAN and IEEE 802.11 Appendix F Wireless LAN With IEEE 802.1x Appendix G Appendix K Firewall Commands Appendix L Boot Commands Appendix M Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page About This User's Guide Related Documentation User Guide Feedback Syntax Conventions Graphics Icons Key Introduction to ADSL 1.1Introducing the Prestige 1.2 Prestige 2602HW-Lwith Lifeline 1.3 Features of the Prestige PSTN Lifeline REN Dynamic Jitter Buffer Multiple SIP Accounts Multiple Voice Channels Voice Coding Voice Activity Detection/Silence Suppression Comfort Noise Generation High Speed Internet Access Zero Configuration Internet Access Any IP Firewall IPSec VPN Capability IEEE 802.11g Wireless LAN External Antenna Wireless LAN MAC Address Filtering WEP Encryption Wi-FiProtected Access Traffic Redirect Universal Plug and Play (UPnP) PPPoE Support (RFC2516) Network Address Translation (NAT) 10/100M Auto-negotiatingEthernet/Fast Ethernet Interface(s) ADSL Standards Protocol Support IP Alias IP Policy Routing (IPPR) Networking Compatibility Multiplexing Encapsulation Network Management 1.4 Applications for the Prestige Internet Single User Account 1.4.2 Making Calls via Internet Telephony Service Provider 1.4.3 Firewall for Secure Broadband Internet Access 1.4.4 LAN to LAN Application 1.5 Prestige Hardware Installation and Connection 2.1 Web Configurator Overview 2.1.2.1 Using The Reset Button Logout Page Page Page 3.1 Wizard Setup Introduction 3.1.1.1 ENET ENCAP 3.1.1.2 PPP over Ethernet 3.1.1.3PPPoA 3.1.1.4 RFC 3.1.2.1 VC-basedMultiplexing 3.1.2.2 LLC-basedMultiplexing 3.2 IP Address and Subnet Mask 3.2.1.1 IP Assignment with PPPoA or PPPoE Encapsulation 3.2.1.2 IP Assignment with RFC 1483 Encapsulation 3.2.1.3 IP Assignment with ENET ENCAP Encapsulation 3.2.1.4 Private IP Addresses Page Page Page 3.2.5.1 SIP Number 3.2.5.2 SIP Service Domain Page 3.2.7.1 IP Pool Setup Change LAN Configuration 3.2.9 Internet Access Wizard Setup: Connection Test Start Diagnose Return to Main Menu Site Map 3.2.9.1 Test Your Internet Connection 4.1 Password Overview Page 5.1 LAN Overview 5.1.1LANs, WANs and the Prestige 5.2 DNS Server Address 5.3 DNS Server Address Assignment 5.4 LAN TCP/IP 5.5 Any IP 5.5.1 How Any IP Works 5.6 Configuring LAN 5.7 Configuring Static DHCP Page 6.1 Wireless LAN Introduction 6.1.4 RTS/CTS RTS/CTS RTS/CTS Fragmentation Threshold 6.2 Levels of Security 6.3 Data Encryption with WEP 6.4 Configuring Wireless LAN Page 6.5 Configuring MAC Filter Page 6.6 Network Authentication 6.6.1.1 RADIUS 6.6.1.2 Types of RADIUS Messages 6.6.2 EAP Authentication Overview 6.7Introduction to WPA 6.8 WPA-PSKApplication Example 6.9 WPA with RADIUS Application Example 6.10 Security Parameters Summary 6.11 Wireless Client WPA Supplicants 6.12 Configuring 802.1x and WPA 6.12.1 Authentication Required: Page 6.12.2 Authentication Required: WPA WPA 6.12.3 Authentication Required: WPA-PSK WPA-PSK Page 6.13 Configuring Local User Authentication 6.14 Configuring RADIUS Table 22 RADIUS Page 7.1 WAN Overview 7.2 Metric 7.3 PPPoE Encapsulation 7.4 Traffic Shaping 7.5 Zero Configuration Internet Access 7.6Configuring WAN Setup Page Page 7.7 Traffic Redirect 7.8 Configuring WAN Backup Figure 39 WAN Backup Page Page 8.1 NAT Overview 8.1.2 What NAT Does 8.1.3 How NAT Works 8.1.4 NAT Application 8.1.5 NAT Mapping Types 8.2 SUA (Single User Account) Versus NAT 8.3SUA Server 8.4 Selecting the NAT Mode 8.5 Configuring SUA Server Page 8.6 Configuring Address Mapping 8.7 Editing an Address Mapping Rule Page Page 9.1 Introduction to VoIP 9.2 SIP 9.2.1.1 SIP Number 9.2.1.2 SIP Service Domain 9.2.3.1 SIP User Agent Server 9.2.3.2 SIP Proxy Server 9.2.3.3 SIP Redirect Server 9.2.3.4 SIP Register Server 9.3 SIP ALG 9.4 Pulse Code Modulation 9.5 Voice Coding 9.6 PSTN Call Setup Signaling 10.1 Voice Screens Introduction 10.2 SIP Settings Configuration 10.3 Advanced Voice Settings Configuration Page 10.4 Quality of Service (QoS) 10.4.2.1 DSCP and Per-HopBehavior 10.5 QoS Configuration 10.6 Phone 10.7 Phone Configuration 10.8 Speed Dial 10.9 Speed Dial Configuration 10.10 Lifeline (Prestige 2602HW-L) 10.11 Lifeline Configuration (Prestige 2602HW-L) 10.12 Common Phone Port Configuration Page 11.1 Dynamic DNS 11.2 Configuring Dynamic DNS Page 12.1 Pre-definedNTP Time Servers List 12.2 Configuring Time and Date Page Page Page 13.1 Firewall Overview 13.2 Types of Firewalls 13.3 Introduction to ZyXEL’s Firewall 13.4 Denial of Service 13.4.2 Types of DoS Attacks Ping of Death Teardrop SYN Flood LAND SYN Attack LAND Attack brute-force 13.4.2.1 ICMP Vulnerability 13.4.2.2 Illegal Commands (NetBIOS and SMTP) 13.4.2.3 Traceroute 13.5 Stateful Inspection 13.5.1 Stateful Inspection Process Default Policy 13.5.2Stateful Inspection and the Prestige 13.5.3 TCP Security 13.6Guidelines for Enhancing Security with Your Firewall 13.6.1Security In General 13.7Packet Filtering Vs Firewall 13.7.1.1When To Use Filtering 13.7.2.1When To Use The Firewall Page Page 14.1 Access Methods 14.2 Firewall Policies Overview 14.3 Rule Logic Overview 14.3.3.1 Action 14.3.3.2 Service 14.3.3.3 Source Address 14.3.3.4 Destination Address 14.4 Connection Direction Example 14.4.1 LAN to WAN Rules 14.4.2 WAN to LAN Rules 14.5 Configuring Basic Firewall Settings 14.6 Rule Summary Page 14.6.1 Configuring Firewall Rules Insert Page Page 14.7 Customized Services 14.8 Creating/Editing A Customized Service 14.9 Example Firewall Rule Any Destination Address Delete Customized Services Add Remove Available Services Selected Services Rule Summary Apply 14.10 Predefined Services Page 14.11 Anti-Probing 14.12 DOS Thresholds 14.12.2.1 TCP Maximum Incomplete and Blocking Time TCP Maximum Incomplete Blocking Time Threshold Page 15.1 Content Filtering Overview 15.2 Configuring Keyword Blocking 15.3 Configuring the Schedule 15.4 Configuring Trusted Computers Page 16.1 VPN Overview 16.1.3.1 Encryption 16.1.3.2 Data Confidentiality 16.1.3.3 Data Integrity 16.1.3.4 Data Origin Authentication 16.2 IPSec Architecture 16.3 Encapsulation 16.4IPSec and NAT Page Page 17.1 VPN/IPSec Overview 17.2 IPSec Algorithms 17.3 My IP Address 17.4Secure Gateway Address 17.5 VPN Summary Screen Setup VPN Summary 17.6 Keep Alive 17.7 Remote DNS Server 17.8 NAT Traversal 17.9 ID Type and Content 17.9.1 ID Type and Content Examples 17.10 Pre-SharedKey 17.11 Editing VPN Policies Figure 89 VPN IKE Table 65 VPN IKE Page Page 17.12 IKE Phases Page 17.13 Configuring Advanced IKE Settings Page Page 17.14 Manual Key Setup 17.15 Configuring Manual Key Page Page 17.16 Viewing SA Monitor Page 17.17 Configuring Global Setting 17.18 Telecommuter VPN/IPSec Examples 17.18.2 Telecommuters Using Unique VPN Rules Example Page 17.19 VPN and Remote Management 18.1 Remote Management Overview 18.2 Telnet 18.3 FTP 18.4 Web 18.5 Configuring Remote Management Page 19.1 Introducing Universal Plug and Play 19.2 UPnP and ZyXEL 19.3 Installing UPnP in Windows Example Communications Universal Plug and Play Add/Remove Programs Properties Installing UPnP in Windows XP 1Click Start and Control Panel 2Double-click Network Connections Network Connections Optional Networking Components … Page 19.4Using UPnP in Windows XP Example Page Page Page Web Configurator Easy Access 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke Page Page 20.1 Logs Overview 20.2 Configuring Log Settings Page Page 20.3 Displaying the Logs 20.4 SMTP Error Messages 20.4.1 Example E-mailLog Page 21.1 Maintenance Overview 21.2 System Status Screen Page Page 21.2.1 System Statistics Show Statistics Poll Interval(s) 21.3 DHCP Table Screen 21.4 Any IP Table Screen 21.5 Wireless Screen 21.6 Diagnostic Screens Page 21.7 Firmware Screen Page Page 22.1 Introduction to the SMT 22.2 Accessing the SMT via the Console Port 22.2.2 Entering the Password 22.2.3 Procedure for SMT Configuration via Telnet Run 22.3 Navigating the SMT Interface 22.3.1 System Management Terminal Interface Summary 22.3.2 SMT Menus Overview 22.4 Changing the System Password Menu 23 - System Security Old Password New Password Retype to confirm Page 23.1 General Setup 23.2 Procedure To Configure Menu 23.2.1 Procedure to Configure Dynamic DNS Edit Dynamic DNS Menu 1.1— Configure Dynamic DNS Page Page 24.1 Introduction to WAN Backup Setup 24.2 Configuring WAN Backup in Menu 24.2.1 Traffic Redirect Setup Menu 2.1 — Traffic Redirect Setup Page Page 25.1 LAN Setup 25.3TCP/IP Ethernet Setup and DHCP Page Page 26.1 Wireless LAN Overview 26.2 Wireless LAN Setup 26.2.1 Wireless LAN MAC Address Filter Page Page 27.1 Internet Access Overview 27.2 IP Policies 27.3IP Alias 27.4 IP Alias Setup 27.5 Route IP Setup 27.6 Internet Access Configuration Page Page 28.1 Remote Node Setup Overview 28.2.1Remote Node Profile 28.2.2.1 Scenario 1: One VC, Multiple Protocols 28.2.2.2 Scenario 2: One VC, One Protocol (IP) 28.2.2.3 Scenario 3: Multiple VCs Menu 11.1 – Remote Node Profile 28.2.3 Outgoing Authentication Protocol 28.3 Remote Node Network Layer Options 28.3.1 My WAN Addr Sample IP Addresses My WAN Addr Rem IP Addr 28.4 Remote Node Filter 28.5 Editing ATM Layer Options 28.5.2 LLC-basedMultiplexing or PPP Encapsulation 28.5.3 Advance Setup Options PPPoE Edit Advance Options Menu 11.8 – Advance Setup Options 29.1 IP Static Route Overview 29.2 Configuration Menu 12.1 — IP Static Route Setup Menu 12.1.1 – Edit IP Static Route Setup Page Page 30.1 Bridging in General 30.2.1Remote Node Bridging Setup Edit IP/Bridge Yes and press [ENTER] to edit Menu 11.3 – Remote Node Network Layer Options 30.2.2 Bridge Static Route Setup Edit Bridge Static Route Page 31.1 Using NAT 31.2Applying NAT Menu 11.3 - Remote Node Network Layer Options 31.3 NAT Setup 31.3.1Address Mapping Sets 31.3.1.1SUA Address Mapping Set 31.3.1.2 User-DefinedAddress Mapping Sets 31.3.1.3 Ordering Your Rules 31.4 Configuring a Server behind NAT Menu 15.2 NAT Server Setup Start Port No End Port No 31.5 General NAT Examples Network Address Translation Many-to-One 31.5.2 Example 2: Internet Access with an Inside Server 31.5.3 Example 3: Multiple Public IP Addresses With Inside Servers 1 : Many : Menu 15.1 - Address Mapping Sets Full Feature Network Address Translation Edit Action Start IP 2Enter 2 in Menu 15 - NAT Setup 31.5.4 Example 4: NAT Unfriendly Application Programs No Overload One-to-One Page Page 32.1 Remote Management and the Firewall 32.2Access Methods Page 33.1 About Filtering Execute 33.1.1 The Filter Structure of the Prestige 33.2 Configuring a Filter Set for the Prestige 33.3 Filter Rules Summary Menus 33.4 Configuring a Filter Rule 33.4.1 TCP/IP Filter Rule Menu 21.1.x.1 – TCP/IP Filter Rule Page 33.4.2 Generic Filter Rule Offset Length Mask Value Generic Filter Rule Menu 21.1.5.1 – Generic Filter Rule Generic Filter Rule 33.5 Filter Types and NAT 33.6 Example Filter 1Enter 1 in the menu 21 to display Menu 21.1 — Filter Set Configuration Menu 21.1.6 — Filter Rules Summary 33.7 Applying Filters and Factory Defaults 33.7.1 Ethernet Traffic protocol filters Input Filter Sets 33.7.2 Remote Node Filters Call Filter Sets Page 34.1 About SNMP 34.2Supported MIBs 34.3 SNMP Configuration 34.4 SNMP Traps Page 35.1 System Security Page 35.1.3 IEEE802.1x Menu23 – System Security 2Enter 4 to display Menu 23.4 – System Security – IEEE802.1x Page 35.2 Creating User Accounts on the Prestige Page 36.1 Overview 36.2 System Status Menu 24.1 — System Maintenance — Status 36.3 System Information 36.3.2 Console Port Speed Menu 24.2.2 – System Maintenance – Console Port Speed 36.4 Log and Trace 36.4.2 Syslog and Accounting Menu 24.3.2 — System Maintenance — UNIX Syslog Page 36.5 Diagnostic Page Page 37.1 Filename Conventions 37.2 Backup Configuration 37.2.2 Using the FTP Command from the Command Line 37.2.3Example of FTP Commands from the Command Line 37.2.4 GUI-basedFTP Clients 37.2.5 TFTP and FTP over WAN Management Limitations 37.2.6 Backup Configuration Using TFTP 37.2.7 TFTP Command Example 37.2.8 GUI-basedTFTP Clients 37.2.9 Backup Via Console Port Transfer Receive File 37.3Restore Configuration 37.3.2Restore Using FTP Session Example 37.3.3 Restore Via Console Port Send File Send 37.4 Uploading Firmware and Configuration Files 37.4.3 FTP File Upload Command from the DOS Prompt Example 37.4.4 FTP Session Example of Firmware File Upload 37.4.5 TFTP File Upload 37.4.6 TFTP Upload Command Example 37.4.7 Uploading Via Console Port 37.4.8Uploading Firmware File Via Console Port 37.4.9 Example Xmodem Firmware Upload Using HyperTerminal 37.4.10Uploading Configuration File Via Console Port 37.4.11Example Xmodem Configuration Upload Using HyperTerminal Page 38.1 Command Interpreter Mode 38.2 Call Control Support 38.3 Time and Date Setting 38.3.1Resetting the Time Page Page 39.1 Remote Management Overview 39.2 Remote Management 39.2.2 Remote Management Limitations 39.3 Remote Management and NAT 39.4System Timeout Page 40.1 IP Policy Routing Overview 40.2 Benefits of IP Policy Routing 40.3 Routing Policy 40.4 IP Routing Policy Setup Menu 25.1.1 – IP Routing Policy Page 40.5 Applying an IP Policy 40.6 IP Policy Routing Example Menu 25.1.1 — IP Routing Policy Menu 25.1 — IP Routing Policy Setup Page 41.1 Introduction Menu 26.1 — Schedule Set Setup Duration Main Menu PPPoA Page 42.1 VPN/IPSec Overview 42.2 IPSec Summary Screen Page 42.3 IPSec Setup Page Page Page 42.4 IKE Setup Page 42.5 Manual Setup Page Page 43.1 SA Monitor Overview 43.2 Using SA Monitor Page Page Page 44.1 Problems Starting Up the Prestige 44.2 Problems with the LAN LED 44.3 Problems with the DSL LED 44.4 Problems with the LAN Interface 44.5 Problems with the WAN Interface 44.6 Problems with Internet Access 44.7 Problems with the Password 44.8 Problems with the Web Configurator 44.9 Problems with Remote Management 44.10 Telephone Problems Page Ethernet Cable Pin Assignments Prestige 2602HW-LDSL Port Pin Assignments Page Prestige 2602HW Series Power Adaptor Specifications Page Windows 95/98/Me Installing Components Adapter Protocol Microsoft manufacturers Configuring Obtain an IP address automatically Specify an IP address Subnet Mask Disable DNS Windows 2000/NT/XP Network and Dial-up Connections 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) Use the following IP Address Subnet mask Default gateway IP Settin IP Settings Use the following DNS server addresses Preferred DNS server Alternate DNS server 8Click OK to close the Internet Protocol (TCP/IP) Properties window 9Click OK to close the Local Area Connection Properties window Macintosh OS 8/9 Macintosh OS Automatic Location •Select Built-inEthernet from the Show list Using DHCP Apply Now IP Addressing IP Classes Subnet Masks Subnetting Example: Two Subnets Page Example: Four Subnets Example Eight Subnets Subnetting With Class A and Class B Networks Page PPPoE in Action Benefits of PPPoE Traditional Dial-upScenario How PPPoE Works Prestige as a PPPoE Client Benefits of a Wireless LAN IEEE Ad-hocWireless LAN Configuration Infrastructure Wireless LAN Configuration Page Page Security Flaws with IEEE Deployment Issues with IEEE Advantages of the IEEE RADIUS Server Authentication Sequence EAP-MD5 (Message-DigestAlgorithm 5) EAP-TLS(Transport Layer Security) EAP-TTLS(Tunneled Transport Layer Service) LEAP The Ideal Setup The “Triangle Route” Problem The “Triangle Route” Solutions IP Aliasing Gateways on the WAN Side Page Internal SPTGEN Overview The Configuration Text File Format Internal SPTGEN FTP Download Example Internal SPTGEN FTP Upload Example Example Internal SPTGEN Screens Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Command Examples Page Page Command Syntax Command Usage Page Sys Firewall Commands Page Firmware and Configuration File Maintenance Page Page Page Table 182 ICMP Logs Table 183 CDR Logs Table 184 PPP Logs Table 185 UPnP Logs Page Page Table 192 SIP Logs Table 193 RTP Logs Log Commands Displaying Logs Log Command Example Numerics