Firewall Settings Screen | ZyXEL Communications HS100/HS100W

HomeSafe User’s Guide

4.Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.

5.For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.

6.Protect against IP spoofing by making sure the firewall is active.

7.Keep the firewall in a secured (locked) room.

13.2 Firewall Settings Screen

From the MAIN MENU, click FIREWALL to open the Settings screen.

	Figure 13-1 Firewall: Settings
The following table describes the labels in this screen.
	Table 13-1 Firewall: Settings

LABEL	DESCRIPTION

Enable Firewall	Select this check box to activate the firewall. The HomeSafe performs access control
	and protects against Denial of Service (DoS) attacks when the firewall is activated.

Bypass Triangle	Select this check box to have the HomeSafe firewall ignore the use of triangle route
Route	topology on the network. See the appendix for more on triangle route topology.
LAN to WAN	To log packets related to firewall rules, make sure that Access Control under Log is
	selected in the Logs, Log Settings screen.

13-2

Firewall

Image 176

ZyXEL Communications HS100/HS100W manual Firewall Settings Screen

Contents

HS-100 / HS-100W Version 10/2005 Trademarks Copyright 2004 by ZyXEL Communications CorporationDisclaimer Certifications Information for Canadian Users ZyXEL Limited Warranty Online Registration Customer Support Table of Contents III 11-1 Viii 27.1 Page List of Figures Xiv List of Figures 10-1 Xvi List of Figures Xvii Xviii List of Figures List of Tables List of Tables 20-3 Xxii List of Tables ¾ ZyXEL Glossary and Web Site Related DocumentationUser’s Guide Feedback Dslam Syntax ConventionsGraphics Icons Key HomeSafe User’s Guide Preface Xxv Part Page HomeSafe Features Physical FeaturesNon-Physical Features Getting to Know Your HomeSafe Content Filtering Brute-Force Password Guessing Protection802.11b Wireless LAN Standard HS-100W only Firewall Packet Filtering Universal Plug and Play UPnPCall Scheduling PPPoE Dhcp Dynamic Host Configuration Protocol Upgrade HomeSafe Firmware via LANNetwork Address Translation NAT Traffic Redirect Secure Broadband Internet Access via Cable or DSL Modem Wireless Association List HS-100W onlyApplications for the HomeSafe HomeSafe Parental Control Gateway Wireless LAN Application Wireless LAN Application Example Accessing the HomeSafe Web Configurator Introducing the Web ConfiguratorWeb Configurator Overview System Administrator Password Setup Wlan SetupSet up your wireless LAN using the second wizard screen Following table describes the fields in this screen Essid Wlan Setup Basic SecurityAccess screen Wlan Setup Extended Security Following table describes the labels in this screenWEP Ascii Internet Configuration Setup Refer to the chapter on wireless LAN for more information Internet Configuration Setup ISP Parameters Internet Access Setup Internet Access Static IP Address Setup Dhcp Internet Configuration Setup Complete Parental Control Wizard Parental Control Time Setup Wizard Parental Control Wizard 10 Wizard Parental Control Time Setup Parental Control Create or Edit a Profile Parental Control Profile Information 11 Wizard Create or Edit a Profile Parental Control User Group 12 Wizard Parental Control Profile Information Administrator can decide each group’s Access rightsParental Control Time Allowance 13 Wizard Parental Control User Group Parental Control Application Blocking Allowance screen Parental Control Account Summary15 Wizard Parental Control Application Blocking Parental Control Register for Content Filter 16 Wizard Parental Control Summary Content Filtering with an External Server Checking Content Filtering Activation Following screen appears after you click Activate in Figure Content Filter Service ActivationIf you click Register Later you will proceed to Figure Accessing the Internet via the HomeSafe Gateway Content Filter Setup Complete 25 Password Screen Resetting the HomeSafe Procedure To Use The Reset ButtonHomeSafe Main Menu Navigation Panel 17 Screens Summary Link TAB Function Maintenance FirewallRemote Mgmt Telnet FTPPage Connection Wizard General Setup and System Name Chapter Connection WizardConnection Wizard Overview Domain Name Connection Wizard General Setup Connection Wizard Screen Connection Wizard Wireless LAN Setup Basic Security Connection Wizard Wireless LAN Setup Extend Security Ethernet PPPoE Encapsulation Connection Wizard Ethernet Encapsulation Connection Wizard PPPoE Encapsulation Pptp Encapsulation Connection Wizard Pptp Encapsulation WAN IP Address Assignment Private IP Address Ranges WAN MAC Address IP Address and Subnet MaskDNS Server Address Assignment Connection Wizard WAN Setup ISP Basic Setup Complete Connection Wizard Finish 10 Connection Wizard Problems HomeSafe User’s Guide Connection Wizard System, LAN, Wlan and WAN Configuring General Setup Chapter System ScreensSystem Overview Click System to open the General screen DynDNS Wildcard Configuring Dynamic DNSDynamic DNS System Ddns Configuring Password Configuring Time Setting System Time Setting Daylight Savings LAN Overview Dhcp SetupChapter LAN Screens Any IP Multicast How Any IP Works Any IP Example Application Configuring IP Click LAN to open the IP screen LAN TCP/IP Configuring Static Dhcp LAN Static Dhcp Configuring IP Alias LAN IP Alias LAN IP Alias Wireless Configuration and Roaming Wireless LAN OverviewIbss 2 BSS Basic Service set 3 ESS Wireless LAN Basics 1 RTS/CTS Configuring Wireless Fragmentation Threshold Configuring Roaming RTS/CTS Requirements for Roaming Roaming Example Allow roaming Wireless stations must have the same Essid toAll APs on the same subnet Page Chapter Wireless Security Wireless Security Overview WPA-PSK WPA Authentication Wireless Security Relational MatrixSecurity Parameters Summary WEP Overview WEP Authentication Steps Preamble Type Configuring WEP Encryption Encryption field Encryption User AuthenticationIntroduction to WPA WPA-PSK Application Example WPA-PSK application looks as follows Configuring WPA-PSK Authentication If wireless station authentication is doneUsing a Radius server, the reauthentication Timer on the Radius server has priority Wireless Client WPA Supplicants WPA with Radius Application Example Configuring WPA Authentication WPA with Radius Application Example Wlan Wireless WPA 802.1x Overview EAP-MD5 cannot be used with Dynamic WEP Key Exchange Configuring 802.1x and Dynamic WEP Key ExchangeDynamic WEP Key Exchange Configuring 802.1x and Static WEP Key Exchange 10 Wlan Wireless 802.1x and Static WEP Wlan Wireless 802.1x and Static WEP Wlan Wireless 802.1x and Static WEP Configuring Reset MAC Filter MAC Following table describes the labels in this menuWlan MAC Address Filter Configuring Local User Database Introduction to Local User Database10 Wlan Local User Database Active Select this option to activate the user profile Introduction to Radius Configuring Radius EAP Authentication Overview 15 Wlan Radius 11 Wlan Radius HomeSafe User’s Guide Page Configuring Route Chapter WAN ScreensWAN Overview TCP/IP Priority Metric Screen shown next is for Ethernet encapsulation Configuring WAN ISPEthernet Encapsulation PPPoE Encapsulation WAN ISP PPPoE Encapsulation WAN ISP Pptp Encapsulation Configuring WAN IP WAN IP Address Assignment WAN IP Selected Use Fixed IP AddressServer Choose Both, None, In Only or Out Only RIP-1 Configuring WAN MACChoose RIP-1 , RIP-2B or RIP-2M Traffic Redirect WAN Setup Traffic Redirect Configuring Traffic Redirect WAN Traffic Redirect WAN Traffic Redirect SUA/NAT and Static Route Page Chapter Network Address Translation NAT Screens NAT OverviewNAT Definitions What NAT Does How NAT Works NAT Application NAT Mapping Types Following table summarizes these types Using NAT SUA ServerSUA Single User Account Versus NAT NAT Mapping Types Port Forwarding Services and Port Numbers Default Server IP AddressServices and Port Numbers Services Port Number Configuring SUA Server Configuring Servers Behind SUA Example Configuring Address Mapping SUA/NAT Setup Address Mapping One-to-One and Server mapping types Many-to-One and Server mapping types Configuring Address MappingTrigger Port Forwarding Configuring Trigger Port Forwarding Trigger Port Forwarding ExampleTwo Points To Remember About Trigger Ports Following is an example of trigger port forwarding Only one LAN computer can use a trigger port range at a time Page Configuring IP Static Route Chapter Static Route ScreensStatic Route Overview Click Static Route to open the screen as shown next Configuring Route Entry Static Route Edit NAT Screens 10-3 UPnP, Parental Control and Firewall How Do I Know If Im Using UPnP? Chapter UPnPUniversal Plug and Play Overview UPnP and ZyXEL Click UPnP to display the screen shown next Configuring UPnPInstalling UPnP in Windows Example Installing UPnP in Windows Me Installing UPnP in Windows XPFollow the steps below to install UPnP in Windows Me Follow the steps below to install UPnP in Windows XP Using UPnP in Windows XP Example Auto-discover Your UPnP-enabled Network Device Internet Connection Properties Web Configurator Easy Access Connections Select My Network Places under Other Places UPnP 11-7 Page Parental Control Logins Initial ConfigurationChapter Parental Control Parental Control Overview Parental Administrator log Parental Control Application Configuring Parental Control HomeSafe Parental Control Wireless Gateway Application Parental Control For content filtering to be activated. See Checking Content filtering activationWeb site displays a registration successful Web page. It may take up to another ten minutes Parental Control Group Edit Filter Content Filtering with an External ServerReset Click Reset to start configuring this screen again Parental Control Group Edit Configuration Parental Control Filter Parental Control 12-9 12-10 Parental Control Parental Control 12-11 How to set how much of the URL See the Customizing KeywordBlocking URL Checking section for HomeSafe checks Customizing Keyword Blocking URL Checking Parental Control Edit Services Service Description RLOGINTCP513 PPTPTUNNELGRE0RCMDTCP512 REALAUDIOTCP7070 Parental Control Edit Access, you should select the unrestricted User access will be denied after the EndIf you want to allow twenty-four hour Check box Parental Control Bypass List Weekdays or Weekend boxes Parental Control 12-19 Page Guidelines For Enhancing Security With Your Firewall Chapter FirewallIntroduction Firewall Settings Screen Firewall Settings Firewall, NAT and Remote Management LAN-to-WAN rulesNo Log Log All log all LAN to WAN packets Services WAN-to-LAN rules Firewall Service Click Clear All to empty the Blocked Service Remote Management Page Only LAN only Neither Disable Chapter Remote Management ScreensRemote Management Overview Remote Management Limitations Remote Management and NAT Configuring WWWSystem Timeout Configuring Telnet Telnet Configuration on a TCP/IP Network Configuring FTP Remote Management Telnet Snmp Remote Management FTP Snmp is only available if TCP/IP is configured Snmp Management Model Configuring Snmp Supported MIBsSnmp Traps Snmp Traps Remote Management Snmp Configuring DNS Remote Management DNS Configuring Security Icmp Remote Management Screens 14-11 Page HomeSafe User’s Guide VPN Screens 14-1 Logs and Maintenance Chapter Centralized Logs View Log Log Settings Settings, see section Log Settings When Log is Full DailyWeekly Hourly Status Screen Chapter MaintenanceMaintenance Overview Maintenance System Statistics System Statistics Maintenance Dhcp Table Dhcp Table Screen Any IP Table Association List Maintenance Firmware Upload 16.6 F/W Upload Screen Configuration Screen Upload Warning Maintenance Restore Configuration Backup ConfigurationRestore Configuration Back to Factory Defaults 11 Configuration Restore Successful 14 Factory Defaults Restart Screen SMT General Configuration Page Chapter Introducing the SMT SMT Introduction Main Menu Commands Navigating the SMT InterfaceOperation Keystroke Description Enter System Management Terminal Interface Summary Main Menu Summary? or ChangeMe Menu Title Description Changing the System Password Menu 23 System Password Chapter Menu 1 General Setup General SetupProcedure To Configure Menu Field Description Example Procedure to Configure Dynamic DNS Select Yes to configure Menu 1.1 Configure Dynamic DNS User YesDynamicDNS Specified IP Address field Chapter Menu 2 WAN Setup WAN SetupIntroduction to WAN From the main menu, enter 2 to open menuPage Chapter Menu 3 LAN Setup LAN SetupProtocol Dependent Ethernet Setup 20.3 TCP/IP Ethernet Setup and Dhcp Menu 3.2 TCP/IP and Dhcp Ethernet Setup Menu 3.2 Dhcp Ethernet Setup Fields Menu 3.2 LAN TCP/IP Setup Fields BothRIP-1 RIP-1,RIP-2B or RIP-2M IP Alias Setup Physical Network & Partitioned Logical Networks Field Description Example Essid Wireless LAN SetupBoth, In Only, Out Only or None Disable CH06 2437MHzRTS Auto Configuring MAC Address Filter Mixed Configuring Roaming on the HomeSafe Menu 3.5.1 Wlan MAC Address Filter 10 Menu 3.5.2 Roaming Configuration Menu 3.5.2 Roaming ConfigurationPage Chapter Internet Access Introduction to Internet Access SetupMenu 4 Internet Access Setup Ethernet Ethernet Encapsulation Configuring the Pptp Client Configuring the PPPoE Client DefaultNew Fields in Menu 4 Pptp Screen New Fields in Menu 4 PPPoE screen 21-4 Internet Access Remote Node Profile Setup Chapter Remote Node ConfigurationIntroduction to Remote Node Setup Ethernet AliasPress Enter to go to Menu 11.3 Remote Node Network Layer Options Outgoing Authentication Protocol Nailed-Up Connection Fields in Menu 11.1 PPPoE Encapsulation Specific CHAP/PAP Edit IP Menu 11.1 Remote Node Profile for Pptp EncapsulationRemote Node Network Layer Options Dynamic Remote Node Filter SUA OnlyMany-to-One and Server RIP-1/RIP-2B/RIP-2M or None Traffic Redirect Setup Menu 11.5 Remote Node Filter Ethernet Encapsulation 22-8 Remote Node Configuration Chapter Static Route Setup IP Static Route Setup 23-2 Static Route Setup Chapter Dial-in User Setup Dial-in User SetupPage Menu 4 Applying NAT for Internet Access Applying NAT NAT Setup Full FeatureApplying NAT in Menus 4 NAT Address Mapping Sets SUA Address Mapping SetFollowing table explains the fields in this menu Menu 15.1.255 is read-only SUA Address Mapping Rules User-Defined Address Mapping Sets Ordering Your Rules Menu 15.1.1 First Set Field Desription ExampleEdit Select Rule item One-to-One,Many-to-One and Server types Configuring a Server behind NATFollow these steps to configure a server behind NAT General NAT Examples Example 1 Internet Access OnlyFollowing are some examples of NAT configuration Dynamic Inside Global Address is assigned by the ISP Example 2 Internet Access with an Inside ServerExample 3 Multiple Public IP Addresses With Inside Servers Enter 1 to configure the Address Mapping Sets Following figures show how to configure the first ruleAddress Translation field in menu 4 or menu 11.3 Then enter 15 from the main menu Enter 2 in Menu 15 NAT Setup Example 4 NAT Unfriendly Application Programs Example 3 Menu 20 Example 4 Menu 15.1.1 Address Mapping Rules Menu 15.3 Trigger Port Setup Page Access Methods Chapter Enabling the FirewallRemote Management and the Firewall Enabling the Firewall SMT Advanced Management Filter Structure of the HomeSafe Chapter Filter ConfigurationIntroduction to Filters Execute Configuring a Filter Set Abbreviations Used in the Filter Rules Summary Menu Configuring a Filter Rule Configuring a TCP/IP Filter RuleRule Abbreviations Used Abbreviation Description TCP/IP Filter Rule Field Description OptionsLess Equal Following figure illustrates the logic flow of an IP filter Configuring a Generic Filter Rule Executing an IP Filter Generic Filter Rule Menu Fields Example Filter HomeSafe User’s Guide Generic Filter Rule Menu Fields 10 Example Filter Menu Filter Types and NAT Firewall Versus Filters Applying a FilterApplying LAN Filters Applying Remote Node Filters 14 Filtering Remote Node Traffic Page Chapter Snmp Configuration About Snmp Supported MIBs Snmp ConfigurationFollowing table describes the Snmp configuration parameters Port PVC Permanent Virtual Circuit Snmp TrapsPorts and Permanent Virtual Circuits Page System Password Configuring External Radius ServerChapter System Security System Security 29.1.3 Enter 4 to display Menu 23.4 System Security IEEE802.1x No Access Allowed Menu 23.4 System Security IEEE802.1x PSK Group Data Privacy fieldMode Management Protocol is selected System Information and Diagnosis System Status Menu 24.1 System Maintenance Status System Maintenance Status Menu Fields Menu 1 General Setup System InformationSystem Information To get to the System Information Menu 24.3.2 System Maintenance Syslog and Accounting Log and TraceConsole Port Speed Syslog Logging System Information and Diagnosis 30-5 Diagnostic Call-Triggering Packet System Maintenance Menu Diagnostic WAN Dhcp 30-8 System Information and Diagnosis Chapter Firmware and Configuration File Maintenance Filename ConventionsFilename Conventions File Type Internal Name External Name Description Backup Configuration Using the FTP Command from the Command LineExample of FTP Commands from the Command Line Follow the instructions as shown in the next screen Backup Configuration Using Tftp General Commands for GUI-based FTP ClientsCommand Description GUI-based FTP Clients Restore Configuration Tftp Command ExampleRestore Using FTP Following is an example Tftp command Uploading Firmware and Configuration Files Restore Using FTP Session Example Firmware File Upload Configuration File UploadYou see the following screen when you telnet into menu Tftp File Upload FTP File Upload Command from the DOS Prompt ExampleFTP Session Example of Firmware File Upload Tftp Upload Command Example Chapter System Maintenance Command Interpreter ModeCommand Syntax Command Usage Call Control Support Budget Management Call History Call History Fields NTP RFC-1305 the default, is similar to Time RFC-868 Time and Date SettingTime and Date Setting Fields Resetting the Time Daylight Saving fieldPage Chapter Remote Management Remote Management LAN Only Chapter Call Scheduling Introduction to Call Scheduling Menu 26.1 Schedule Set Setup Once Applying Schedule Sets to a Remote Node PPPoE Appendices and Index Page Appendix a TroubleshootingProblem Corrective Action Control Group Edit screen Appendix B PPPoE PPPoE in ActionBenefits of PPPoE Traditional Dial-up Scenario Diagram B-2 The HomeSafeas a PPPoE Client HomeSafeas a PPPoE Client What is PPTP? Diagram C-1 Transport PPP frames over EthernetAppendix C Pptp and the HomeSafe Diagram C-2 Pptp Protocol Overview Diagram C-3 Example Message Exchange between PC and an ANTPptp Protocol Overview Control & PPP connections Pptp Page Chart 1 System Error Logs Chart 2 System Maintenance LogsAppendix D Log Descriptions LOG Message Description ID content Chart 3 UPnP LogsChart 4 Content Filtering Logs Chart 5 Icmp Type and Code Explanations Type Code Description Log Commands Configuring What You Want the HomeSafe to Log Displaying Logs Page If you need TCP/IP Appendix E Setting up Your Computer’s IP AddressWindows 95/98/Me If you need Client for Microsoft Networks Checking/Modifying Your Computer’s IP Address Windows 2000/NT/XP Click Advanced to go to the Advanced TCP/IP HomeSafe User’s Guide Turn on your HomeSafeand restart your computer if prompted Close the TCP/IP Control Panel Macintosh OS 8/9Select Ethernet built-in from the Connect via list Select Built-in Ethernet from the Show list Macintosh OSCheck your TCP/IP properties in the Network window Page Appendix F Wireless LAN and Ieee Benefits of a Wireless LANAd-hoc Wireless LAN Configuration Ieee Infrastructure Wireless LAN Configuration Diagram F-1 Peer-to-Peer Communication in an Ad-hoc Network Diagram F-2 ESS Provides Campus-Wide Coverage Page Appendix G Wireless LAN With Ieee Deployment Issues with IeeeSecurity Flaws with Ieee Advantages of the Ieee Diagram G-1 Sequences for EAP MD5-Challenge Authentication Appendix H Types of EAP Authentication EAP-TTLS Tunneled Transport Layer ServiceEAP-MD5 Message-Digest Algorithm EAP-TLS Transport Layer Security Difficulty Wireless Security Certificate ClientCertificate Server Dynamic Key Types of Antennas For Wlan Antenna CharacteristicsAppendix Antenna Selection and Positioning Recommendation Positioning Antennas Example Appendix J Brute-Force Password Guessing ProtectionChart 6 Brute-Force Password Guessing Protection Commands Page Ideal Setup Triangle Route ProblemTriangle Route Solutions Appendix K Triangle Route How To Configure Triangle Route Diagram K-3 IP AliasDiagram K-4 Gateways on the WAN Side Gateways on the WAN Side Appendix L Index BSS Ibss See NAT See Ttls Wlan