Filter to block web services | ZyXEL Communications P-2302HW

Filter to block web services

Prestige 2302 Support Notes

allowed in the pre-ZyNOS v3.40 firmware. Thus when you upgrade the firmware to ZyNOS v3.40, the old configuration is translated to the new format and any filter configuration inconsistence is logged. It is highly recommended that you check the system log (in SMT menu 24.3.1) before setting up the device on the network.

Note: The Prestige automatically deactivates the routing/bridging functions when an inconsistency is detected in the filter rule settings.

Filter to block web services

•Configuration

Before configuring a filter, you need to know the following information:

1.The outbound packet type (the protocol and port number)

2.The source IP address

Generally, the outbound packets for a web service could be as follows:

a. HTTP packet, TCP (06) protocol with port number 80 b. DNS packet, TCP (06) protocol with port number 53 or c. DNS packet, UDP (17) protocol with port number 53

To block web services on all LAN hosts, enter 0.0.0.0 for the source IP address. Otherwise enter the IP address of a LAN computer to block web services for that computer. The configuration procedure is described below.

oCreate a filter set in SMT menu 21, for example, set 1

oCreate three filter rules in menu 21.1.1, 21.1.2, and 21.1.3

Rule 1- block the HTTP packets, TCP (06) protocol type with port number 80

Rule 2- block the DNS packets, TCP (06) protocol type with port number 53

Rule 3- block the DNS packets, UDP (17) protocol type with port number 53 o Apply the filter set in menu 4

1.Create a filter set in menu 21

Menu 21 - Filter Set Configuration

Filter

Filter

23

All contents copyright (c) 2005 ZyXEL Communications Corporation.

Image 23

ZyXEL Communications P-2302HW manual Filter to block web services, Prestige 2302 Support Notes, The source IP address

Contents

VoIP Station Gateway With Lifeline/ DECT/ USBP-2302HW SERIES Support Notes INDEX Prestige 2302 Support Notes What is the difference between NAT and SUA? Unable to Get WAN IP from ISP CLI Command ListWhat is Voice over IP? How does Voice over IP work? Internet Connection Application NotesPrestige 2302 Support Notes General Application Notes Setting up the Prestige router 2. TCP/IP Installation3. TCP/IP Configuration 1. Accessing the Prestige Web Management Interface Prestige 2302 Support Notes All contents copyright c 2005 ZyXEL Communications Corporation Prestige 2302 Support Notes What is DHCP Relay? WAN IP Address field Setup the Prestige as a DHCP Relay IP Subnet Mask= Setup the Prestige as a DHCP Client Introduction Configure an Internal Server Behind the PrestigeConfiguration Telnet ServicePort Number The following table lists some common service port numbers Window98 PPTP Client / Internet / NT RAS Server Protocol Stack Configure a PPTP server Behind SUA The PPTP is already supported in Windows NT and Windows 98. For Windows 95, a software upgrade with Dial-Up Networking 1.2 is required ƒ Set the Prestige that connects to the ISP as the Internet gateway About Filters & Filter Examples How does the ZyXEL filter feature work? Filter Structure Filter Types and SUA Action Matched= Check Next Rule Action Not Matched= Check Next Rule Menu 21.1.1 - Generic Filter Rule Filter # 1,1Filter Type= Generic Filter Rule Active= Yes Offset= Length= Mask= N/A Value= N/A More= No Log= None Log= None Protocol and device rule cannot be active togetherprotocol filters= device filters= Edit IP/IPX/Bridge= No Route=Edit PPP Options= No Rem IP 2. The source IP address Filter to block web servicesGenerally, the outbound packets for a web service could be as follows 1. The outbound packet type the protocol and port number ENTER to Confirm or 2. Configure rule one for a. HTTP packets using TCP06 and port number 4. Rule 3 for c. DNS packets using UDP17 and port number 3. Configure rule 2 for b. DNS requests using TCP06 and port number A filter to block a specific client 2.Create one rule to block all packets from this client Before you Begin Key SettingsA filter to block a specific MAC address The following shows detailed information with Ethernet Version Select Generic Filter Rule in the Filter Type field Configurations Active Select Yes in the Active field Offset in bytes A filter to block NetBIOS packets Configure field Rule 2-Destination port number 137 with protocol number 17 UDP Action Not Matched= Check Next Rule Rule 4-Destination port number 138 with protocol number 17 UDP Rule 3-Destination port number 138 with protocol number 6 TCP Rule 5-Destination port number 139 with protocol number 6 TCP Rule 6-Destination port number 139 with protocol number 17 UDP Prestige 2302 Support Notes Rule 2-Source port number 137, Destination port number 53 with protocol number 17 UDP 1. What is DDNS? Using Dynamic DNS DDNS web site from the WAN when you have set up the DDNS settings. With DDNS, users can always access a web site regardless of the WAN IP address on the Prestige Network Management Using SNMP Service ProviderPassword Enable Wildcard 9. Traps 6. Reads7. Writes 8. Traversal operations Trap 2. SNMPv1 OperationsGetNext 3. ZyXEL SNMP Implementation If the machine warmstarts, the trap will be sent after booting 4. Configure the Prestige for SNMP entered, the Prestige will not send traps to any NMS manager Get Community Set Community Trusted Host Trap CommunityTrap Destination NMS managers UNIX Setup Using syslog4. Prestige Setup line = the WAN ID in a board channel = channel ID within the WAN Packet triggered logFilter log PPP Log What is IP Alias ? Using IP Alias Interface IP Alias Setup2004 ZyXEL Communications Corp ras ip ro st Enter here to CONFIRM or ESC to CANCEL DHCP Setup TCP/IP Setup Edit IP AliasIP Alias IP Alias Menu 3.2.1 - IP Alias Setup IP Alias 1= Yes IP Address= System Date and Time Settings on the Prestige Using IP Multicast Select IGMP-v1 for IGMP version 1 or IGMP-v2 for IGMP version Multicast How to set up the backup gateway? Using Prestige traffic redirectTraffic Redirect on the WAN What is Traffic Redirect ? Traffic Redirect Setup Traffic Redirect on the LAN Gateway BackupTimeout Active 1. What is UPnP Using Universal Plug n Play UPnP UPnP Operations Control Point PC1 2. Using UPnP in ZyXEL devicesDevice Prestige Service NAT function provided on the Prestige Select Enable UPnP service to activate UpnP on the device Prestige 2302 Support Notes All contents copyright c 2005 ZyXEL Communications Corporation Prestige 2302 Support Notes All contents copyright c 2005 ZyXEL Communications Corporation Prestige 2302 Support Notes Follow the 3 steps below to set up trunks on P-2302HWL/HWUDL-P1 Trunk Setup in P-2302HWL/HWUDL-P1 o Step 2 Access the web configurator and click VoIP Advance Setting Two examples are described next Example So how do you make a phone call over the PSTN and SIP networks? VoIP Application Notes SIP Account Setup Prestige 2302 Support Notes The following table describes the screen labels SIP Account ServiceLabel Description Reset AuthenticationPassword Settings Phone Use this field to select the phone port that you want to configureStep 3. In the navigation panel, click VoIP Phone Analog Phone The table below describes the related fields Listening VolumeSpeed dial Phone book setup Speaking Each fields detail description of the page is listed below Type EntrySpeed Dial Name Clear ZyNOS FAQWhat is ZyNOS? How to access the embedded web configurator? How do I upload the firmware via the web configurator? What should I do if I forget the system password? Why cant I telnet into Prestige from the WAN? How many network users does SUA/NAT support? What is SUA? When should I use SUA?What is the difference between NAT and SUA? What are Device and Protocol filters? Product FAQWhy cant I configure device or protocol filters? What is the Prestige Internet Access Sharing Router? How can I configure the Prestige? What is PPPoE?How do I know I am using PPPoE? Why does my provider use PPPoE? How does e-mail work through the Prestige? What network interface does the Prestige support?What can I do with the Prestige? Does the Prestige support dynamic IP addressing? What DHCP capability does the Prestige support? What is the difference between the Standard and RoadRunner service? How fast is the DSL connection? What network interface does the new Prestige series support?Does the Prestige support TFTP? Does the Prestige support TFTP over WAN? 1. If your ISP checks the MAC address a. Assigned By Select IP address attached on LAN 2. If your ISP checks the host name3. If your ISP checks the User ID c. My Login Name Enter the login user name given to you by your ISP What DDNS servers does the Prestige support? What is BOOTP/DHCP?What is DDNS? When do I need the DDNS service? How do I set up my Prestige to route IPsec packets over SUA? VoIP FAQWhat is DDNS wildcard? Can VPN tunnels still work on a Prestige using SUA? How does Voice over IP work? Why use VoIP?What is the relationship between codec and VoIP? What is the difference between H.323 and SIP? How are voice quality normally rated? What is voice quality?What is codec? Can H.323 and SIP interoperate with each other? I can register to the SIP server but cannot establish a call Which codec should I choose?What do I need in order to use SIP? I am unable to register to a SIP server What should I do if there may be a hardware problem with my Prestige? 1. If your ISP checks the MAC address Trouble ShootingUnable to Get WAN IP from ISP IP Address= 2. If your ISP checks the Host NameField settings Assigned By= System Name Enter the same name as the compute name on the computer 3. If your ISP checks the User IDField Setting Embedded Packet Trace Using Embedded Packet Trace 2. Offline Trace--capture the trace first and display later 1.1 Disable WAN packet trace sys trcp channel enet1 none1.2 Enable LAN packet trace sys trcp channel enet0 bothway 1. Online Trace--display the trace real time on screen = 0x330B 103 All contents copyright c 2005 ZyXEL Communications CorporationPrestige sys trcd parse Destination MAC Addr 104 All contents copyright c 2005 ZyXEL Communications Corporation 105 All contents copyright c 2005 ZyXEL Communications Corporation TCP Data Length=6 1.1 Disable LAN packet trace sys trcp channel enet0 none1.2 Enable WAN packet trace sys trcp channel enet1 bothway 106 All contents copyright c 2005 ZyXEL Communications Corporation 107 All contents copyright c 2005 ZyXEL Communications Corporation +Y.x 108 All contents copyright c 2005 ZyXEL Communications Corporation 109 All contents copyright c 2005 ZyXEL Communications Corporation 110 All contents copyright c 2005 ZyXEL Communications Corporation Offline Trace 1.7 Display specific trace packets sys trcp parse fromindex toindex LAN Frame ENET0-XMIT 112 All contents copyright c 2005 ZyXEL Communications Corporation 1.7 Display specific trace packets sys trcp parse fromindex toindex LAN Frame ENET1-RECV 114 All contents copyright c 2005 ZyXEL Communications Corporation a.P&Mq= Debugging PPPoE Connection Debugging PPPoE Connection Example- Trace Example on a crashed system 118 All contents copyright c 2005 ZyXEL Communications Corporation 119 All contents copyright c 2005 ZyXEL Communications Corporation 1. Online Trace--display real-time trace results on the screen LAN/WAN Packet Trace 121 All contents copyright c 2005 ZyXEL Communications Corporation 122 All contents copyright c 2005 ZyXEL Communications Corporation 123 All contents copyright c 2005 ZyXEL Communications Corporation 124 All contents copyright c 2005 ZyXEL Communications Corporation 125 All contents copyright c 2005 ZyXEL Communications Corporation 1.2 Enable WAN packet trace sys trcp channel mpoa00 bothway 126 All contents copyright c 2005 ZyXEL Communications Corporation 1.1 Disable WAN packet trace sys trcp channel mpoa00 none 128 All contents copyright c 2005 ZyXEL Communications Corporation CLI Command List