elmeg T444 User Manual page 28


Configure firewall filters
Target address definition: Here you specify the target address for the IP packets for which this filter is valid. Take into account any potential abstractions brought about by placeholders.
Warning message for port protocol association
Example of configuration for enabling the firewall for Web surfing.
First, set the response by the last filter rule to »discard«.
The IP packets for two services must be routed through the firewall in order that pages from the World Wide Web can be displayed: DNS for resolving names and the »html data flow«. When you enter a URL in the Web browser, the browser uses a DNS enquiry for transforming the plain-text name (for example www.Telekom.de) into an IP address (in the example here 217.160.73.88). After that, the browser establishes at least one connection to this IP address via TCP/IP. This yields the following filter configuration:
The UDP and TCP protocols must be enabled for DNS (protocol name: domain) for the destination port 53 of any DNS server from any non-privileged port; the same applies for the return route.
Access to any destination addresses for port 80 must be possible for http requests for the TCP protocol via the WAN interface from non-privileged ports. The return path for reply packets must be enabled appropriately: from any Internet IP addresses (0.0.0.0/0) from port 80 to non-privileged ports for the WAN address of the PABX system.
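The Web-surfing filter set described above, modelled as an added example (not code from the manual or the elmeg firmware). It assumes first-match, stateless evaluation, that non-privileged ports are 1024-65535, and a constructed WAN address 203.0.113.10; the rule and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")
WAN_ADDR = ip_network("203.0.113.10/32")  # constructed WAN address (documentation range)
UNPRIV = range(1024, 65536)               # assumption: "non-privileged" means 1024-65535
DNS, HTTP = range(53, 54), range(80, 81)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "discard"
    proto: str       # "TCP" or "UDP"
    direction: str   # "out" or "in" on the WAN interface
    src: object      # source network
    sport: range     # source port range
    dst: object      # target network
    dport: range     # target port range

def web_surfing_rules():
    """DNS (UDP and TCP, port 53) and http (TCP, port 80), each with its return route."""
    rules = []
    for proto in ("UDP", "TCP"):
        rules.append(Rule(f"dns_{proto}_out", "allow", proto, "out", ANY_NET, UNPRIV, ANY_NET, DNS))
        rules.append(Rule(f"dns_{proto}_in", "allow", proto, "in", ANY_NET, DNS, WAN_ADDR, UNPRIV))
    rules.append(Rule("http_out", "allow", "TCP", "out", ANY_NET, UNPRIV, ANY_NET, HTTP))
    rules.append(Rule("http_in", "allow", "TCP", "in", ANY_NET, HTTP, WAN_ADDR, UNPRIV))
    return rules

def evaluate(rules, proto, direction, src, sport, dst, dport, last_rule="discard"):
    """Return (action, rule name) of the first matching rule, else the last-rule response."""
    for r in rules:
        if (r.proto == proto and r.direction == direction
                and ip_address(src) in r.src and sport in r.sport
                and ip_address(dst) in r.dst and dport in r.dport):
            return r.action, r.name
    return last_rule, "last filter rule"

if __name__ == "__main__":
    packets = [  # constructed sample packets
        ("UDP", "out", "203.0.113.10", 40000, "198.51.100.53", 53),  # DNS enquiry
        ("TCP", "out", "203.0.113.10", 40001, "217.160.73.88", 80),  # http request
        ("TCP", "in", "217.160.73.88", 80, "203.0.113.10", 40001),   # http reply
        ("TCP", "in", "198.51.100.7", 50000, "203.0.113.10", 22),    # ssh: no rule yet
        ("TCP", "in", "198.51.100.7", 80, "203.0.113.10", 45000),    # no prior request
    ]
    for p in packets:
        print(p, "->", evaluate(web_surfing_rules(), *p))
```

The last sample packet is allowed by http_in although no request preceded it, because the return-path rule as modelled matches on source port 80 alone.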
Configuration example for a portmapping entry into the firewall for the ssh-protocol
The ssh protocol (secure shell) is used among other things for web server administration, or to implement VPN tunnels. Data can be transferred encrypted using the ssh protocol (not significant for configuration of the firewall however). Normally, port 22 of the TCP protocol is used. In the example shown here, the web server in your LAN has the fixed, assigned IP address 192.168.1.42. Administration access should be provided for this web server in your LAN via ssh from the Internet. Please note that you also require equivalent filters for Port 80 if the contents of the web server are to be accessible from the Internet.
You must generate three rules for the firewall based on this information with the default setting »Response by last filter rule → discard«:
ssh_MAP: This filter routes incoming packets that arrive from any IP addresses and non-privileged ports at the Internet-end IP address of the telephone system router unit on to the computer with the IP address 192.168.1.42; Port 22 is retained.
ssh_WAN_in: This filter permits passing of incoming packets from any IP address and non-privileged ports to the Internet-end IP address of the telephone system router unit.
ssh_WAN_out: This filter permits outgoing packets from Port 22 to pass through the WAN interface (i.e. the connection for the DSL modem or the ISDN dial-up connection to the Internet) to any IP address and non-privileged ports.

Filter name    Action   Protocol  TCP-Flag  Interface  Connection  Source IP  Target IP
NetBios block  discard  UDP       none      WAN        out         0.0.0.0/0  0.0.0.0/0
ssh_portmap    portmap  TCP       none      WAN        in          0.0.0.0/0  192.168.1.42
ssh_WAN_in     allow    TCP       none      WAN        in          0.0.0.0/0  WAN_ADDR
ssh_WAN_out    allow    TCP       none      WAN        out         WAN_ADDR   0.0.0.0/0

Source port and target port entries, in printed order: 137-139, any, 22, any, 22, any, 22, 22

Here you specify the source address for the IP packets for which this filter is valid. Take into account any potential abstractions brought about by placeholders.
A warning appears if you attempt to enter an unknown name in the field for the TCP port. If this is bothersome you can suppress this message by removing the corresponding check in the box.


This manual is also suitable for:

T484
