elmeg T444 Manual page 28

Configure firewall filters
Here you specify the source address for the IP packets for which this filter is valid. Take into account any potential abstractions brought about by place holders.

Target address definition
Here you specify the target address for the IP packets for which this filter is valid. Take into account any potential abstractions brought about by place holders.

Warning message for port protocol association
A warning appears if you attempt to enter an unknown name in the field for the TCP port. If this is bothersome you can suppress this message by removing the corresponding check in the box.

Example of configuration for enabling the firewall for Web surfing.
First, set the response by the last filter rule to »discard«.
The IP packets for two services must be routed through the firewall in order that pages from the World Wide Web can be displayed: DNS for establishing names and the »html data flow«. When you enter a URL in the Web browser, the browser uses a DNS enquiry for transforming the plain-text name (for example www.Telekom.de) into an IP address (in the example here 217.160.73.88). After that, the browser establishes at least one connection to this IP address via TCP/IP. This yields the following filter configuration:
The UDP and TCP protocols must be enabled for DNS (protocol name: domain) for the destination port 53 of any DNS server from any non-privileged port; the same applies for the return route.
Access to any destination addresses for port 80 must be possible for http requests for the TCP protocol via the WAN interface from non-privileged ports. The return path for reply packets must be enabled appropriately: From any Internet IP addresses (0.0.0.0/0) from port 80 to non-privileged ports for the WAN address of the PABX system.

Configuration example for a portmapping entry into the firewall for the ssh-protocol
The ssh protocol (secure shell) is used among other things for web server administration, or to implement VPN tunnels. Data can be transferred encrypted using the ssh protocol (not significant for configuration of the firewall however). Normally, port 22 of the TCP protocol is used. In the example shown here, the web server in your LAN has the fixed, assigned IP address 192.168.1.42. Administration access should be provided for this web server in your LAN via ssh from the Internet. Please note that you also require equivalent filters for Port 80 if the contents of the web server are to be accessible from the Internet.
You must generate three rules for the firewall based on this information with the default setting »Response by last filter rule → discard«:

ssh_MAP:
This filter routes incoming packets from any IP addresses and non-privileged ports to the Internet-end IP address of the telephone system router unit to the computer with the IP address 192.168.1.42; Port 22 is retained.

ssh_WAN_in:
This filter permits passing of incoming packets from any IP address and non-privileged ports to the Internet-end IP address of the telephone system router unit.

ssh_WAN_out:
This filter permits outgoing packets from Port 22 to pass through the WAN interface (i.e. the connection for the DSL modem or the ISDN dial-up connection to the Internet) to any IP address and non-privileged ports.

| Filter name | Action | Protocol | TCP-Flag | Interface | Connection | Source IP |
| NetBios block | discard | UDP | none | WAN | out | 0.0.0.0/0 |
| ssh_portmap | portmap | TCP | none | WAN | in | 0.0.0.0/0 |
| ssh_WAN_in | allow | TCP | none | WAN | in | 0.0.0.0/0 |
| ssh_WAN_out | allow | TCP | none | WAN | out | WAN_ADDR |

Source port, Target IP, Target port (cell values in the order they appear on the page): 137-139, 0.0.0.0/0, any, 22, 192.168.1.42, any, WAN_ADDR, 22, 0.0.0.0/0, any, 22, 22
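The three ssh rules can be checked against sample packets before they are entered. The following is an added example, not code from the manual or from the device: it assumes rules are evaluated in list order with the first matching allow/discard rule deciding, that a portmap entry only records the LAN target, and that non-privileged ports are 1024-65535; the WAN address 203.0.113.10 and the client 198.51.100.7 are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NONPRIV = range(1024, 65536)              # non-privileged ports
SSH = range(22, 23)                       # port 22 only
ANY = ip_network("0.0.0.0/0")
WAN_ADDR = ip_network("203.0.113.10/32")  # constructed stand-in for the router's WAN address

@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow", "discard" or "portmap"
    proto: str
    direction: str    # "in" or "out" on the WAN interface
    src: object       # ip_network the source address must fall in
    sports: range
    dst: object       # ip_network the target address must fall in
    dports: range
    map_to: str = None

    def matches(self, direction, proto, src, sport, dst, dport):
        return (direction == self.direction and proto == self.proto
                and ip_address(src) in self.src and sport in self.sports
                and ip_address(dst) in self.dst and dport in self.dports)

# The three rules as the manual describes them in prose.
RULES = [
    Rule("ssh_portmap", "portmap", "TCP", "in", ANY, NONPRIV, WAN_ADDR, SSH, "192.168.1.42"),
    Rule("ssh_WAN_in", "allow", "TCP", "in", ANY, NONPRIV, WAN_ADDR, SSH),
    Rule("ssh_WAN_out", "allow", "TCP", "out", WAN_ADDR, SSH, ANY, NONPRIV),
]

def evaluate(direction, proto, src, sport, dst, dport, rules=RULES, last_rule="discard"):
    """Return (verdict, name of the deciding rule, LAN host the packet is mapped to)."""
    mapped = None
    for r in rules:
        if not r.matches(direction, proto, src, sport, dst, dport):
            continue
        if r.action == "portmap":   # assumed: the mapping alone does not permit the packet
            mapped = r.map_to
            continue
        return r.action, r.name, (mapped if r.action == "allow" else None)
    return last_rule, None, None    # response by the last filter rule

if __name__ == "__main__":
    # Constructed packets: ssh request, its reply, and a port 80 request with no matching rule.
    for pkt in [("in", "TCP", "198.51.100.7", 50000, "203.0.113.10", 22),
                ("out", "TCP", "203.0.113.10", 22, "198.51.100.7", 50000),
                ("in", "TCP", "198.51.100.7", 50000, "203.0.113.10", 80)]:
        print(pkt, "->", evaluate(*pkt))
```

The port 80 packet falls through to the last-rule response, which is why the manual asks for equivalent filters if the web server's contents are to be reachable.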


This manual is also suitable for:

T484
