P-660H/HW-D Series User’s Guide 4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers. 5 Does this rule conflict with any existing rules? 6 Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens. 10.
P-660H/HW-D Series User’s Guide 10.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed nonrestricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN. WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN).
P-660H/HW-D Series User’s Guide The following table describes the labels in this screen. Table 56 Firewall: General LABEL DESCRIPTION Active Firewall Select this check box to activate the firewall. The ZyXEL Device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network.
P-660H/HW-D Series User’s Guide Figure 87 Firewall Rules The following table describes the labels in this screen. Table 57 Firewall Rules LABEL DESCRIPTION Firewall Rules Storage Space in Use This read-only bar shows how much of the ZyXEL Device's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
P-660H/HW-D Series User’s Guide Table 57 Firewall Rules (continued) LABEL DESCRIPTION Action This field displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject) or allows the passage of packets (Permit) Schedule This field tells you whether a schedule is specified (Yes) or not (No). Log This field shows you whether a log is created when packets match this rule (Yes) or not (No).
P-660H/HW-D Series User’s Guide Figure 88 Firewall: Edit Rule 163 Chapter 10 Firewall Configuration
P-660H/HW-D Series User’s Guide The following table describes the labels in this screen. Table 58 Firewall: Edit Rule LABEL DESCRIPTION Active Select this option to enable this firewall rule. Action for Matched Packet Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
P-660H/HW-D Series User’s Guide Table 58 Firewall: Edit Rule (continued) LABEL DESCRIPTION Apply Click Apply to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 10.6.2 Customized Services Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website.
P-660H/HW-D Series User’s Guide 10.6.3 Configuring A Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen. Refer to Section 9.1 on page 144 for more information. Figure 90 Firewall: Configure Customized Services The following table describes the labels in this screen.
P-660H/HW-D Series User’s Guide Figure 91 Firewall Example: Rules 3 In the Rules screen, select the index number after that you want to add the rule. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8. 4 Click Add to display the firewall rule configuration screen. 5 In the Edit Rule screen, click the Edit Customized Services link to open the Customized Service screen.
P-660H/HW-D Series User’s Guide Figure 93 Firewall Example: Edit Rule: Destination Address 9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. Note: Custom services show up with an “*” before their names in the Services list box and the Rules list box.
P-660H/HW-D Series User’s Guide Figure 94 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
P-660H/HW-D Series User’s Guide Figure 95 Firewall Example: Rules: MyService 10.8 Predefined Services The Available Services list box in the Edit Rule screen (see Section 10.6.1 on page 162) displays all predefined services that the ZyXEL Device already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
P-660H/HW-D Series User’s Guide Table 61 171 Predefined Services (continued) SERVICE DESCRIPTION H.323(TCP:1720) Net Meeting uses this protocol. HTTP(TCP:80) Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS HTTPS is a secured http session often used in e-commerce. ICQ(UDP:4000) This is a popular Internet chat program. IPSEC_TRANSPORT/ TUNNEL(AH:0) The IPSEC AH (Authentication Header) tunneling protocol uses this service.
P-660H/HW-D Series User’s Guide Table 61 Predefined Services (continued) SERVICE DESCRIPTION SSDP(UDP:1900) Simole Service Discovery Protocol (SSDP) is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using DUDP port 1900. SSH(TCP/UDP:22) Secure Shell Remote Login Program. STRMWORKS(UDP:1558) Stream Works Protocol. SYSLOG(UDP:514) Syslog allows you to send system logs to a UNIX server.
P-660H/HW-D Series User’s Guide The following table describes the labels in this screen. Table 62 Firewall: Anti Probing LABEL DESCRIPTION Respond to PING on The ZyXEL Device does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests. Do Not Respond to Requests for Unauthorized Services.
P-660H/HW-D Series User’s Guide If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced. You should make any changes to the threshold values before you continue configuring firewall rules. 10.10.
P-660H/HW-D Series User’s Guide 10.10.3 Configuring Firewall Thresholds The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Firewall, and Threshold to bring up the next screen. Figure 97 Firewall: Threshold The following table describes the labels in this screen.
P-660H/HW-D Series User’s Guide Table 63 Firewall: Threshold (continued) LABEL DESCRIPTION DEFAULT VALUES Maximum Incomplete Low This is the number of existing half-open 80 existing half-open sessions. sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.
P-660H/HW-D Series User’s Guide 177 Chapter 10 Firewall Configuration
P-660H/HW-D Series User’s Guide C H A P T E R 11 Content Filtering This chapter covers how to configure content filtering. 11.1 Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the ZyXEL Device performs content filtering.
P-660H/HW-D Series User’s Guide The following table describes the labels in this screen. Table 64 Content Filter: Keyword LABEL DESCRIPTION Active Keyword Blocking Select this check box to enable this feature. Block Websites that contain This box contains the list of all the keywords that you have configured the these keywords in the URL: ZyXEL Device to block. Delete Highlight a keyword in the box and click Delete to remove it. Clear All Click Clear All to remove all of the keywords from the list.
P-660H/HW-D Series User’s Guide The following table describes the labels in this screen. Table 65 Content Filter: Schedule LABEL DESCRIPTION Schedule Select Active Everyday to Block to make the content filtering active everyday. Otherwise, select Edit Daily to Block and configure which days of the week (or everyday) and which time of the day you want the content filtering to be active. Active Select the check box to have the content filtering to be active on the selected day.
P-660H/HW-D Series User’s Guide 181 Chapter 11 Content Filtering
P-660H/HW-D Series User’s Guide CHAPTER 12 Static Route This chapter shows you how to configure static routes for your ZyXEL Device. 12.1 Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL Device knows about network N2 in the following figure through remote node Router 1.
P-660H/HW-D Series User’s Guide Figure 102 Static Route The following table describes the labels in this screen. Table 67 Static Route LABEL DESCRIPTION # This is the number of an individual static route. Active Select the check box to activate this static route. Otherwise, clear the check box. Name This is the name that describes or identifies this route. Destination This parameter specifies the IP network address of the final destination. Routing is always based on network number.
P-660H/HW-D Series User’s Guide Figure 103 Static Route Edit The following table describes the labels in this screen. Table 68 Static Route Edit LABEL DESCRIPTION Active This field allows you to activate/deactivate this static route. Route Name Enter the name of the IP static route. Leave this field blank to delete this static route. Destination IP Address This parameter specifies the IP network address of the final destination. Routing is always based on network number.
P-660H/HW-D Series User’s Guide 185 Chapter 12 Static Route
P-660H/HW-D Series User’s Guide CHAPTER 13 Bandwidth Management This chapter contains information about configuring bandwidth management, editing rules and viewing the ZyXEL Device’s bandwidth management logs. 13.1 Bandwidth Management Overview ZyXEL’s Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules.
P-660H/HW-D Series User’s Guide Figure 104 Subnet-based Bandwidth Management Example 13.4 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
P-660H/HW-D Series User’s Guide 13.5.2 Fairness-based Scheduler The ZyXEL Device divides bandwidth equally among bandwidth classes when using the fairness-based scheduler; thus preventing one bandwidth class from using all of the interface’s bandwidth. 13.
P-660H/HW-D Series User’s Guide 13.6.2 Maximize Bandwidth Usage Example Here is an example of a ZyXEL Device that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option.
P-660H/HW-D Series User’s Guide • Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes. 13.6.2.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets.
P-660H/HW-D Series User’s Guide 13.7 Over Allotment of Bandwidth You can set the bandwidth management speed for an interface higher than the interface’s actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up all of the interface’s available bandwidth. This could stop lower priority traffic from being sent. The following is an example.
P-660H/HW-D Series User’s Guide The following table describes the labels in this screen. Table 75 Media Bandwidth Management: Summary LABEL DESCRIPTION Interface These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
P-660H/HW-D Series User’s Guide Figure 106 Bandwidth Management: Rule Setup The following table describes the labels in this screen. Table 76 Bandwidth Management: Rule Setup 193 LABEL DESCRIPTION Direction Select the direction of traffic to which you want to apply bandwidth management. Service Select a service for your rule or you can select User Defined to go to the screen where you can define your own. Priority Select a priority from the drop down list box. Choose High, Mid or Low.
P-660H/HW-D Series User’s Guide 13.9.1 Rule Configuration Click the Edit icon or select User Defined from the Service drop-down list in the Rule Setup screen to configure a bandwidth management rule. Use bandwidth rules to allocate specific amounts of bandwidth capacity (bandwidth budgets) to specific applications and/or subnets. Figure 107 Bandwidth Management Rule Configuration The following table describes the labels in this screen.
P-660H/HW-D Series User’s Guide Table 77 Bandwidth Management Rule Configuration (continued) LABEL DESCRIPTION Use All Managed Bandwidth Select this option to allow a rule to borrow unused bandwidth on the interface. Bandwidth borrowing is governed by the priority of the rules. That is, a rule with the highest priority is the first to borrow bandwidth.
P-660H/HW-D Series User’s Guide Table 78 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP (File Transfer Protocol) 21 SMTP (Simple Mail Transfer Protocol) 25 DNS (Domain Name System) 53 Finger 79 HTTP (Hyper Text Transfer protocol or WWW, Web) 80 POP3 (Post Office Protocol) 110 NNTP (Network News Transport Protocol) 119 SNMP (Simple Network Management Protocol) 161 SNMP trap 162 PPTP (Point-to-Point Tunneling Protocol) 1723 13.