The DFL-700 provides three 10/100M Ethernet network interface ports: one Internal/LAN, one External/WAN and one DMZ port. It also provides an easy-to-use web management interface (WebUI) that allows users to set system parameters or monitor network activity from a web browser.
Features and Benefits
• Firewall Security
• VPN Server/Client Supported
• Content Filtering
• Bandwidth Management
The DFL-700 features an extensive Traffic Shaper for bandwidth management.
• Web Management
Configurable through any networked computer’s web browser using Netscape or Internet Explorer.
• Access Control supported
Allows you to assign different access rights to different users, such as Admin or Read-Only User.
Introduction to Firewalls
A firewall is a device that sits between your network and the Internet and prevents unauthorized access to or from your network. A firewall can be a computer running firewall software or a special piece of hardware built specifically to act as a firewall. In most circumstances, a firewall is used to prevent unauthorized Internet users from accessing private networks or corporate LANs and intranets.
A firewall watches all of the information moving to and from your network and analyzes
each piece of data. Each piece of data is checked against a set of criteria that the
administrator configures. If any data does not meet the criteria, that data is blocked and
discarded. If the data meets the criteria, the data is passed through. This method is called
packet filtering.
A firewall can also run specific security functions based on the type of application or type
of port that is being used. For example, a firewall can be configured to work with an FTP or
Telnet server. Or a firewall can be configured to work with specific UDP or TCP ports to allow
certain applications or games to work properly over the Internet.
Introduction to Local Area Networking
Local Area Networking (LAN) is the term used when connecting several computers together over a small area such as a building or group of buildings. LANs can be connected over large areas. A collection of LANs connected over a large area is called a Wide Area Network (WAN).
A LAN consists of multiple computers connected to each other. There are many types of media that can connect computers together. The most common medium is CAT5 cable (UTP or STP twisted pair wire). Wireless networks, on the other hand, do not use wires; instead they communicate over radio waves. Each computer must have a Network Interface Card (NIC), which communicates the data between computers. A NIC is usually a 10Mbps network card, a 10/100Mbps network card or a wireless network card.
Most networks use hardware devices such as hubs or switches that each cable can be
connected to in order to continue the connection between computers. A hub simply takes any
data arriving through each port and forwards the data to all other ports. A switch is more
sophisticated, in that a switch can determine the destination port for a specific piece of data.
A switch minimizes network traffic overhead and speeds up the communication over a
network.
Networks take some time in order to plan and implement correctly. There are many ways
to configure your network. You may want to take some time to determine the best network
set-up for your needs.
LEDs
Power: A solid light indicates a proper connection to the power supply.
Status: System status indicator; flashes to indicate an active system. If the LED is solidly lit, the unit is defective.
WAN, LAN & DMZ: Ethernet port indicators, Green. The LED flickers when the ports are
sending or receiving data.
Physical Connections
Console: Serial access to the firewall software; 9600 bps, 8 data bits, no parity, 1 stop bit.
DMZ Port: Use this port to connect the company’s server(s) that need a direct connection to the Internet (FTP, SNMP, HTTP, DNS).
Internal Port (LAN): Use this port to connect to the internal network of the office.
External Port (WAN): Use this port to connect to the external router, DSL modem or cable modem.
Reset: Reset the DFL-700 to the original default settings.
DC Power: connect one end of the power supply to this port, the other end to the
electrical wall outlet.
Package Contents
Contents of Package:
• D-Link DFL-700 Firewall
• Manual and CD
• Quick Installation Guide
• AC Power adapter
Note: Using a power supply with a different voltage rating than the one included
with the DFL-700 will cause damage and void the warranty for this product.
If any of the above items are missing, please contact your reseller.
System Requirements
• Computer with a Windows, Macintosh, or Unix based operating system with an installed Ethernet adapter
• Internet Explorer or Netscape Navigator, version 6.0 or above, with JavaScript enabled.
Managing D-Link DFL-700
When a change is made to the configuration, a new icon named Activate Changes will appear.
When the administrator has made all the intended changes, they need to be saved and activated to take effect. This is done by clicking the Activate Changes button on the Activate Configuration Changes page. The firewall will then save the configuration and reload it, letting the new changes take effect.
For the changes to become permanent, however, the administrator must log in again before a configurable timeout is reached; otherwise the changes are not kept. The timeout is set on the Activate Configuration Changes page by choosing the time from the dropdown menu. This also guards against a change that cuts off management access: if the new configuration makes the firewall unreachable, the re-login cannot happen and the change is not kept.
Resetting the DFL-700
To reset the DFL-700 to factory default settings, hold the reset button down for at least 15 seconds after powering on the unit. You will first hear one beep, indicating that the firmware has started and the restore has begun; keep the button pressed until you hear two beeps in quick succession. Then release the reset button and the DFL-700 will continue to load and start up in default mode, i.e. with 192.168.1.1 on the LAN interface. Since anyone with physical access to the reset button can restore the defaults, the unit should be kept in a physically secured location.
Administration Settings
Administrative Access
Ping – If enabled, specifies who can ping the interface IP of the DFL-700. If enabled with no networks specified, anyone may ping the interface IP.
Admin – If enabled, allows users with admin access to connect to the DFL-700 and change the configuration. The protocol can be HTTPS only, or HTTP and HTTPS. Over plain HTTP the administrator’s credentials and the configuration travel unencrypted, so choose HTTPS only and restrict admin access to the management networks that need it, in particular on the WAN interface.
Read-Only – If enabled, allows users with read-only access to connect to the DFL-700 and view the configuration; again HTTPS only, or HTTP and HTTPS. If an interface has only read-only access enabled and no admin access, admin users can still connect but will be in read-only mode.
SNMP – Specifies whether SNMP is allowed on the interface; the DFL-700 supports read-only access only. The SNMP community string is sent in clear text, so treat it as a password and restrict the networks allowed to query.
Add ping access to an interface
Follow these steps to add ping access to an interface.
Step 1. Click on the interface you would like to add it to.
Step 2. Enable the Ping checkbox.
Step 3. Specify what networks are allowed to ping the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Add Admin access to an interface
To add admin access, click on the interface you would like to add it to. Only users with administrator rights can log in on an interface where only admin access is enabled.
Follow these steps to add admin access to an interface.
Step 1. Click on the interface you would like to add it to.
Step 2. Enable the Admin checkbox.
Step 3. Specify what networks are allowed admin access to the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range.
Step 4. Specify the protocol used to access the DFL-700 from the dropdown menu, either HTTP and HTTPS (Secure HTTP) or only HTTPS.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Add Read-only access to an interface
To add read-only access, click on the interface you would like to add it to. Note that if only read-only access is enabled on an interface, all users get read-only access there, even if they are administrators.
Follow these steps to add read-only access to an interface.
Step 1. Click on the interface you would like to add it to.
Step 2. Enable the Read-only checkbox.
Step 3. Specify what networks are allowed read-only access to the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range.
Step 4. Specify the protocol used to access the DFL-700 from the dropdown menu, either HTTP and HTTPS (Secure HTTP) or only HTTPS.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Enable SNMP access to an interface
Follow these steps to add read-only SNMP access to an interface.
Step 1. Click on the interface you would like to add it to.
Step 2. Enable the SNMP checkbox.
Step 3. Specify what networks are allowed to query the interface over SNMP, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range.
Step 4. Specify the community string used to authenticate against the DFL-700. Choose one that is not guessable; it travels in clear text, so the network restriction in Step 3 is the real protection.
Click the Apply button below to apply the setting or click Cancel to discard changes.
System
Interfaces
Click on System in the menu bar, and then click interfaces below it.
Change IP of the LAN or DMZ interface
Follow these steps to change the IP of the LAN or DMZ interface.
Step 1. Choose which interface to view or change under the Available interfaces list.
Step 2. Fill in the IP address of the LAN or DMZ interface. This is the address used to ping the firewall, to manage it remotely and as the gateway for the internal or DMZ hosts.
Step 3. Choose the correct Subnet mask of this interface from the drop down menu.
Click the Apply button below to apply the setting or click Cancel to discard changes.
WAN Interface Settings – Using Static IP
If you are using Static IP you have to fill in the IP address information provided to you by your ISP. All fields are required except the Secondary DNS Server. Do not use the numbers displayed in these fields; they are only an example.
• IP Address – The IP address of the WAN interface. This is the address that may be used to ping the firewall, to manage it remotely, and as the source address for dynamically translated connections.
• Subnet Mask – Size of the external network.
• Gateway IP – Specifies the IP address of the default gateway used to reach the Internet.
• Primary and Secondary DNS Server – The IP addresses of your DNS servers; only the Primary DNS is required.
WAN Interface Settings – Using DHCP
If you are using DHCP there is no need to enter any values in any of the fields.
WAN Interface Settings – Using PPPoE
Use the following procedure to configure the DFL-700 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill in the username and password provided to you by your ISP.
• Username – The login or username supplied to you by your ISP.
• Password – The password supplied to you by your ISP.
• Service Name – When using PPPoE some ISPs require you to fill in a Service Name.
• Primary and Secondary DNS Server – The IP addresses of your DNS servers; these are optional and are often provided by the PPPoE service.
WAN Interface Settings – Using PPTP
PPTP over Ethernet connections are used in some DSL and cable modem networks. You need your account details, and possibly also the IP configuration parameters of the physical interface that the PPTP tunnel runs over. Your ISP should supply this information.
• Username – The login or username supplied to you by your ISP.
• Password – The password supplied to you by your ISP.
• PPTP Server IP – The IP of the PPTP server that the DFL-700 should connect to.
Before PPTP can be used to connect to your ISP, the physical (WAN) interface parameters need to be supplied. Either DHCP or Static IP can be used; this depends on the ISP, which should supply the information.
If using Static IP, the following must be filled in:
• IP Address – The IP address of the WAN interface. This IP is used to connect to the PPTP server.
• Subnet Mask – Size of the external network.
• Gateway IP – Specifies the IP address of the default gateway used to reach the Internet.
WAN Interface Settings – Using BigPond
The ISP Telstra BigPond uses BigPond authentication; the IP is assigned with DHCP.
• Username – The login or username supplied to you by your ISP.
• Password – The password supplied to you by your ISP.
Traffic Shaping
When Traffic Shaping is enabled and the correct maximum up and downstream
bandwidth is specified it’s possible to control which policies have the highest priority when
large amounts of data are moving through the DFL-700. For example, the policy for the web
server might be given higher priority than the policies for most employees' computers.
You can use traffic shaping to guarantee the amount of bandwidth available through the
firewall for a policy. Guarantee bandwidth to make sure that there is enough bandwidth
available for a high-priority service. You can also use traffic shaping to limit the amount of
bandwidth available through the firewall for a policy. Limit bandwidth to keep less important
services from using bandwidth needed for more important services.
Note: If the limit is set too high, i.e. higher than what your Internet connection actually delivers, the traffic shaping will not work at all, because the bottleneck is then upstream of the firewall and the firewall never has to choose which traffic to hold back.
MTU Configuration
To improve the performance of your Internet connection, you can adjust the maximum
transmission unit (MTU) of the packets that the DFL-700 transmits from its external interface.
Ideally, you want this MTU to be the same as the smallest MTU of all the networks between
the DFL-700 and the Internet. If the packets the DFL-700 sends are larger, they get broken up
or fragmented, which could slow down transmission speeds.
Trial and error is the only sure way of finding the optimal MTU, but there are some guidelines that can help. For example, the MTU of many PPP connections is 576, so if you connect to the Internet via PPPoE, you might want to set the MTU size to 576. DSL modems may also have small MTU sizes. Most Ethernet networks have an MTU of 1500.
Note: If you connect to your ISP using DHCP to obtain an IP address for the external
interface, you cannot set the MTU below 576 bytes due to DHCP communication
standards.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Routing
Click on System in the menu bar, and then click Routing below it. This lists all configured routes.
The Routes configuration section describes the firewall’s routing table. DFL-700 uses a
slightly different way of describing routes compared to most other systems. However, we
believe that this way of describing routes is easier to understand, making it less likely for
users to cause errors or breaches in security.
Interface – Specifies which interface packets destined for this route shall be sent through.
Network – Specifies the network address for this route.
Gateway – Specifies the IP address of the next router hop used to reach the destination
network. If the network is directly connected to the firewall interface, no gateway address is
specified.
Local IP Address – The IP address specified here will be automatically published on the
corresponding interface. This address will also be used as the sender address in ARP queries.
If no address is specified, the firewalls own interface IP address will be used.
Proxy ARP – Specifies that the firewall shall publish this route via Proxy ARP.
One advantage of this notation is that you can specify a gateway for a particular route without having a route that covers the gateway’s IP address, or even when the route that covers the gateway’s IP address is normally routed via another interface.
The difference from the most commonly used notation is that there the interface name is not given in a separate column. Instead, the IP address of each interface is specified as a gateway.
Note: The firewall does not Proxy ARP routes on VPN interfaces.
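The notation above as an added example, not D-Link code or part of this manual: a small Python model in which every route carries an interface column and an optional gateway, looked up by ordinary longest-prefix matching. The table, addresses and interface names are constructed. The last route has a gateway that no directly connected route covers, which this notation allows and which a conventional gateway-only table could not resolve.

```python
"""Model of the DFL-700 routing notation: each route names the interface the
packet leaves through, plus an optional next-hop gateway. Added example, not
D-Link code; the table below is constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    interface: str                          # WAN, LAN or DMZ
    network: IPv4Network                    # destination network
    gateway: Optional[IPv4Address] = None   # None: directly connected
    proxy_arp: bool = False                 # publish this route via Proxy ARP


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific network wins."""
    ip = IPv4Address(dst)
    best = None
    for r in routes:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def next_hop(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(interface, address the firewall ARPs for). On a directly connected
    network that is the destination itself, otherwise the gateway."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return (r.interface, str(r.gateway) if r.gateway else str(IPv4Address(dst)))


def gateway_resolvable_conventionally(routes: List[Route], route: Route) -> bool:
    """A conventional table has no interface column, so a gateway is usable
    only if some directly connected route covers it. The DFL-700 notation does
    not need this: the interface column already says where to send the packet."""
    if route.gateway is None:
        return True
    covering = lookup(routes, str(route.gateway))
    return covering is not None and covering.gateway is None


TABLE = [
    Route("WAN", IPv4Network("0.0.0.0/0"), IPv4Address("203.0.113.1")),       # default route
    Route("WAN", IPv4Network("203.0.113.0/24")),                              # ISP segment
    Route("LAN", IPv4Network("192.168.1.0/24")),
    Route("DMZ", IPv4Network("192.168.2.0/24"), proxy_arp=True),
    Route("LAN", IPv4Network("10.10.0.0/16"), IPv4Address("192.168.1.254")),  # router on the LAN
    # Gateway covered only by the default route, which itself goes via a
    # gateway: fine with an interface column, unresolvable without one.
    Route("WAN", IPv4Network("198.51.100.0/24"), IPv4Address("203.0.114.9")),
]


def demo():
    return {dst: next_hop(TABLE, dst)
            for dst in ("192.0.2.50", "192.168.1.20", "10.10.5.5", "198.51.100.7")}


if __name__ == "__main__":
    for dst, hop in demo().items():
        print(f"{dst:15} -> {hop}")
    for r in TABLE:
        ok = gateway_resolvable_conventionally(TABLE, r)
        print(r.network, "conventional table OK" if ok else "needs the interface column")
```

Because the interface is explicit, a typo in a gateway address cannot silently send traffic out of a different interface; the route either matches on the interface you named or not at all, which is the "less likely to cause breaches" point the text makes.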
Add a new Static Route
Follow these steps to add a new route.
Step 1. Go to System and Routing.
Step 2. Click on Add new at the bottom of the routing table.
Step 3. Choose the interface that the route should be sent through from the dropdown menu.
Step 4. Specify the Network and Subnet mask.
Step 5. If this network is behind a remote gateway, enable the checkbox Network is behind remote gateway and specify the IP of that gateway.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Remove a Static Route
Follow these steps to remove a route.
Step 1. Go to System and Routing.
Step 2. Click Edit next to the route you would like to remove.
Step 3. Check the checkbox named Delete this route.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Logging
Click on System in the menu bar, and then click Logging below it.
Logging, the ability to audit decisions made by the firewall, is a vital part of all network security products. The D-Link DFL-700 provides several options for logging its activity. It logs its activities by sending the log data to one or two log receivers in the network. Since the logs live only on the receivers, make sure at least one is reachable from the firewall, or there is no audit trail.
All logging is done to syslog recipients. The log format used for syslog logging is suitable for automated processing and searching.
The D-Link DFL-700 specifies a number of events that can be logged. Some of these events, for instance startup and shutdown events, are mandatory and will always generate log entries. Others, for instance logging when allowed connections are opened and closed, are configurable. It is also possible to have e-mail alerting for IDS/IDP events to up to three e-mail addresses.
Enable Logging
Follow these steps to enable logging.
Step 1. Enable syslog by checking the Syslog box.
Step 2. Fill in your first syslog server as Syslog server 1, if you have two syslog servers
you have to fill in the second one as Syslog server 2. You must fill in at least one syslog
server for logging to work.
Step 3. Specify what facility to use by selecting the appropriate syslog facility. Local0 is
the default facility.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Enable Audit Logging
To start auditing all traffic through the firewall, follow the steps below; the firewall will then log all traffic passing through it. This is needed for running third-party log analyzers on the logs and to see how much traffic different connections use.
Follow these steps to enable auditing.
Step 1. Enable audit logging by checking the Enable audit logging box.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Enable E-mail alerting for IDS/IDP events
Follow these steps to enable E-mail alerting.
Step 1. Enable E-mail alerting by checking the Enable E-mail alerting for IDS/IDP events checkbox.
Step 2. Choose the sensitivity level.
Step 3. In the SMTP Server field, fill in the SMTP server to which the DFL-700 should send email.
Step 4. Specify up to three valid email addresses to receive the email alerts.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Intrusion attacks will always be logged in the usual logs if IDS is enabled for any of the
rules.
For more information about how to enable intrusion detection and prevention on a policy
or port mapping, read more under Policies and Port Mappings in the Firewall section below.
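What a receiver does with these messages, as an added example that is not D-Link code: it decodes the syslog PRI field to confirm the facility matches what was chosen in Step 3 of Enable Logging (Local0 is facility 16, so a Local0 informational message is framed as <134>), extracts the fields of each entry, and runs a first detection over audit lines. The DFL-700’s exact message body is not shown on this page, so the key=value sample lines, the hostname and the rule names are constructed.

```python
"""Receiver-side decoding of DFL-700 syslog output. Added example, not D-Link
code. The page does not show the message body format, so the key=value bodies
below are constructed; the <PRI> framing and facility arithmetic are RFC 3164."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity, so local0 at info level is 16*8+6 = 134."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["msg"])}
    return {"facility": facility, "severity": severity, "host": m["host"], **fields}


def summarize(lines: List[str], expected_facility: str = "local0") -> Tuple[Counter, int]:
    """Events per type, plus how many lines arrived under a facility other than
    the one configured on the Logging page (a receiver filtering on local0 would
    silently discard those)."""
    by_event: Counter = Counter()
    off_facility = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["facility"] != expected_facility:
            off_facility += 1
        by_event[ev.get("event", "unknown")] += 1
    return by_event, off_facility


def top_dropped_sources(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Simple detection over audit logs: which hosts hit Drop rules most."""
    hits: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev.get("event") == "drop" and "src" in ev:
            hits[ev["src"].split(":")[0]] += 1
    return hits.most_common(n)


# Constructed sample, as a receiver might store it (not real DFL-700 output).
SAMPLE = [
    "<134>Oct  1 12:00:01 dfl700 event=conn_open rule=lan_to_wan proto=TCP src=192.168.1.20:50123 dst=198.51.100.7:443",
    "<134>Oct  1 12:00:03 dfl700 event=conn_close rule=lan_to_wan proto=TCP src=192.168.1.20:50123 dst=198.51.100.7:443 bytes=18234",
    "<132>Oct  1 12:00:05 dfl700 event=drop rule=default proto=TCP src=203.0.113.77:4444 dst=203.0.113.45:23",
    "<132>Oct  1 12:00:05 dfl700 event=drop rule=default proto=TCP src=203.0.113.77:4445 dst=203.0.113.45:23",
    "<132>Oct  1 12:00:06 dfl700 event=drop rule=default proto=UDP src=198.51.100.9:1900 dst=203.0.113.45:1900",
    "<38>Oct  1 12:00:09 dfl700 event=admin_login user=admin src=192.168.1.10 result=ok",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(top_dropped_sources(SAMPLE))
```

The last sample line is deliberately framed under the auth facility (<38>) so the summary reports one off-facility message; in practice that is how a receiver misconfiguration or a second device sharing the listener shows up.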
Time
Click on System in the menu bar, and then click Time below it. This gives you the option to either set the system time by syncing to an Internet time server using NTP (Network Time Protocol) or by entering the system time by hand. Accurate time matters for correlating the firewall’s logs with other systems and for schedule-based policies.
Changing time zone
Follow these steps to change the time zone.
Step 1. Choose the correct time zone in the drop down menu.
Step 2. Specify your daylight time or choose no daylight saving time by checking the
correct box.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Using NTP to sync time
Follow these steps to sync to an Internet Time Server.
Step 1. Enable synchronization by checking the Enable NTP box.
Step 2. Enter the Server IP Address or Server name with which you want to synchronize.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Setting time and date manually
Follow these steps to set the system time by hand.
Step 1. Check the Set the system time box.
Step 2. Choose the correct date.
Step 3. Set the correct time in 24-hour format.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Firewall
Policy
The Firewall Policy configuration section is the "heart" of the firewall. The policies are the
primary filter that is configured to allow or disallow certain types of network traffic through the
firewall. The policies also regulate how bandwidth management, traffic shaping, is applied to
traffic flowing through the WAN interface of the firewall.
When a new connection is being established through the firewall, the policies are
evaluated, top to bottom, until a policy that matches the new connection is found. The Action
of the rule is then carried out. If the action is Allow, the connection will be established and a
state representing the connection is added to the firewall's internal state table. If the action is
Drop, the new connection will be refused. The section below will explain the meanings of the
various action types available.
Policy modes
The first step in configuring security policies is to configure the mode for the firewall. The firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use the DFL-700’s network address translation to protect private networks from public networks. In NAT mode, you can connect a private network to the internal interface, a DMZ network to the DMZ interface, and a public network, such as the Internet, to the external interface. Then you can create NAT mode policies to accept or deny connections between these networks. NAT mode policies hide the addresses of the internal and DMZ networks from users on the Internet. In No NAT (Route) mode you can also create routed policies between interfaces. Route mode policies accept or deny connections between networks without performing address translation. To use NAT mode select Hide source addresses (many-to-one NAT) and to use No NAT (Route) mode choose No NAT.
Action Types
Drop – Packets matching Drop rules will immediately be dropped. Such packets will be
logged if logging has been enabled in the Logging Settings page.
Reject – Reject works in basically the same way as Drop. In addition to this, the firewall
sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet was a
TCP packet, a TCP RST message. Such packets will be logged if logging has been enabled
in the Logging Settings page.
Allow – Packets matching Allow rules are passed to the stateful inspection engine, which
will remember that a connection has been opened. Therefore, rules for return traffic will not be
required as traffic belonging to open connections is automatically dealt with before it reaches
the policies. Logging is carried out if audit logging has been enabled in the Logging Settings
page.
Source and Destination Filter
Source Nets – Specifies the span of source IP addresses to be compared to the received packet. Leave this blank to match everything.
Source Users/Groups – Specifies whether an authenticated username is needed for this policy to match. Either make a list of usernames, separated by commas, or write Any for any authenticated user. If it is left blank, no authentication is needed for the policy.
Destination Nets – Specifies the span of IP addresses to be compared to the destination IP of the received packet. Leave this blank to match everything.
Destination Users/Groups – Specifies whether an authenticated username is needed for this policy to match. Either make a list of usernames, separated by commas, or write Any for any authenticated user. If it is left blank, no authentication is needed for the policy.
Service Filter
Either choose a predefined service from the dropdown menu or make a custom.
The following custom services exist:
All – This service matches all protocols.
TCP+UDP+ICMP – This service matches all ports on either the TCP or the UDP protocol,
including ICMP.
Custom TCP – This service is based on the TCP protocol.
Custom UDP – This service is based on the UDP protocol.
Custom TCP+UDP – This service is based on either the TCP or the UDP protocol.
The following is used when making a custom service:
Custom source/destination ports – For many services, a single destination port is sufficient; the source port is most often all ports, 0-65535. The http service, for instance, uses destination port 80. A port range can also be used: a range 137-139 covers ports 137, 138 and 139. Multiple ranges or individual ports may also be entered, separated by commas. For instance, a service can be defined as having source ports 1024-65535 and destination ports 80-82, 90-92, 95. In this case, a TCP or UDP packet with the destination port being one of 80, 81, 82, 90, 91, 92 or 95, and the source port being in the range 1024-65535, will match this service.
Schedule
If a schedule should be used for the policy, choose one from the dropdown menu, these
are specified on the Schedules page. If the policy should always be active, choose Always
from the dropdown menu.
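The evaluation this section describes, as an added example that is not D-Link code: a Python model that walks the policies top to bottom, stops at the first match, carries out Allow, Drop or Reject (including the TCP RST or ICMP unreachable a Reject sends back), and keeps a state table so return traffic never reaches the policies. It also implements the address notation used for Administrative Access and for Source/Destination Nets (a CIDR network, an a – b range, or blank for everything) and the custom-service port notation from the Service Filter section. The rule set, interfaces, addresses and the default action when nothing matches (drop) are assumptions, not taken from the page; schedules are treated as Always.

```python
"""First-match, stateful policy evaluation as the Firewall > Policy section
describes it. Added example, not D-Link code: the Python representation, the
rule set and the traffic are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Set, Tuple

ALL_PORTS = frozenset(range(65536))


def parse_nets(spec: str) -> Callable[[str], bool]:
    """Matcher for the manual's address notation; blank matches everything."""
    spec = spec.replace("\u2013", "-").strip()          # the manual prints an en dash
    if not spec:
        return lambda ip: True
    tests = []
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:                                   # range: a - b
            lo, hi = (IPv4Address(x.strip()) for x in part.split("-"))
            tests.append(lambda ip, lo=lo, hi=hi: lo <= ip <= hi)
        else:                                             # single host or CIDR
            net = IPv4Network(part, strict=False)
            tests.append(lambda ip, net=net: ip in net)
    return lambda ip: any(t(IPv4Address(ip)) for t in tests)


def parse_ports(spec: str) -> Set[int]:
    """'80-82, 90-92, 95' -> {80, 81, 82, 90, 91, 92, 95}; blank means 0-65535."""
    spec = spec.strip()
    if not spec:
        return set(ALL_PORTS)
    ports: Set[int] = set()
    for part in (p.strip() for p in spec.split(",")):
        lo, hi = (int(x) for x in part.split("-")) if "-" in part else (int(part),) * 2
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part}")
        ports.update(range(lo, hi + 1))
    return ports


@dataclass
class Service:
    protos: Set[str]                                      # subset of TCP, UDP, ICMP
    src_ports: Set[int] = field(default_factory=lambda: set(ALL_PORTS))
    dst_ports: Set[int] = field(default_factory=lambda: set(ALL_PORTS))

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        if proto not in self.protos:
            return False
        return proto == "ICMP" or (sport in self.src_ports and dport in self.dst_ports)


@dataclass
class Policy:
    name: str
    src_iface: str
    dst_iface: str
    src_nets: str
    dst_nets: str
    service: Service
    action: str                                           # Allow, Drop or Reject

    def __post_init__(self):
        self.src_match = parse_nets(self.src_nets)
        self.dst_match = parse_nets(self.dst_nets)


class Firewall:
    def __init__(self, policies):
        self.policies = list(policies)
        self.state: Set[Tuple] = set()                    # open connections

    def handle(self, pkt) -> Tuple[str, str, str]:
        """pkt = (in_iface, out_iface, proto, src, sport, dst, dport).
        Returns (action, matched policy, what the sender gets back)."""
        in_if, out_if, proto, src, sport, dst, dport = pkt
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if fwd in self.state or rev in self.state:        # return traffic needs no rule
            return ("Allow", "state", "")
        for p in self.policies:                           # top to bottom, first match wins
            if (p.src_iface, p.dst_iface) != (in_if, out_if):
                continue
            if not (p.src_match(src) and p.dst_match(dst) and p.service.matches(proto, sport, dport)):
                continue
            if p.action == "Allow":
                self.state.add(fwd)
                return ("Allow", p.name, "")
            if p.action == "Reject":
                return ("Reject", p.name, "TCP RST" if proto == "TCP" else "ICMP UNREACHABLE")
            return ("Drop", p.name, "silence")
        # Nothing matched. The page does not state the fallback; dropping is the
        # conventional choice and is assumed here.
        return ("Drop", "no matching policy", "silence")


# Constructed rule set: web out, telnet out rejected, one DMZ web server published.
DEMO = Firewall([
    Policy("lan_web", "LAN", "WAN", "192.168.1.0/24", "",
           Service({"TCP"}, parse_ports("1024-65535"), parse_ports("80, 443")), "Allow"),
    Policy("lan_telnet", "LAN", "WAN", "192.168.1.0/24", "",
           Service({"TCP"}, dst_ports=parse_ports("23")), "Reject"),
    Policy("wan_dmz_web", "WAN", "DMZ", "", "192.168.2.10",
           Service({"TCP"}, dst_ports=parse_ports("80")), "Allow"),
])
```

Two things worth noticing when running it: the reply to an allowed connection is accepted from the state table without any WAN-to-LAN policy, and a LAN host using source port 80 to reach port 80 does not match lan_web because the service pins source ports to 1024-65535, which is why the text recommends leaving the source port at all ports unless you mean to restrict it.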
Intrusion Detection / Prevention
The DFL-700 Intrusion Detection/Prevention System (IDS/IDP) is a real-time intrusion detection and prevention sensor that identifies and takes action against a wide variety of suspicious network activity. The IDS uses intrusion signatures, stored in the attack database, to identify the most common attacks. In Prevention mode, the IDS protects the networks behind the DFL-700 by dropping the attacking traffic, and it notifies the system administrators by email if email alerting is configured. Two modes can be configured: Inspection Only or Prevention. Inspection Only inspects the traffic and, if the DFL-700 sees anything, logs it, sends an email alert (if configured) and passes the traffic on. In Prevention mode the traffic is dropped and logged, and an email alert is sent if configured.
D-Link updates the attack database periodically. Since firmware version 1.30.00 automatic updates are possible. If IDS or IDP is enabled for at least one policy or port mapping, auto-updating of the IDS database is enabled and the firewall automatically downloads the latest database from the D-Link website.
Traffic Shaping
The simplest way to obtain quality of service in a network, seen from a security as well as
a functionality perspective, is to have the components in the network, not the applications, be
responsible for network traffic control in well-defined choke points.
Traffic shaping works by measuring and queuing IP packets, in transit, with respect to a
number of configurable parameters. Differentiated rate limits and traffic guarantees based on
source, destination and protocol parameters can be created; much the same way firewall
policies are implemented.
There are three different priorities when configuring the traffic shaping, Normal, High and
Critical.
Limit works by limiting the inbound and outbound traffic of a policy to the specified speed. This is the maximum bandwidth that traffic using the policy can use. Note, however, that if the limits of several policies add up to more than your total Internet connection and the traffic limits on the WAN interface are configured, a policy’s limit is sometimes lowered so that traffic with higher priority takes precedence.
By using Guarantee, you can give traffic using a policy a minimum bandwidth. This only works if the traffic limits for the WAN interface are configured correctly.
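A simplified model of Limit, Guarantee and priority, added here as an example; it is not D-Link code and not the DFL-700’s actual scheduler. It puts the two notes above into numbers: a lower-priority policy’s limit being reduced when the limits add up to more than the WAN connection, and a guarantee becoming meaningless when the configured WAN limit is higher than the real line. The policy names and kbit/s figures are constructed, and within one priority level the model simply serves policies in list order.

```python
"""Simplified model of priority / guarantee / limit shaping on a WAN link.
Added example, not D-Link code and not the DFL-700's scheduler. Figures are
constructed, in kbit/s."""
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_ORDER = {"Critical": 0, "High": 1, "Normal": 2}


@dataclass
class ShapedPolicy:
    name: str
    demand: int                 # what the traffic wants right now
    priority: str = "Normal"
    guarantee: int = 0          # minimum bandwidth, 0 = none
    limit: int = 0              # maximum bandwidth, 0 = unlimited

    def cap(self) -> int:
        return min(self.demand, self.limit) if self.limit else self.demand


def allocate(wan_limit: int, policies: List[ShapedPolicy]) -> Dict[str, int]:
    """Bandwidth each policy is released at, for one scheduling interval."""
    alloc = {p.name: 0 for p in policies}
    remaining = wan_limit
    by_priority = sorted(policies, key=lambda p: PRIORITY_ORDER[p.priority])  # stable sort
    # 1. honour guarantees, highest priority first, never above demand or limit
    for p in by_priority:
        share = min(p.guarantee, p.cap(), remaining)
        alloc[p.name] += share
        remaining -= share
    # 2. hand out what is left by priority, each policy up to its limit; this
    #    is where a Normal policy's limit is "lowered" by higher priorities
    for p in by_priority:
        share = min(p.cap() - alloc[p.name], remaining)
        alloc[p.name] += share
        remaining -= share
    return alloc


def effective_rates(alloc: Dict[str, int], real_line_speed: int) -> Dict[str, int]:
    """What actually gets through. If the firewall releases more than the line
    carries, the modem or ISP queue drops the excess without regard to the
    firewall's priorities; modelled here as a proportional squeeze."""
    total = sum(alloc.values())
    if total <= real_line_speed:
        return dict(alloc)
    scale = real_line_speed / total
    return {name: int(rate * scale) for name, rate in alloc.items()}


DEMO = [
    ShapedPolicy("webserver", demand=1500, priority="Critical", guarantee=800),
    ShapedPolicy("staff", demand=3000, priority="Normal", limit=1500),
    ShapedPolicy("backup", demand=5000, priority="Normal", limit=1000),
]

if __name__ == "__main__":
    line = 2000                                   # what the ISP really delivers, kbit/s
    print("WAN limit matches the line:", effective_rates(allocate(line, DEMO), line))
    print("WAN limit set to 10000:   ", effective_rates(allocate(10000, DEMO), line))
```

With the WAN limit equal to the real 2000 kbit/s line, the web server gets its full 1500 and the staff policy is squeezed to 500 even though its own limit says 1500. With the WAN limit wrongly set to 10000, the firewall releases 4000 kbit/s, the upstream queue halves everything, and the web server ends up at 750, below its 800 guarantee.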