DrayTek IP Filter/Firewall Setup
Specifications
- Function: IP Filter/Firewall
- Types of Filters: Call Filter and Data Filter
- Total Filter Sets: 12
- Total Filter Rules: 84
Product Usage Instructions
General Setup
- Call Filter: Enable/disable the Call Filter function and assign a start filter set.
- Data Filter: Enable/disable the Data Filter function and assign a start filter set.
- Log settings: Configure filter log settings.
- None: Log function is inactive.
- Block: Log all blocked packets.
- Pass: Log all passed packets.
- No Match: Log all unmatched packets.
- MAC Address for Packet Duplication: Specify the MAC Address for duplicating logged packets to another network device.
Introduction
- The IP Filter/Firewall function helps protect your local network against attack from outside. It also provides a method of restricting users on the local network from accessing the Internet.
- Additionally, it can filter out specific packets to trigger the router to place an outgoing connection.
Overview of the Firewall
- The IP Filter/Firewall includes two types of filters: Call Filter and Data Filter. The former is designed to block or allow IP packets that would trigger the router to establish an outgoing connection. The latter is designed to block or allow the kinds of IP packets that may pass through the router once the WAN connection has been established.
- In concept, when an outgoing packet is to be routed to the WAN, the IP Filter will decide if the packet should be forwarded to the Call Filter or the Data Filter. If the WAN link is down, the packet will enter the Call Filter.
- If the packet is not allowed to trigger router dialling, it will be dropped. Otherwise, it will initiate a call to establish the WAN connection.
- If the WAN link of the router is up, the packet will pass through the Data Filter. If the packet type is set to be blocked, it will be dropped. Otherwise, it will be sent to the WAN interface.
- Alternatively, if an incoming packet enters from the WAN interface, it will pass through the Data Filter directly. If the packet type is set to be blocked, it will be dropped.
- Otherwise, it will be sent to the internal LAN. The filter architecture is shown below.

- The following sections will explain more about IP Filter/Firewall Setup using the Web Configurator. The Filter has 12 filter sets with 7 filter rules for each set.
- There are a total of 84 filter rules for the IP Filter/Firewall Setup. By default, the Call Filter rules are defined in Filter Set 1, and the Data Filter rules are defined in Filter Set 2.

- General Setup: Some general settings are available from this link.
- DoS Defense Setup: The DoS Defense Functionality helps you to detect and mitigate DoS attacks.
- Filter Setup: Here, there are 12 filter sets for IP Filter configurations.
- Set to Factory Default: Click here to restore the filter rules to default values.
General Setup
- On the General Setup page, you can enable/disable the Call Filter or Data Filter and assign a Start Filter Set for each, configure the log settings, and set a MAC address for the logged packets to be duplicated to.
- Call Filter: Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter.

- Data Filter: Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter.
- Log Flag: For troubleshooting needs, you can specify the filter log here.
- None: The log function is inactive.
- Block: All blocked packets will be logged.
- Pass: All passed packets will be logged.
- No Match: The log function will record all packets that are unmatched.
- Note: The filter log will be displayed on the Telnet terminal when you type the “log -f” command.
MAC Address for Packet Duplication:
- Logged packets may also be logged to another location via Ethernet. If you want to duplicate logged packets from the router to another network device, you must enter the other device’s MAC Address (HEX Format).
- Type “0” to disable the feature (also see “Duplicate to LAN”). The feature will be helpful under Ethernet environments.
Accept Incoming Fragmented UDP Packets:
- Some online games (for example, Half-Life) will use UDP packets with a large length to transfer data. It needs to be fragmented. As a secure firewall, Vigor will reject these kinds of packets to avoid being attacked by default.
- You can enable the “Accept Incoming fragmented UDP Packet” function to accept these kinds of packets. Then you can play these kinds of online games. Of course, it might have some security concerns.
DoS Defense Setup
- The DoS Defense Functionality helps you to detect and mitigate DoS attacks. Those attacks include the mass attacks and the vulnerability attacks.
- The mass attacks attempt to use up all your system’s resources, while the vulnerability attacks try to paralyze the system by attacking the vulnerabilities of the protocol or operating system.
- The DoS Defense Engine inspects each incoming packet against the attack signature database. Any packet that may paralyze the host in the security zone is blocked, and a syslog message is sent to the client.
- Also, the DoS Defense Engine monitors the traffic behavior. Any anomaly situation violating the administrator’s configuration is reported, and the corresponding defense function is performed in order to mitigate the attack.
- The following sections explain DoS Defense Setup in more detail using the Web Configurator. It is a sub-function of IP Filter/Firewall. There are a total of 15 kinds of defense functions in the DoS Defense Setup. By default, the DoS Defense Functionality is disabled. Once it is enabled, the default threshold value is 300 packets per second and the default timeout value is 10 seconds. Note that the threshold value must not be less than 150 packets per second, and the timeout value must not be less than 5 seconds. A brief description of each defense function is shown below.

- Enable DoS Defense: Click the Checkbox to activate the DoS Defense Functionality.
- Enable SYN flood defense: Click the Checkbox to activate the SYN flood defense Function.
- The router will discard the TCP SYN packets coming from the Internet and exceeding a configurable threshold (by default, 300 packets per second) in a period of time (by default, 10 seconds).
- Enable UDP flood defense: Click the Checkbox to activate the UDP flood defense Function.
- The router will discard the UDP packets coming from the Internet and exceeding a configurable threshold (by default, 300 packets per second) in a period of time (by default, 10 seconds).
- Enable ICMP flood defense: Click the Checkbox to activate the ICMP flood defense Function.
- The router will discard the ICMP echo requests coming from the Internet and exceeding a configurable threshold (by default, 300 packets per second) in a period of time (by default, 10 seconds).
- Enable Port Scan detection: Click the Checkbox to activate the Port Scan detection Function. The router will report a warning message when an intruder tries to scan a host in the security zone at 300 ports in one second (configurable). An intruder launches a port scan to gather information about the target host in preparation for a later attack.
- Enable Block IP options: Click the Checkbox to activate the Block IP options Function. The router will ignore any IP packets with an options field in the header.
- Enable Block Land: Click the Checkbox to activate the Block Land Function. The router will discard any spoofed TCP packets sent to a system with the SYN flag set and identical source and destination IP addresses and identical source and destination port numbers.
- Enable Block Smurf: Click the Checkbox to activate the Block Smurf Function. The router will ignore any ICMP echo request destined to the broadcast address.
- Enable Block trace route: Click the Checkbox to activate the Block trace route Function. The router will reject to forward any trace route packets.
- Enable Block SYN fragment: Click the Checkbox to activate the Block SYN fragment Function. Any packet with the SYN flag set and the more-fragments bit set is dropped.
- Enable Block fraggle Attack: Click the Checkbox to activate the Block fraggle Attack Function. Any broadcast UDP packets received from the Internet are blocked.
- Enable TCP flag scan: Click the Checkbox to activate the Block TCP flag scan Function. Any TCP packet with anomaly flag setting is dropped. Those scans include no flag scan, FIN without ACK scan, SYN FIN scan, Xmas scan, and full Xmas scan.
- Enable Tear Drop: Click the Checkbox to activate the Block Tear Drop Function. This attack involves the perpetrator sending overlapping packets to the target. When the target machine attempts to reconstruct the packets, it hangs. Any packets intended to do this are dropped.
- Enable Ping of Death: Click the Checkbox to activate the Block Ping of Death Function. Many machines can be crashed by sending IP packets that exceed the maximum legal length. Any fragmented ICMP packets bigger than 1024 octets are discarded.
- Enable Block ICMP fragment: Click the Checkbox to activate the Block ICMP fragment Function. Any ICMP packets with more fragment bit set are dropped.
- Enable Block Unknown Protocol: Click the Checkbox to activate the Block Unknown Protocol Function. An IP packet has a protocol field in its header that indicates the upper-layer protocol.
- Protocol values bigger than 100 are not well-defined in the standard; therefore these packets should be discarded.
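As an added illustration of the checks listed above (example code, not DrayTek's own engine), the following Python models the signature-based defenses (Land, Smurf, fraggle, SYN fragment, TCP flag scan, ICMP fragment, Ping of Death, IP options, unknown protocol) and the rate-based flood defense with the page's default threshold of 300 packets per second, timeout of 10 seconds, and the stated minimums of 150 pps and 5 s. The `Packet` fields, the sample addresses and the reading of the timeout as the period during which further packets are discarded are assumptions of this example.

```python
# Added example (not DrayTek's code): a Python model of the DoS Defense checks
# described on this page. Packet fields, sample values and the timeout
# interpretation are constructed; the router's real inspection engine is not public.
from collections import deque
from dataclasses import dataclass

@dataclass
class Packet:
    proto: int                      # IP protocol number: 1=ICMP, 6=TCP, 17=UDP
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    more_fragments: bool = False    # IP "more fragments" bit
    frag_offset: int = 0            # non-zero for a non-first fragment
    length: int = 64                # total length in octets
    broadcast_dst: bool = False     # destination is a broadcast address
    ip_options: bool = False        # IP header carries an options field
    icmp_type: int = 0              # 8 = echo request

XMAS = frozenset({"FIN", "PSH", "URG"})
FULL_XMAS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})

def tcp_flag_anomaly(flags):
    """Name the anomalous flag combination from the page's TCP flag scan list,
    most specific first so an Xmas probe is not reported as FIN-without-ACK."""
    if not flags:
        return "no flag scan"
    if flags == FULL_XMAS:
        return "full Xmas scan"
    if flags == XMAS:
        return "Xmas scan"
    if {"SYN", "FIN"} <= flags:
        return "SYN FIN scan"
    if "FIN" in flags and "ACK" not in flags:
        return "FIN without ACK scan"
    return None

def signature_checks(p):
    """Return the names of the signature-based defenses this packet trips."""
    hits = []
    fragmented = p.more_fragments or p.frag_offset > 0
    if p.ip_options:
        hits.append("Block IP options")
    if p.proto == 6:
        if p.src_ip == p.dst_ip and p.src_port == p.dst_port and "SYN" in p.flags:
            hits.append("Block Land")
        if "SYN" in p.flags and p.more_fragments:
            hits.append("Block SYN fragment")
        anomaly = tcp_flag_anomaly(p.flags)
        if anomaly:
            hits.append(f"TCP flag scan ({anomaly})")
    elif p.proto == 1:
        if p.icmp_type == 8 and p.broadcast_dst:
            hits.append("Block Smurf")
        if p.more_fragments:
            hits.append("Block ICMP fragment")
        if fragmented and p.length > 1024:
            hits.append("Ping of Death")
    elif p.proto == 17 and p.broadcast_dst:
        hits.append("Block fraggle Attack")
    if p.proto > 100:               # page: values above 100 are not well-defined
        hits.append("Block Unknown Protocol")
    return hits

class FloodDefense:
    """Rate-based defense (SYN/UDP/ICMP flood): once more than `threshold`
    packets arrive within one second, discard further packets for `timeout`
    seconds. Defaults and minimums are the page's; treating the timeout as the
    discard period is this example's assumption."""
    def __init__(self, threshold=300, timeout=10):
        if threshold < 150 or timeout < 5:
            raise ValueError("threshold must be >= 150 pps and timeout >= 5 s")
        self.threshold, self.timeout = threshold, timeout
        self.window = deque()       # arrival times within the last second
        self.blocked_until = 0.0

    def observe(self, ts):
        """Return True when the packet arriving at time `ts` should be discarded."""
        if ts < self.blocked_until:
            return True
        self.window.append(ts)
        while self.window[0] <= ts - 1.0:
            self.window.popleft()
        if len(self.window) > self.threshold:
            self.blocked_until = ts + self.timeout
            self.window.clear()
            return True
        return False

if __name__ == "__main__":
    land = Packet(6, "203.0.113.5", "203.0.113.5", 80, 80, frozenset({"SYN"}))
    print(signature_checks(land))                       # ['Block Land']
    syn = FloodDefense()
    verdicts = [syn.observe(i / 1000) for i in range(301)]  # 301 SYNs in 0.3 s
    print(verdicts.count(True))                         # 1
```

The two halves mirror the page's split between vulnerability attacks (stateless checks on one packet) and mass attacks (a count over time). A real implementation keys the flood counter per source or per protected host; the single counter here is kept to show the threshold and timeout semantics.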

The warning message
All warning messages are sent to the syslog client when the syslog function is enabled. The administrator can set up the syslog client in the Syslog Setup page of the Web Configurator. The administrator can view the warning messages coming from the DoS Defense functionality through the DrayTek Syslog daemon. The message format is similar to that of IP Filter/Firewall messages, except that it begins with the keyword “DoS” followed by the name of the kind of attack detected.
Editing the Filter Sets
- Comments: Enter filter set comments/description. Maximum length is 22 characters.
- Filter Rule: Click a button numbered 1 ~ 7 to edit the filter rule.
- Active: Enable or disable the filter rule.
- Next Filter Set: Specifies the next filter set to be linked behind the current filter set. The filters cannot be looped.
- The following setup pages show the default settings for the Call Filter and the Data Filter.
- You will see the Call Filter set is assigned to Set 1 and the Data Filter set to Set 2.


Editing the Filter Rules
- Click the Filter Rule index button to enter the Filter Rule setup page for each filter. The following explains each configurable item in detail.
- Comments: Enter filter set comments/description. Maximum length is 14 characters.
- Check to enable the Filter Rule: Enables the filter rule.
- Pass or Block: Specifies the action to be taken when packets match the rule.
- Block Immediately: Packets matching the rule will be dropped immediately.
- Pass Immediately: Packets matching the rule will be passed immediately.
- Block If No Further Match: A packet matching the rule, and that does not match further rules, will be dropped.
- Pass If No Further Match: A packet matching the rule, and that does not match further rules, will be passed through.

- Branch to Other Filter Set: If the packet matches the filter rule, the next filter rule will branch to the specified filter set.
- Duplicate to LAN: If you want to log the matched packets to another network device, check this box to enable it. The MAC Address is defined in General Setup > MAC Address for Logged Packets Duplication.
- Log: Check this box to enable the log function. Use the Telnet command “log -f” to view the logs.
- Direction: Sets the direction of packet flow. For the Call Filter, this setting is irrelevant.
For the Data Filter:
- IN: Specifies the rule for filtering incoming packets.
- OUT: Specifies the rule for filtering outgoing packets.
- Protocol: Specifies the protocol(s) this filter rule will apply to.
- IP Address: Specifies a source and destination IP address for this filter rule to apply to. Placing the symbol ! before a particular IP address will prevent this rule from being applied to that IP address. It is equal to the logical NOT operator.
- Subnet Mask: Specifies the Subnet Mask for the IP Address column for this filter rule to apply to.
- Operator: The operator column specifies how the port number is compared. If the Start Port is empty, the Start Port and End Port columns are ignored and the rule applies to any port number.
- Equal: If the End Port is empty, the rule applies to the port number equal to the Start Port. Otherwise, the port number ranges between the Start Port and the End Port (including the Start Port and the End Port).
- Not equal: If the End Port is empty, the port number is not equal to the value of the Start Port. Otherwise, the port number is not between the Start Port and the End Port (including the Start Port and End Port).
- Larger than: Specifies that the port number is larger than the Start Port (includes the Start Port).
- Less than: Specifies that the port number is less than the Start Port (includes the Start Port).
- Keep State: When checked, protocol information about the TCP/UDP/ICMP communication sessions will be kept by the IP Filter/Firewall (the Firewall Protocol option requires that TCP or UDP or TCP/UDP or ICMP be selected for this to operate correctly).
- Fragments: Specifies a fragmented packet action.
- (Do not care): Specifies no fragment options in the filter rule.
- Unfragmented: Applies the rule to unfragmented packets.
- Fragmented: Applies the rule to fragmented packets.
- Too Short: Applies the rule only to packets that are too short to contain a complete header.
Restricting Unauthorized Internet Services
- This section will show a simple example to restrict someone from accessing WWW services. In this example, we assume the IP address of the access-restricted user is 192.168.1.10.
- The filter rule is created in the Data Filter set and is shown below.
- Port 80 is the HTTP protocol port number for WWW services.
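To make the Overview's Call Filter / Data Filter dispatch, the rule semantics from Editing the Filter Rules, and this WWW-restriction example concrete, here is an added Python model (example code, not DrayTek's firmware). It implements the immediate and "If No Further Match" actions, Branch to Other Filter Set, Next Filter Set chaining with loop rejection, direction, protocol, the `!` logical-NOT address prefix, and the four port operators with the empty Start Port / End Port rules, then expresses the page's rule (Data Filter in Set 2, block TCP port 80 from 192.168.1.10). The `Rule` and `Packet` field names, the encoding of branching as an action, the operator names `eq`/`ne`/`ge`/`le`, the default verdict when no rule matches, and all sample packets are assumptions of this example; Keep State and Fragments are not modeled.

```python
# Added example (not DrayTek's code): a Python model of the Call Filter / Data
# Filter architecture and the filter-rule semantics described on this page,
# ending with the page's example of blocking WWW access from 192.168.1.10.
# Field names, the "branch" action encoding, operator names and packets are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    direction: str        # "OUT" (LAN -> WAN) or "IN" (WAN -> LAN)
    proto: str            # "TCP", "UDP", "ICMP"
    src_ip: str
    dst_ip: str
    dst_port: int = 0

@dataclass
class Rule:
    action: str                      # "block", "pass", "block_if_no_match",
                                     # "pass_if_no_match" or "branch"
    direction: str = "ANY"           # "IN"/"OUT"; ignored by the Call Filter
    proto: Optional[str] = None
    src: Optional[str] = None        # address or network; leading "!" is logical NOT
    dst: Optional[str] = None
    op: Optional[str] = None         # port operator: "eq", "ne", "ge", "le"
    start_port: Optional[int] = None
    end_port: Optional[int] = None
    branch_to: Optional[int] = None  # target set when action == "branch"
    active: bool = True

@dataclass
class FilterSet:
    rules: list = field(default_factory=list)   # at most 7 rules per set
    next_set: Optional[int] = None              # "Next Filter Set" link

def _ip_match(spec, ip):
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def _port_match(r, port):
    if r.op is None or r.start_port is None:   # empty Start Port: ports ignored
        return True
    lo = r.start_port
    hi = r.end_port if r.end_port is not None else lo   # empty End Port: single port
    return {"eq": lo <= port <= hi, "ne": not lo <= port <= hi,
            "ge": port >= lo, "le": port <= lo}[r.op]

def matches(r, p, call_filter=False):
    if not r.active:
        return False
    if not call_filter and r.direction != "ANY" and r.direction != p.direction:
        return False
    if r.proto is not None and r.proto != p.proto:
        return False
    return (_ip_match(r.src, p.src_ip) and _ip_match(r.dst, p.dst_ip)
            and _port_match(r, p.dst_port))

def run_filter(sets, start, p, call_filter=False, default="pass"):
    """Walk the chain of filter sets from `start`; return "pass" or "block".
    Immediate actions end the walk; "If No Further Match" actions are remembered
    and applied when nothing later matches. Looping sets are rejected."""
    pending, visited, cur = None, set(), start
    while cur is not None:
        if cur in visited:
            raise ValueError("filter sets cannot be looped")
        visited.add(cur)
        fs = sets[cur]
        assert len(fs.rules) <= 7
        nxt = fs.next_set
        for r in fs.rules:
            if not matches(r, p, call_filter):
                continue
            if r.action in ("block", "pass"):
                return r.action
            if r.action == "branch":
                nxt = r.branch_to
                break
            pending = r.action.split("_")[0]          # "block" or "pass"
        cur = nxt
    return pending or default

def route_packet(sets, p, wan_up, call_start=1, data_start=2):
    """The Overview's dispatch: outgoing packets enter the Call Filter while the
    WAN link is down and the Data Filter once it is up; incoming packets always
    pass through the Data Filter."""
    if p.direction == "OUT" and not wan_up:
        return "dial" if run_filter(sets, call_start, p, True) == "pass" else "drop"
    return "forward" if run_filter(sets, data_start, p) == "pass" else "drop"

# The page's example: Data Filter (Set 2) blocks WWW (TCP port 80) from 192.168.1.10.
SETS = {
    1: FilterSet(),                                  # Call Filter set, left empty here
    2: FilterSet(rules=[Rule("block", direction="OUT", proto="TCP",
                             src="192.168.1.10", op="eq", start_port=80)]),
}

if __name__ == "__main__":
    web = Packet("OUT", "TCP", "192.168.1.10", "203.0.113.80", 80)
    print(route_packet(SETS, web, wan_up=True))      # drop
    print(route_packet(SETS, web, wan_up=False))     # dial (Call Filter set is empty)
```

Note that the rule only matches direction OUT, so an inbound packet to 192.168.1.10 on port 80 is still forwarded; restricting a LAN host from reaching the web and exposing it to the Internet are separate rules.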

Frequently Asked Questions
How does the IP Filter/Firewall function work?
The IP Filter/Firewall includes Call Filter and Data Filter to block/allow specific packets for outgoing and incoming connections, respectively.
How many filter sets and rules are available in the IP Filter/Firewall setup?
There are 12 filter sets with 7 filter rules each, totaling 84 filter rules.
Documents / Resources
DrayTek IP Filter/Firewall Setup [pdf] User Manual: IP Filter Firewall Setup, Filter Firewall Setup, Firewall Setup

