Firewall Features

By TG Publishing Team, published on May 7, 2004
Source: Tom's Guide US

5. Firewall Features

The SL1000's firewall is perhaps its most powerful - and difficult to configure - part. All traffic flow through the router, both inbound and outbound, is controlled by Access Control List (ACL) rules. ACLs are used both for port / service filtering and port mapping / virtual servers. They are also used to configure the SL1000's multi-NAT features.

This system will probably be comfortable for those accustomed to dealing with "enterprise" level firewall and NAT routers. But SOHO types may get frustrated trying to navigate the ACL setup screens, which contain option settings that aren't needed (or usable) for their relatively simple needs. The good news is that the ACLs give you tight control over what packets can go where. The bad news is that you must remember to configure ACLs in cases where you normally wouldn't have to futz with the firewall settings on other products.

Studying the Inbound ACL screen (Figure 6), which is used to open ports in the firewall for virtual servers, will cover most of the firewall controls.

Figure 6: Inbound ACL rules

Port filtering (access control) uses the Outbound ACL screen (Figure 7), which is virtually the same as the Inbound. I had to set the rule shown to allow VPN traffic through the SL1000's firewall (more on that later).

Figure 7: Outbound ACL rules

Compared with what you normally see for port mapping controls, the SL1000's ACL screens present many more choices. Figure 6 shows an ACL that allows access from the Internet to an FTP server with an IP address of 192.168.2.11 sitting on the LAN side of the router.

The ACL rule controls let you specify just about everything that happens to a packet as it travels from one side of the firewall to the other. Here are the available options for each selector:

Source IP: Any, IP address, Subnet, Range, IP Pool
Destination IP: Any, IP address, Subnet, Range, IP Pool
Source Port: Any, Single, Range
Destination Port: Any, Single, Range, Service
NAT: None, IP address, NAT Pool

If I hadn't selected Service for the Destination Port in the FTP example, you would have also seen the Protocol selector with its options of All, TCP, UDP, ICMP, AH and ESP. The Outbound ACL screen looks pretty much the same as the Inbound except that the NAT selector offers an additional Interface selection which is the one you'll use unless you're doing reverse static or dynamic NAT.
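To make the selector model concrete, here is a small Python model of how an SL1000-style ACL rule is matched against a packet, written for this article rather than taken from the router's firmware. It assumes a constructed service table, a made-up WAN address (203.0.113.10), one plausible layout of the Figure 6 rule (destination = WAN address, NAT = the LAN FTP server), and first-match ordering with a deny default; the page does not show those details.

```python
import ipaddress
from dataclasses import dataclass
# Constructed service table; the SL1000's own "Service" list is not shown on the page.
SERVICES = {"FTP": ("TCP", 21), "HTTP": ("TCP", 80), "DNS": ("UDP", 53)}

def ip_matches(selector, addr):  # selector = (kind, value) per the Source/Destination IP options
    kind, value = selector
    a = ipaddress.ip_address(addr)
    if kind == "Any":
        return True
    if kind == "IP address":
        return a == ipaddress.ip_address(value)
    if kind == "Subnet":
        return a in ipaddress.ip_network(value, strict=False)
    ranges = [value] if kind == "Range" else value  # "IP Pool" is modelled as a list of ranges
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi) for lo, hi in ranges)

def port_matches(selector, proto, port):  # Source/Destination Port options; Service fixes the protocol too
    kind, value = selector
    if kind == "Any":
        return True
    if kind == "Single":
        return port == value
    if kind == "Range":
        return value[0] <= port <= value[1]
    svc_proto, svc_port = SERVICES[value]  # kind == "Service"
    return proto == svc_proto and port == svc_port

@dataclass
class Rule:
    src_ip: tuple
    dst_ip: tuple
    src_port: tuple = ("Any", None)
    dst_port: tuple = ("Any", None)
    protocol: str = "All"        # not consulted when dst_port is a Service (the page hides it then)
    nat: tuple = ("None", None)  # None / IP address / NAT Pool
    action: str = "Allow"

def evaluate(rules, pkt, default="Deny"):  # first matching rule wins; returns (action, nat_target)
    for r in rules:
        proto_ok = r.dst_port[0] == "Service" or r.protocol in ("All", pkt["proto"])
        if (proto_ok and ip_matches(r.src_ip, pkt["src"]) and ip_matches(r.dst_ip, pkt["dst"])
                and port_matches(r.src_port, pkt["proto"], pkt["sport"])
                and port_matches(r.dst_port, pkt["proto"], pkt["dport"])):
            return r.action, (None if r.nat[0] == "None" else r.nat[1])
    return default, None

# Constructed Figure 6 rule: Internet -> assumed WAN address, FTP service, NATed to the LAN server from the page.
FTP_RULE = Rule(("Any", None), ("IP address", "203.0.113.10"),
                dst_port=("Service", "FTP"), nat=("IP address", "192.168.2.11"))
```

Note that a UDP packet to port 21 does not match the rule: choosing Service pins the protocol as well as the port, which is why the Protocol selector disappears in that case.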
