A good way to understand how the firewall rules work is to tick checkboxes on the Security Profile pages and then examine which new rules they add to the firewall rule list:
Say you have a telnet server (192.168.0.10) that you want only one remote PC (11.50.17.69) on the Internet to be able to access. Using the Security Profile page you can enable access to the Telnet server, but that lets every PC on the Internet reach your server! The Security Profile page gives you no finer control over the firewall's behaviour – but editing the rules manually does!
…
(dport == sip'5060') && (proto == udp) accept
proto == udp && dport == dhcpc'68' accept
(dport == telnet'23') && proto == tcp modify static daddr 192.168.0.10
That extra line means: “if the incoming packet tries to access port 23, and is a TCP protocol packet, then forward it to PC 192.168.0.10”. TCP port 23 is the one used by Telnet.
As written, that rule forwards TCP port 23 traffic from any source on the Internet.
Now it is fairly simple to modify that rule by adding one more restriction. We would like a rule like this:
(saddr == 11.50.17.69) && (dport == 23) && proto == tcp modify static daddr 192.168.0.10
The modified rule would mean: “if the incoming packet is coming from 11.50.17.69 and tries to access port 23, and is a TCP protocol packet, then forward it to PC 192.168.0.10”.
The modified rule now lets only telnet traffic coming from 11.50.17.69 pass through the firewall – it will not match any other incoming packet.
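To make the difference between the two rules concrete, here is an added example (not code from this wiki or from the router's firmware) that parses rules written in the page's syntax and evaluates constructed packets against both rule sets. The parser and the packet fields are my own assumptions about the syntax shown above: conditions joined by `&&`, optional parentheses, service-name prefixes such as `telnet'23'`, and two actions, `accept` and `modify static daddr <ip>`. First matching rule wins, and a packet that matches no rule is treated as dropped; both of those are assumptions, not documented router behaviour. The Internet source address 203.0.113.5 is a constructed value.

```python
import re

# Constructed sample rule sets in the page's rule syntax.
# Hypothetical: the router's real rule file format is not reproduced here.
OPEN_RULES = [
    "(dport == sip'5060') && (proto == udp) accept",
    "proto == udp && dport == dhcpc'68' accept",
    "(dport == telnet'23') && proto == tcp modify static daddr 192.168.0.10",
]

RESTRICTED_RULES = [
    "(dport == sip'5060') && (proto == udp) accept",
    "proto == udp && dport == dhcpc'68' accept",
    "(saddr == 11.50.17.69) && (dport == 23) && proto == tcp modify static daddr 192.168.0.10",
]

RULE_RE = re.compile(r"^(?P<conds>.+?)\s+(?P<action>accept|modify static daddr \S+)$")
COND_RE = re.compile(r"^(?P<field>\w+)\s*==\s*(?P<value>\S+)$")
NAMED_RE = re.compile(r"^[A-Za-z_]*'(?P<v>[^']*)'$")  # e.g. telnet'23' -> 23


def _value(raw):
    """Strip an optional service-name prefix and quotes: telnet'23' -> '23'."""
    m = NAMED_RE.match(raw)
    return m.group("v") if m else raw


def parse_rule(text):
    """Parse one rule into (conditions, action).

    conditions: dict field -> expected value; every entry must match (&&).
    action: ('accept', None) or ('forward', new_destination_address).
    """
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    conds = {}
    for part in m.group("conds").split("&&"):
        part = part.strip().strip("()").strip()
        cm = COND_RE.match(part)
        if not cm:
            raise ValueError(f"unparseable condition: {part!r}")
        conds[cm.group("field")] = _value(cm.group("value"))
    action = m.group("action")
    if action == "accept":
        return conds, ("accept", None)
    return conds, ("forward", action.rsplit(" ", 1)[1])


def evaluate(rules, packet):
    """Return the action for a packet; the first matching rule wins.

    Assumption: a packet matching no rule falls through to the firewall's
    default policy, modelled here as ('drop', None).
    """
    for text in rules:
        conds, action = parse_rule(text)
        if all(str(packet.get(field)) == expected for field, expected in conds.items()):
            return action
    return ("drop", None)


def demo():
    """Evaluate a Telnet packet from an arbitrary host and from the allowed PC."""
    # Constructed packets: 203.0.113.5 stands in for "some other PC on the Internet".
    from_stranger = {"proto": "tcp", "saddr": "203.0.113.5", "dport": 23}
    from_allowed = {"proto": "tcp", "saddr": "11.50.17.69", "dport": 23}
    return {
        "open rule, stranger": evaluate(OPEN_RULES, from_stranger),
        "restricted rule, stranger": evaluate(RESTRICTED_RULES, from_stranger),
        "restricted rule, allowed PC": evaluate(RESTRICTED_RULES, from_allowed),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:28s} -> {result}")
```

Running it shows the unrestricted rule forwarding port 23 from the stranger to 192.168.0.10, while the restricted rule set forwards only the packet whose `saddr` is 11.50.17.69 and drops the stranger's; the SIP and DHCP `accept` rules are unaffected because they match on different ports and protocol.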