Quick links:
Product Overview
Installation
Settings and Administration
ADSL
SIP Support
Telephone ports
Network
Firewall
Wireless
VPN
Misc
Licenses
Troubleshooting
Differences
This shows you the differences between two versions of the page.
|
web_gui:security_profile [2010/11/17 10:12] mats |
web_gui:security_profile [2011/06/23 10:31] (current) mats |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Security Profile ====== | ====== Security Profile ====== | ||
| - | The Security profile page allows you to edit any of the [[firewall:security profiles]] Hi, Lo or AC. | + | The Security profile page allows you to edit any of the [[firewall:security profiles]] **High**, **Low** or **AltConf**. |
| - | :!: Even though all three profiles are editable you are recommended to edit only profile AC (Alternative Configuration), and leave Hi and Lo unaltered. | + | :!: Even though all three profiles are editable you are recommended to edit only profile **AltConf** (Alternative Configuration), and leave **High** and **Low** unaltered. |
| - | Press **Get default values** to restore the security profiles to their original values. | + | :?: For some hints concerning port openings etc., see [[troubleshooting:application_problems|here]]. |
| + | |||
| + | Press **Get default values** to restore the security profile to its original values (then click "Apply"). | ||
| The main groups of settings controlling the firewall are: | The main groups of settings controlling the firewall are: | ||
| + | |||
| + | {{ :web_gui:security_profile.png?300|Security profile in rel 5.30}} | ||
| ===== Allowed applications ===== | ===== Allowed applications ===== | ||
| Line 15: | Line 19: | ||
| **Access servers from inside using WAN IP address** Check box if you want to be able to access your web, telnet, ssh or ftp server from inside using your global IP address. If box is not checked the servers can only be reached using their local IP address. | **Access servers from inside using WAN IP address** Check box if you want to be able to access your web, telnet, ssh or ftp server from inside using your global IP address. If box is not checked the servers can only be reached using their local IP address. | ||
| - | **PING receiver** Check box if you want ping-requests from the Internet answered by a PC on your LAN. Enter the PC's LAN IP address. | + | **PING receiver** Check box if you want ping-requests from the Internet answered by a PC on your LAN. Enter the PC's LAN IP address, or 127.0.0.1 to make the Internet Gate itself answer.\\ |
| - | (:!: Not recommended, as it is a security risk at "flood-pinging") [[wp>Ping]] | + | :!: Extreme security risk! Answering to ping-requests from Internet reveals your presence for attacks, e.g. "flood-pinging". [[wp>Ping]] |
| - | **SIP** Check box if you want the [[sip:start|SIP]] functionality to be allowed through. | + | **SIP** Check box if you want the [[sip:start|SIP]] functionality to be allowed through /answered. The IP address field could be filled in to allow only some IP addresses to send SIP traffic to the unit. Several IP addresses could be entered by using comma sign, dash or subnet notation.\\ |
| + | Example: "1.2.3.4 - 1.2.3.8, 5.5.5.5, 6.7.8.9/24" | ||
| - | **Remote configuration Web/Telnet/SNMP** Check box(es) if you want the configuration web interface (these pages), the command line interface (Telnet with port 57) or the SNMP server resp. to be accessible from the Internet. Choose if you want to use http (with port 66), https (with port 78), or both of them, when accessing the web pages from outside. | + | **Remote configuration Web/Telnet/SNMP** Check box(es) if you want the configuration web interface (these pages), the command line interface (Telnet with port 57) or the SNMP server resp. to be accessible from the Internet. The IP address/mask fields could be filled in to allow only one or a few IP addresses to access the configuration. Choose if you want to use http (with port 66), https (with port 78), or both of them, when accessing the web pages from outside. |
| (:!: Security risk!) [[wp>Telnet]] [[wp>SNMP]] | (:!: Security risk!) [[wp>Telnet]] [[wp>SNMP]] | ||
| Line 34: | Line 39: | ||
| ===== VPN Pass-through ===== | ===== VPN Pass-through ===== | ||
| - | controls VPN tunnels going through the firewall, thus VPN connections that are not [[VPN page|terminated]] in the unit itself. | + | controls [[wp>VPN]] tunnels going through the firewall, thus VPN connections that are not [[VPN page|terminated]] in the unit itself. |
| * [[IPSec pass-through]] | * [[IPSec pass-through]] | ||
| * [[IPSec NAT-T pass-through]] | * [[IPSec NAT-T pass-through]] | ||
| * [[PPTP pass-through]] | * [[PPTP pass-through]] | ||
| ===== Port redirection ===== | ===== Port redirection ===== | ||
| - | Manual opening of outside ports on the firewall. [[wp>Port_numbers|Port numbers]] | + | Manual opening of outside ports on the firewall. [[wp>Port_numbers|Port numbers]] [[wp>Transmission_Control_Protocol|TCP]] [[wp>User_Datagram_Protocol|UDP]] |
| If you enter one outside port , you can enter a different inside port to redirect the data stream. If you leave inside port empty, the data will be sent to the same port number as opened. | If you enter one outside port , you can enter a different inside port to redirect the data stream. If you leave inside port empty, the data will be sent to the same port number as opened. | ||
| Line 53: | Line 58: | ||
| Redirections selected in priority order, 1:st row first. | Redirections selected in priority order, 1:st row first. | ||
| - | **Protocol** Protocol number or (for common protocols) name. Leave blank for "all protocols". | + | **Protocol** [[wp>List_of_IP_protocol_numbers|Protocol number]] or (for common protocols) name. Leave blank for "all protocols". |
| **outside IP address** Global IP address that is to be redirected. Only if you have received more than one global IP address from your Internet provider. Else leave empty. | **outside IP address** Global IP address that is to be redirected. Only if you have received more than one global IP address from your Internet provider. Else leave empty. | ||
| Line 98: | Line 103: | ||
| **ICQ (Send Message only)** - Check box if you only want to send messages to other ICQ users. To utilize the more advanced feautures check ICQ box under "Allowed applications" instead.\\ | **ICQ (Send Message only)** - Check box if you only want to send messages to other ICQ users. To utilize the more advanced feautures check ICQ box under "Allowed applications" instead.\\ | ||
| **inside -> DMZ** - Allow all, all TCP or all UDP traffic from LAN to DMZ.\\ | **inside -> DMZ** - Allow all, all TCP or all UDP traffic from LAN to DMZ.\\ | ||
| - | **Other TCP ports** - Open specific port numbers (only for advanced users)\\ | + | **Other TCP ports** - Open specific port numbers (only for advanced users) [[wp>Transmission_Control_Protocol|TCP]]\\ |
| (several ports can be entered, separated by comma, along with port ranges "xxx-yyy")\\ | (several ports can be entered, separated by comma, along with port ranges "xxx-yyy")\\ | ||
| - | **Other UDP ports** - Open specific port numbers (only for advanced users)\\ | + | **Other UDP ports** - Open specific port numbers (only for advanced users) [[wp>User_Datagram_Protocol|UDP]]\\ |
| (several ports can be entered, separated by comma, along with port ranges "xxx-yyy") | (several ports can be entered, separated by comma, along with port ranges "xxx-yyy") | ||
| ===== ===== | ===== ===== | ||
| Line 113: | Line 118: | ||
| **Block sites** Enter a list of sites (comma separated) users should not be able to access. Compares the hostname part of the URL - the part before the first "/". Do not include the starting "www." part. Sites with their full name matching are blocked. If you do not specify the top-level domain all domains are denied.\\ | **Block sites** Enter a list of sites (comma separated) users should not be able to access. Compares the hostname part of the URL - the part before the first "/". Do not include the starting "www." part. Sites with their full name matching are blocked. If you do not specify the top-level domain all domains are denied.\\ | ||
| - | Example: "youtube.com,google" stops access to www.youtube.com, google.com, and google.co.uk, but allows youtube.co.uk, googlefight.com and en.wikipedia.org/wiki/google | + | Example: "youtube.com,google" stops access to %%www.youtube.com, google.com, and google.co.uk, but allows youtube.co.uk, googlefight.com and en.wikipedia.org/wiki/google%% |
| - | **Block IP numbers** Block use of IP address in URL (eg http://213.136.58.99) | + | **Block IP numbers** Block use of IP address in URL (eg %%http://213.136.58.99%%) |
| **Block filetypes** Enter a list of file extensions (comma separated) users should not be able to download. Compares the path part of the URL - the part after the first "/". Include the starting dot. File types exactly matching the extensions are blocked.\\ | **Block filetypes** Enter a list of file extensions (comma separated) users should not be able to download. Compares the path part of the URL - the part after the first "/". Include the starting dot. File types exactly matching the extensions are blocked.\\ | ||
| Line 132: | Line 137: | ||
| Check the box to allow such traffic to pass through. | Check the box to allow such traffic to pass through. | ||
| - | **Disable "ICMP close" (Port Unreachable)** Avoid "UDP connections" from being closed by ICMP Port Unreachable messages. | + | **Disable "ICMP close" (Port Unreachable)** Avoid "UDP connections" from being closed by ICMP Port Unreachable messages. [[wp>Internet_Control_Message_Protocol|ICMP]] |
| **Enable strict TCP inspection** Uncheck this if encountering compatibility problems with certain servers. | **Enable strict TCP inspection** Uncheck this if encountering compatibility problems with certain servers. | ||
| - | By disabling TCP inspection the firewall becomes a bit more "forgiving" with some common TCP rule violations some servers do when overloaded. | + | By disabling TCP inspection the firewall becomes a bit more "forgiving" with some common TCP rule violations some servers do when overloaded. [[wp>Transmission_Control_Protocol|TCP]] |
| + | |||
| + | **SYN flood detection** Checking this box will protect against an attack using flooding with SYN messages (SYN is the initial message for opening a TCP connection). [[wp>Transmission_Control_Protocol|TCP]] | ||
| - | **SYN flood detection** Checking this box will protect against an attack using flooding with SYN messages (SYN is the initial message for opening a TCP connection). | + | **SIP flood detection** Detect [[sip:start|SIP]] DoS attacks and block sender IP address. A sender of SIP messages will be blocked if the rate of SIP packets exceeds the High trigger level (packets/s) and unblocked when the rate goes down to Low. If Quarantine time is set the sender will be blocked for an additional number of seconds. [[wp>DoS]] |
| **IGMP/Multicast Proxy** | **IGMP/Multicast Proxy** | ||
| Line 148: | Line 155: | ||
| :!: You must enable IGMP/Multicast at [[#Applications from inside]] on this page to allow multicast traffic through the firewall!\\ | :!: You must enable IGMP/Multicast at [[#Applications from inside]] on this page to allow multicast traffic through the firewall!\\ | ||
| - | :!: The Internet connection of the multicast proxy is by default the current WAN interface, unless specified otherwise on the [[Extra WAN Interfaces]] page. | + | :!: The Internet connection of the multicast proxy is by default the current WAN interface, unless specified otherwise on the [[Extra WAN Interfaces]] page.\\ |
| + | [[wp>IGMP]] [[wp>Multicast]] | ||
| ===== ===== | ===== ===== | ||
| **FTP proxy mode** Select if FTP traffic should be subject to the internal FTP proxy. "Disabled" means that only address translation (NAT) is performed.\\ | **FTP proxy mode** Select if FTP traffic should be subject to the internal FTP proxy. "Disabled" means that only address translation (NAT) is performed.\\ | ||
| - | :!: FTP traffic is still admitted/rejected based on the other FTP settings on this page. | + | :!: FTP traffic is still admitted/rejected based on the other FTP settings on this page. [[wp>FTP]] [[wp>Proxy_server|Proxy]] |
| **Inactivity timeouts** Close the connection if no data has been transmitted for the specified time. Specific timeouts for particular ports/protocols may be added. | **Inactivity timeouts** Close the connection if no data has been transmitted for the specified time. Specific timeouts for particular ports/protocols may be added. | ||
