Quick links:
Product Overview
Installation
Settings and Administration
ADSL
SIP Support
Telephone ports
Network
Firewall
Wireless
VPN
Misc
Licenses
Troubleshooting
Differences
This shows you the differences between two versions of the page.
|
web_gui:security_profile [2010/11/17 10:45] mats |
web_gui:security_profile [2011/06/23 10:31] (current) mats |
||
|---|---|---|---|
| Line 9: | Line 9: | ||
| The main groups of settings controlling the firewall are: | The main groups of settings controlling the firewall are: | ||
| + | |||
| + | {{ :web_gui:security_profile.png?300|Security profile in rel 5.30}} | ||
| ===== Allowed applications ===== | ===== Allowed applications ===== | ||
| Line 17: | Line 19: | ||
| **Access servers from inside using WAN IP address** Check box if you want to be able to access your web, telnet, ssh or ftp server from inside using your global IP address. If box is not checked the servers can only be reached using their local IP address. | **Access servers from inside using WAN IP address** Check box if you want to be able to access your web, telnet, ssh or ftp server from inside using your global IP address. If box is not checked the servers can only be reached using their local IP address. | ||
| - | **PING receiver** Check box if you want ping-requests from the Internet answered by a PC on your LAN. Enter the PC's LAN IP address. | + | **PING receiver** Check box if you want ping-requests from the Internet answered by a PC on your LAN. Enter the PC's LAN IP address, or 127.0.0.1 to make the Internet Gate itself answer.\\ |
| - | (:!: Not recommended, as it is a security risk at "flood-pinging") [[wp>Ping]] | + | :!: Extreme security risk! Answering to ping-requests from Internet reveals your presence for attacks, e.g. "flood-pinging". [[wp>Ping]] |
| - | **SIP** Check box if you want the [[sip:start|SIP]] functionality to be allowed through. | + | **SIP** Check box if you want the [[sip:start|SIP]] functionality to be allowed through /answered. The IP address field could be filled in to allow only some IP addresses to send SIP traffic to the unit. Several IP addresses could be entered by using comma sign, dash or subnet notation.\\ |
| + | Example: "1.2.3.4 - 1.2.3.8, 5.5.5.5, 6.7.8.9/24" | ||
| - | **Remote configuration Web/Telnet/SNMP** Check box(es) if you want the configuration web interface (these pages), the command line interface (Telnet with port 57) or the SNMP server resp. to be accessible from the Internet. Choose if you want to use http (with port 66), https (with port 78), or both of them, when accessing the web pages from outside. | + | **Remote configuration Web/Telnet/SNMP** Check box(es) if you want the configuration web interface (these pages), the command line interface (Telnet with port 57) or the SNMP server resp. to be accessible from the Internet. The IP address/mask fields could be filled in to allow only one or a few IP addresses to access the configuration. Choose if you want to use http (with port 66), https (with port 78), or both of them, when accessing the web pages from outside. |
| (:!: Security risk!) [[wp>Telnet]] [[wp>SNMP]] | (:!: Security risk!) [[wp>Telnet]] [[wp>SNMP]] | ||
| Line 36: | Line 39: | ||
| ===== VPN Pass-through ===== | ===== VPN Pass-through ===== | ||
| - | controls VPN tunnels going through the firewall, thus VPN connections that are not [[VPN page|terminated]] in the unit itself. | + | controls [[wp>VPN]] tunnels going through the firewall, thus VPN connections that are not [[VPN page|terminated]] in the unit itself. |
| * [[IPSec pass-through]] | * [[IPSec pass-through]] | ||
| * [[IPSec NAT-T pass-through]] | * [[IPSec NAT-T pass-through]] | ||
| Line 55: | Line 58: | ||
| Redirections selected in priority order, 1:st row first. | Redirections selected in priority order, 1:st row first. | ||
| - | **Protocol** Protocol number or (for common protocols) name. Leave blank for "all protocols". | + | **Protocol** [[wp>List_of_IP_protocol_numbers|Protocol number]] or (for common protocols) name. Leave blank for "all protocols". |
| **outside IP address** Global IP address that is to be redirected. Only if you have received more than one global IP address from your Internet provider. Else leave empty. | **outside IP address** Global IP address that is to be redirected. Only if you have received more than one global IP address from your Internet provider. Else leave empty. | ||
| Line 115: | Line 118: | ||
| **Block sites** Enter a list of sites (comma separated) users should not be able to access. Compares the hostname part of the URL - the part before the first "/". Do not include the starting "www." part. Sites with their full name matching are blocked. If you do not specify the top-level domain all domains are denied.\\ | **Block sites** Enter a list of sites (comma separated) users should not be able to access. Compares the hostname part of the URL - the part before the first "/". Do not include the starting "www." part. Sites with their full name matching are blocked. If you do not specify the top-level domain all domains are denied.\\ | ||
| - | Example: "youtube.com,google" stops access to www.youtube.com, google.com, and google.co.uk, but allows youtube.co.uk, googlefight.com and en.wikipedia.org/wiki/google | + | Example: "youtube.com,google" stops access to %%www.youtube.com, google.com, and google.co.uk, but allows youtube.co.uk, googlefight.com and en.wikipedia.org/wiki/google%% |
| - | **Block IP numbers** Block use of IP address in URL (eg http://213.136.58.99) | + | **Block IP numbers** Block use of IP address in URL (eg %%http://213.136.58.99%%) |
| **Block filetypes** Enter a list of file extensions (comma separated) users should not be able to download. Compares the path part of the URL - the part after the first "/". Include the starting dot. File types exactly matching the extensions are blocked.\\ | **Block filetypes** Enter a list of file extensions (comma separated) users should not be able to download. Compares the path part of the URL - the part after the first "/". Include the starting dot. File types exactly matching the extensions are blocked.\\ | ||
