Setup guide

should be used with destination to this chain from a rule within another chain.
The policy of user-added chains is none, and it cannot be changed. A chain cannot be removed if it
still contains rules (is not empty).
Notes
Because the NAT rules are applied first, keep this in mind when setting up firewall rules: the
original packets may already have been modified by NAT by the time the firewall rules see them.
Packets passing through the router are not processed against the rules of either the input or the
output chain; only the forward chain applies to them.
Be careful when changing the default policy action of the input and output chains! If you change the
policy to drop and there are no additional rules that allow connections to the router, you may lose
your connection to the router.
Example
[admin@Wandy] ip firewall> print
  # NAME    POLICY
  0 input   accept
  1 forward accept
  2 output  accept
[admin@Wandy] ip firewall> add name=router
[admin@Wandy] ip firewall> print
  # NAME    POLICY
  0 input   accept
  1 forward accept
  2 output  accept
  3 router  none
[admin@Wandy] ip firewall>
IP Firewall Applications
Description
This section discusses some common IP firewalling applications and gives examples of them.
Basic Firewall Building Principles
Assume we have a router that connects a customer's network to the Internet. The basic firewall
building principles can be grouped as follows:
Protect the router from unauthorized access
Connections to the addresses assigned to the router itself should be monitored. Only access
from certain hosts to certain TCP ports of the router should be allowed.
This can be done by putting rules in the input chain to match packets with the destination
address of the router entering the router through all interfaces.
Protect the customer's hosts
Connections to the addresses assigned to the customer's network should be monitored. Only
access to certain hosts and services should be allowed.
This can be done by putting rules in the forward chain to match packets passing through the
router with destination addresses in the customer's network.
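The first two principles above, written out as an added example that is not part of the manual. It assumes RouterOS 2.x rule syntax (/ip firewall rule input and /ip firewall rule forward with the src-address, dst-address, in-interface, protocol, dst-port, connection-state, action and comment arguments), an interface named Public, a customer network of 10.5.8.0/24 with a web server at 10.5.8.10, and an administrator's host at 192.168.0.5; all of these names and addresses are assumptions, not values from the page.

```routeros
# Added example, not taken from the manual. Assumed: RouterOS 2.x syntax, an
# interface named "Public", customer network 10.5.8.0/24 with a web server at
# 10.5.8.10, and an administrator host at 192.168.0.5 (all constructed values).

# 1. Protect the router: rules in the input chain match packets addressed to
#    the router itself, whatever interface they arrive on. Accept rules come
#    first, then an explicit final drop, so the chain policy can stay "accept"
#    and the lockout described in the Notes above is avoided.
/ip firewall rule input
add connection-state=established action=accept comment="keep existing sessions"
add src-address=192.168.0.5/32 protocol=tcp dst-port=22 action=accept comment="admin host to ssh"
add action=drop comment="all other traffic addressed to the router"

# 2. Protect the customer's hosts: rules in the forward chain match packets
#    passing through the router with destination addresses in the customer's
#    network. Only web access to one server is allowed from the Internet;
#    connections the customer's hosts open outward still pass.
/ip firewall rule forward
add connection-state=established action=accept comment="replies to outbound sessions"
add in-interface=Public dst-address=10.5.8.10/32 protocol=tcp dst-port=80 action=accept comment="public web server"
add in-interface=Public dst-address=10.5.8.0/24 action=drop comment="no other inbound to customer hosts"
```

The last rule of each chain is an explicit drop rather than a changed default policy, so the order of the accept rules before it is what decides whether the administrator keeps access.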
Use source NAT (masquerading) to 'Hide' the Private Network behind one External