Setup guide

ManualsBrandsD-Link ManualsComputer equipmentDWL-500 - 11Mb Wireless LAN PCI Network Card

211

212

213

214

215

216

217

218

219

220

0 ;;; Allow established TCP connections

protocol=tcp tcp-options=non-syn-only connection-state=established

action=accept

1 ;;; Allow UDP connections

protocol=udp action=accept

2 ;;; Allow ICMP messages

protocol=icmp action=accept

3 ;;; Allow access from 'trusted' network 10.5.8.0/24

src-address=10.5.8.0/24 action=accept

4 ;;; Reject everything else

action=reject log=yes

[admin@Wandy] ip firewall rule input>

Thus, the input chain will accept only allowed connections and reject, and log everything else.

Protecting the Customer's Network

To protect the customer's network, we should match all packets with destination address

192.168.0.0/24 that are passing through the router. This can be done in the forward chain. We can

match the packets against the IP addresses in the forward chain, and then jump to another chain,

say, customer. We create the new chain and add rules to it:

[admin@Wandy] ip firewall> add name=customer

[admin@Wandy] ip firewall> print

# NAME POLICY

0 input accept

1 forward accept

2 output accept

3 customer none

[admin@Wandy] ip firewall> rule customer

[admin@Wandy] ip firewall rule customer> protocol=tcp tcp-options=non-syn-only \

\... connection-state=established comment="Allow established TCP connections"

[admin@Wandy] ip firewall rule customer> add protocol=udp \

\... comment="Allow UDP connections"

[admin@Wandy] ip firewall rule customer> add protocol=icmp \

\... comment="Allow ICMP messages"

[admin@Wandy] ip firewall rule customer> add protocol=tcp tcp-options=syn-only \

\... dst-address=192.168.0.17/32:80 \

\... comment="Allow http connections to the server at 192.168.0.17"

[admin@Wandy] ip firewall rule customer> add protocol=tcp tcp-options=syn-only \

\... dst-address=192.168.0.17/32:25 \

\... comment="Allow SMTP connections to the server at 192.168.0.17"

[admin@Wandy] ip firewall rule customer> add protocol=tcp tcp-options=syn-only \

\... src-port=20 dst-port=1024-65535 \

\... comment="Allow ftp data connections from servers on the Internet"

[admin@Wandy] ip firewall rule customer> add action=reject log=yes \

\... comment="Reject and log everything else"

[admin@Wandy] ip firewall rule customer> print

Flags: X - disabled, I - invalid, D - dynamic

0 ;;; Allow established TCP connections

protocol=tcp tcp-options=non-syn-only connection-state=established

action=accept

1 ;;; Allow UDP connections

protocol=udp action=accept

2 ;;; Allow ICMP messages

protocol=icmp action=accept

3 ;;; Allow http connections to the server at 192.168.0.17

dst-address=192.168.0.17/32:80 protocol=tcp tcp-options=syn-only

action=accept

4 ;;; Allow SMTP connections to the server at 192.168.0.17

dst-address=192.168.0.17/32:25 protocol=tcp tcp-options=syn-only

action=accept

5 ;;; Allow ftp data connections from servers on the Internet