
Zyxel 650H DSL modem packet filter setting



 
 
  #1  
Old August 1st 03, 12:37 PM posted to uk.telecom.broadband
artw

I would like to set up Zyxel 650H DSL modem as a firewall. I want it
to prevent all PCs in the LAN, except for the Proxy server, to access
the Internet. That is, everyone must go through the Proxy server for
http access.

I started at Filter Set Configuration menu (Menu 21). Then I created
a new Filter Set #. Then I try to create a new rule with these
parameters:
Active=Y
Protocol=6
Source address=10.15.51.11 (The proxy server's IP address)
IP Mask=255.255.255.0
Port=80 (Should it be 0 ???)
Port # Comp=None
Source address=0.0.0.0
IP Mask=255.255.255.255 (Should it be 0.0.0.0 ???)
Port= (Should it be 80 ???)
Port # Comp=None

Some of the settings that we want to try are not accepted. It said --
invalid source address or something like that.

Then we go to LAN setup (Menu 3), then sub menu 1 (LAN port filter
setup), then under OUTPUT filter set (at the protocol filter), we
assign the above filter set to it. This blocks EVERY PC including the
proxy from using http on the Internet.

Does anyone know how to set these things? (Our ISP, DSL provider, and
Zyxel rep don't know how to do it!!!)

Any help will be highly appreciated.
Thanks.
-Art
  #2  
Old August 3rd 03, 04:57 PM posted to uk.telecom.broadband
Max

On 1 Aug 2003 04:37:38 -0700, artw wrote:
> I would like to set up Zyxel 650H DSL modem as a firewall. I want it
> to prevent all PCs in the LAN, except for the Proxy server, to access
> the Internet. That is, everyone must go through the Proxy server for
> http access.
>
> I started at Filter Set Configuration menu (Menu 21). Then I created
> a new Filter Set #. Then I try to create a new rule with these
> parameters:
> Active=Y
> Protocol=6
> Source address=10.15.51.11 (The proxy server's IP address)
> IP Mask=255.255.255.0
> Port=80 (Should it be 0 ???)
> Port # Comp=None
> Source address=0.0.0.0
> IP Mask=255.255.255.255 (Should it be 0.0.0.0 ???)
> Port= (Should it be 80 ???)
> Port # Comp=None
>
> Some of the settings that we want to try are not accepted. It said --
> invalid source address or something like that.
>
> Then we go to LAN setup (Menu 3), then sub menu 1 (LAN port filter
> setup), then under OUTPUT filter set (at the protocol filter), we
> assign the above filter set to it. This blocks EVERY PC including the
> proxy from using http on the Internet.
>
> Does anyone know how to set these things? (Our ISP, DSL provider, and
> Zyxel rep don't know how to do it!!!)




First make a rule to allow the proxy to access the net.

Filter #: X,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
Source: IP Addr= 10.15.51.11
IP Mask= 255.255.255.255
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Forward
Action Not Matched= Check Next Rule


Then deny anyone else on the LAN accessing the web.

Filter #: X,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 80
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Drop
Action Not Matched= Forward

This will deny anyone from accessing the web but if the rule X,1 is
true then x,2 will never get tested so the proxy can pass through OK.

Note it's important for the last filter set of the group of filter rules you
use to contain Action Not Matched= Forward, otherwise any packets getting
this far will be dropped.

  #3  
Old August 4th 03, 08:59 AM posted to uk.telecom.broadband
artw

Many thanks for your help. It works well. I can follow the logic of
your two steps and see how it works.

But I don't understand why can't we do it with one rule like this:

Filter #: X,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 80
Port # Comp= Equal
Source: IP Addr= 10.15.51.11
IP Mask= 255.255.255.255
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Forward
Action Not Matched= Drop

Assuming we want to drop everything except port 80 of #11.
When I do this, the #11's browser cannot access the Internet. Is it
because the browser is using other ports in addition to port 80 ???
What's wrong???

Regards,
-Art

Max wrote in message .. .
> First make a rule to allow the proxy to access the net.
>
> Filter #: X,1
> Filter Type= TCP/IP Filter Rule
> Active= Yes
> IP Protocol= 6 IP Source Route= No
> Destination: IP Addr= 0.0.0.0
> IP Mask= 0.0.0.0
> Port #=
> Port # Comp= None
> Source: IP Addr= 10.15.51.11
> IP Mask= 255.255.255.255
> Port #=
> Port # Comp= None
> TCP Estab= No
> More= No Log= None
> Action Matched= Forward
> Action Not Matched= Check Next Rule
>
> Then deny anyone else on the LAN accessing the web.
>
> Filter #: X,2
> Filter Type= TCP/IP Filter Rule
> Active= Yes
> IP Protocol= 6 IP Source Route= No
> Destination: IP Addr= 0.0.0.0
> IP Mask= 0.0.0.0
> Port #= 80
> Port # Comp= Equal
> Source: IP Addr= 0.0.0.0
> IP Mask= 0.0.0.0
> Port #=
> Port # Comp= None
> TCP Estab= No
> More= No Log= None
> Action Matched= Drop
> Action Not Matched= Forward
>
> This will deny anyone from accessing the web but if the rule X,1 is
> true then x,2 will never get tested so the proxy can pass through OK.
>
> Note it's important for the last filter set of the group of filter rules you
> use to contain Action Not Matched= Forward, otherwise any packets getting
> this far will be dropped.

  #4  
Old August 4th 03, 09:26 AM posted to uk.telecom.broadband
Alex Butcher

On Mon, 04 Aug 2003 00:59:46 -0700, artw wrote:

> Many thanks for your help. It works well. I can follow the logic of your
> two steps and see how it works.
>
> But I don't understand why can't we do it with one rule like this:
>
> Filter #: X,1
> Filter Type= TCP/IP Filter Rule
> Active= Yes
> IP Protocol= 6 IP Source Route= No
> Destination: IP Addr= 0.0.0.0
> IP Mask= 0.0.0.0
> Port #= 80
> Port # Comp= Equal
> Source: IP Addr= 10.15.51.11
> IP Mask= 255.255.255.255
> Port #=
> Port # Comp= None
> TCP Estab= No
> More= No Log= None
> Action Matched= Forward
> Action Not Matched= Drop
>
> Assuming we want to drop everything except port 80 of #11. When I do
> this, the #11's browser cannot access the Internet. Is it because the
> browser is using other ports in addition to port 80 ??? What's wrong???


That should work also, for plain HTTP connections at least. You'll
probably also want to add additional (similar) rules to handle ports 443
(HTTPS) and perhaps 8000 and 8080 (which are commonly used as alternative
ports - but also for publicly-accessible proxies!)

To be honest, if you want to set outbound policies, I don't really think
that ZyXEL's filter is up to the job. It's hard to create a *maintainable*
inbound/outbound policy using only 4 x 6 = 24 rules (maybe the 650 is less
limited than the models I've seen). It's probably worth your while looking
at some of the "professional" firewall products out there - start with
Astaro Security Linux http://www.astaro.com and work your way up (if you
feel the need).

Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 http://www.assursys.com/
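
Added example (not part of any post in this thread, and not ZyXEL code): a simplified Python model of how a filter set walks its rules, used to check Max's two-rule set and artw's single rule against constructed sample packets. Assumptions: only protocol, address/mask and destination port are modelled (no TCP Estab, no filter direction), a packet that falls off the end of the set is dropped as Max's post states, and the 10.15.51.20 PC and 192.0.2.x destinations are made up.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

FORWARD, DROP, NEXT = "Forward", "Drop", "Check Next Rule"

def _net(addr, mask):
    # Apply the rule's mask so 0.0.0.0/0.0.0.0 matches any address.
    return int(IPv4Address(addr)) & int(IPv4Address(mask))

@dataclass
class Rule:  # hypothetical model of one "TCP/IP Filter Rule" screen
    proto: int                     # IP Protocol (6 = TCP, 17 = UDP)
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = None           # None models "Port # Comp= None"
    matched: str = FORWARD         # Action Matched
    not_matched: str = NEXT        # Action Not Matched

    def matches(self, proto, src, dst, dport):
        return (self.proto == proto
                and _net(src, self.src_mask) == _net(self.src, self.src_mask)
                and _net(dst, self.dst_mask) == _net(self.dst, self.dst_mask)
                and self.dst_port in (None, dport))

def evaluate(rules, proto, src, dst, dport):
    """Walk the rules in order and return Forward or Drop for one packet."""
    for rule in rules:
        action = rule.matched if rule.matches(proto, src, dst, dport) else rule.not_matched
        if action != NEXT:
            return action
    return DROP  # assumption taken from Max's note about the last rule

PROXY = "10.15.51.11"
TWO_RULES = [  # Max's X,1 and X,2
    Rule(6, src=PROXY, src_mask="255.255.255.255", matched=FORWARD, not_matched=NEXT),
    Rule(6, dst_port=80, matched=DROP, not_matched=FORWARD),
]
ONE_RULE = [  # artw's single rule
    Rule(6, src=PROXY, src_mask="255.255.255.255", dst_port=80,
         matched=FORWARD, not_matched=DROP),
]
PACKETS = [  # constructed samples: (label, proto, src, dst, dst_port)
    ("proxy HTTP", 6, PROXY, "192.0.2.10", 80),
    ("PC HTTP", 6, "10.15.51.20", "192.0.2.10", 80),
    ("PC HTTPS", 6, "10.15.51.20", "192.0.2.10", 443),
    ("PC port 8080", 6, "10.15.51.20", "192.0.2.10", 8080),
    ("proxy DNS", 17, PROXY, "192.0.2.53", 53),
]

def audit(rules):
    return {label: evaluate(rules, p, s, d, port) for label, p, s, d, port in PACKETS}
```

Under this model the two-rule set still forwards direct connections from other PCs on ports 443 and 8080, the ports Alex mentions, while the single rule drops everything except the proxy's TCP port 80 traffic, including its UDP DNS lookups.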

 



