Multi-Tech Systems RF660 User Manual

Chapter 6 – RouteFinder Software  
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D) 
Packet Filters 
Packet Filters > Packet Filter Rules 
The Packet Filter is a key element of the RouteFinder. Packet filters are used to set firewall rules which define what type of 
data traffic is allowed across the RouteFinder's firewall. There are certain System Defined Rules that exist by default.  You 
can specify whether particular packets are to be forwarded through the RouteFinder system or filtered. These rules are set 
with the help of network/host definitions and service definitions on the Networks & Services screen. 
Prerequisites 
To be able to differentiate rules, the appropriate Networks & Services > Service Groups and Networks & Services > Network Groups must first be defined.
 
The rule entered in the Setup Wizard displays in this table:
1    lan    ANY    ANY    ACCEPT    Edit|Delete|Move
 
Show Packet Filter Rules in Popup Window 
When you click the Show button, a screen displays showing the existing packet filter rules. 
 
The RouteFinder’s behavior is determined by the content and order of the filter rules. The filter rules are 
assigned by column number (column nr).  Every incoming data packet is checked against the rules in order 
(whether rule 1 is valid, rule 2 is valid, etc.).  As soon as a correspondence is found, the procedure determined 
by the action is carried out. You can Accept, Drop, Reject, or Log the packets. When packets are denied 
(Rejected setting), an entry is made in the appropriate log file.  
All rules are entered according to the principle: From Client - Service - To Server - Action.  
When setting packet filters, the two fundamental types of security policies are:  
• All packets are allowed through – Rules Setup has to be informed explicitly what is forbidden. 
• All packets are blocked – Rules Setup needs information about which packets to let through.  
Your RouteFinder default is the "all packets are blocked" setting, as this procedure achieves inherently 
higher security.  This means that you explicitly define which packets may pass through the filter. All other 
packets are blocked and are displayed in the Filter LiveLog.
 
Example: Network A is contained in network B.  
Rule 1 allows network A to use the SMTP service.  
Rule 2 forbids network B to use SMTP.  
Result: Only network A is allowed SMTP.  
SMTP packets from all other network B IP addresses are not allowed to pass and are logged.   
Caution:  
Re-sorting the rules may change how the RouteFinder operates. Be very careful when defining the 
rule set. It determines the security of your RouteFinder.  
 
If one rule applies, the subsequent ones are ignored. Therefore, the sequence is very important.  
Never place a rule with the entries Any – Any – Any – Accept at the top of your rule set, as such a 
setting will match all packets, and thus, cause all subsequent rules to be ignored.
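
The first-match behavior in the Example and Caution above can be checked offline with the following added sketch, which is not part of the manual and is not RouteFinder code. The addresses, the DROP action for rule 2, and the function names evaluate and shadowed are assumptions made for illustration; it also reports rules that an earlier rule makes unreachable.

```python
import ipaddress

# Constructed sample networks (not from the manual): network A lies inside network B.
NET_A = ipaddress.ip_network("192.168.1.0/24")
NET_B = ipaddress.ip_network("192.168.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
SMTP = 25

# Rule layout follows the manual's principle: From Client - Service - To Server - Action.
# A service of None stands for ANY. DROP for rule 2 is an assumed choice of deny action.
MANUAL_ORDER = [
    (NET_A, SMTP, ANY, "ACCEPT"),  # rule 1: network A may use SMTP
    (NET_B, SMTP, ANY, "DROP"),    # rule 2: network B may not use SMTP
]
REVERSED = MANUAL_ORDER[::-1]                               # the same rules, re-sorted
ANY_FIRST = [(ANY, None, ANY, "ACCEPT")] + MANUAL_ORDER     # Any - Any - Any - Accept on top


def evaluate(rules, src, port, dst):
    """Return (action, rule_nr) of the first matching rule; rule_nr 0 is the default policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nr, (frm, service, to, action) in enumerate(rules, start=1):
        if src in frm and dst in to and service in (None, port):
            return action, nr  # first match wins; later rules are ignored
    return "DROP", 0  # default: all packets are blocked


def shadowed(rules):
    """Return the numbers of rules that can never match because an earlier rule covers them."""
    dead = []
    for i, (frm, svc, to, _) in enumerate(rules):
        for e_frm, e_svc, e_to, _ in rules[:i]:
            if frm.subnet_of(e_frm) and to.subnet_of(e_to) and e_svc in (None, svc):
                dead.append(i + 1)
                break
    return dead


if __name__ == "__main__":
    for name, rules in (("manual order", MANUAL_ORDER), ("re-sorted", REVERSED),
                        ("any-any-any first", ANY_FIRST)):
        print(name, evaluate(rules, "192.168.1.10", SMTP, "203.0.113.5"),
              "unreachable rules:", shadowed(rules))
```

Running a check like shadowed over a rule set before re-sorting it shows which rules would stop having any effect.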