Справочник Пользователя для ASUS rx3041h
RX3041H User’s Manual
Chapter 2 Getting to Know the RX3041H
5
Keyword based URL Filtering
2.4.1.1
Address Sharing and Management
The RX3041H Firewall provides NAT to share a single high-speed Internet connection and to save the cost of
multiple connections required for the hosts on the LAN segments connected to the RX3041H. This feature
conceals network address and prevents them from becoming public. It maps unregistered IP addresses of
hosts connected to the LAN with valid ones for Internet access. The RX3041H Firewall also provides reverse
NAT capability, which enables SOHO users to host various services such as e-mail servers, web servers, etc.
The NAT rules drive the translation mechanism at the NAT router. The following types of NAT are supported
by the RX3041H.
multiple connections required for the hosts on the LAN segments connected to the RX3041H. This feature
conceals network address and prevents them from becoming public. It maps unregistered IP addresses of
hosts connected to the LAN with valid ones for Internet access. The RX3041H Firewall also provides reverse
NAT capability, which enables SOHO users to host various services such as e-mail servers, web servers, etc.
The NAT rules drive the translation mechanism at the NAT router. The following types of NAT are supported
by the RX3041H.
Static NAT – Maps an internal host address to a globally valid Internet address (one-to-one). All
packets are directly translated with the information contained in the map.
Dynamic NAT – Maps an internal host address dynamically to a globally valid Internet address (m-to-
n). The map usually contains a pool of internal IP addresses (m) and a pool of globally valid Internet IP
addresses (n) with m usually greater than n. Each internal IP address is mapped to one external IP
address on a first come first serve basis.
addresses (n) with m usually greater than n. Each internal IP address is mapped to one external IP
address on a first come first serve basis.
NAPT (Network Address and Port Translation) – Also called IP Masquerading. Maps many internal
hosts to only one globally valid Internet address. The map usually contains a pool of network ports to
be used for translation. Every packet is translated with the globally valid Internet address; the port
number is translated with a free pool from the pool of network ports.
be used for translation. Every packet is translated with the globally valid Internet address; the port
number is translated with a free pool from the pool of network ports.
Reverse Static – This is inbound mapping that maps a globally valid Internet address to an internal
host address. All packets coming to that external address are relayed to the internal address. This is
useful when hosting services in an internal machine.
useful when hosting services in an internal machine.
Reverse NAPT – Also called inbound mapping, port mapping, and virtual server. Any packet coming
to the router can be relayed to the internal host based on the protocol, port number or IP Address
specified in the rule. This is useful when multiple services are hosted on different internal machines.
specified in the rule. This is useful when multiple services are hosted on different internal machines.
Note
For a complete listing of all NAT ALGs supported, refer to
Appendix A “ALG Configuration” on.
Appendix A “ALG Configuration” on.
2.4.1.2
ACL (Access Control List)
ACL rule is one of the basic building blocks for network security. Firewall monitors each individual packet,
decodes the header information of inbound and outbound traffic and then either blocks the packet from
passing or allows it to pass based on the contents of the source address, destination address, source port,
destination port, protocol and other criterion, e.g. application filter, time ranges, defined in the ACL rules.
decodes the header information of inbound and outbound traffic and then either blocks the packet from
passing or allows it to pass based on the contents of the source address, destination address, source port,
destination port, protocol and other criterion, e.g. application filter, time ranges, defined in the ACL rules.
ACL is a very appropriate measure for providing isolation of one subnet from another. It can be used as the
first line of defense in the network to block inbound packets of specific types from ever reaching the protected
network.
first line of defense in the network to block inbound packets of specific types from ever reaching the protected
network.
The RX3041H Firewall’s ACL methodology supports:
Filtering based on destination and source IP address, port number and protocol
Use of the wild card for composing filter rules
Filter Rule priorities
Time based filters
Application specific filters
User group based filters for remote access
Use of the wild card for composing filter rules
Filter Rule priorities
Time based filters
Application specific filters
User group based filters for remote access
2.4.1.3 Stateful
Packet
Inspection
The RX3041H Firewall uses “stateful packet inspection” that extracts state-related information required for the
security decision from the packet and maintains this information for evaluating subsequent connection
attempts. It has awareness of application and creates dynamic sessions that allow dynamic connections so
security decision from the packet and maintains this information for evaluating subsequent connection
attempts. It has awareness of application and creates dynamic sessions that allow dynamic connections so