Справочник Пользователя для ASUS rx3041h
RX3041H User’s Manual
Chapter 9. Configuring Firewall/NAT Settings
51
9
Configuring Firewall/NAT Settings
The RX3041H provides built-in firewall/NAT functions, enabling you to protect the system against denial of
service (DoS) attacks and other types of malicious accesses to your LAN while providing Internet access
sharing at the same time. You can also specify how to monitor attempted attacks, and who should be
automatically notified.
service (DoS) attacks and other types of malicious accesses to your LAN while providing Internet access
sharing at the same time. You can also specify how to monitor attempted attacks, and who should be
automatically notified.
This chapter describes how to create/modify/delete ACL (Access Control List) rules to control the data passing
through your network. You will use firewall configuration pages to:
through your network. You will use firewall configuration pages to:
Create, modify, delete and view inbound/outbound ACL rules.
Create, modify and delete pre-defined services, IP pools, NAT pools, application filters and time
Create, modify and delete pre-defined services, IP pools, NAT pools, application filters and time
ranges to be used in inbound/outbound ACL configurations.
View firewall statistics.
Note: When you define an ACL rule, you instruct the RX3041H to examine each data packet it receives to
determine whether it meets criteria set forth in the rule. The criteria can include the network or internet protocol
it is carrying, the direction in which it is traveling (for example, from the LAN to the Internet or vice versa), the
IP address of the sending computer, the destination IP address, and other characteristics of the packet data.
determine whether it meets criteria set forth in the rule. The criteria can include the network or internet protocol
it is carrying, the direction in which it is traveling (for example, from the LAN to the Internet or vice versa), the
IP address of the sending computer, the destination IP address, and other characteristics of the packet data.
If the packet matches the criteria established in a rule, the packet can either be accepted (forwarded towards
its destination), or denied (discarded), depending on the action specified in the rule.
its destination), or denied (discarded), depending on the action specified in the rule.
9.1 Firewall
Overview
9.1.1 Stateful
Packet Inspection
The stateful packet inspection engine in the RX3041H maintains a state table that is used to keep track of
connection states of all the packets passing through the firewall. The firewall will open a “hole” to allow the
packet to pass through if the state of the packet that belongs to an already established connection matches the
state maintained by the stateful packet inspection engine. Otherwise, the packet will be dropped. This “hole”
will be closed when the connection session terminates. No configuration is required for stateful packet
inspection; it is enabled by default when the firewall is enabled. Please refer to section 11.1 Configure System
Services to enable or disable firewall service on the RX3041H.
connection states of all the packets passing through the firewall. The firewall will open a “hole” to allow the
packet to pass through if the state of the packet that belongs to an already established connection matches the
state maintained by the stateful packet inspection engine. Otherwise, the packet will be dropped. This “hole”
will be closed when the connection session terminates. No configuration is required for stateful packet
inspection; it is enabled by default when the firewall is enabled. Please refer to section 11.1 Configure System
Services to enable or disable firewall service on the RX3041H.
9.1.2 DoS
(Denial
of
Service) Protection
Both DoS protection and stateful packet inspection provide first line of defense for your network. No
configuration is required for both protections on your network as long as firewall is enabled for the RX3041H.
By default, the firewall is enabled at the factory. Please refer to section 11.1 Configure System Services to
enable or disable firewall service on the RX3041H.
configuration is required for both protections on your network as long as firewall is enabled for the RX3041H.
By default, the firewall is enabled at the factory. Please refer to section 11.1 Configure System Services to
enable or disable firewall service on the RX3041H.
9.1.3
Firewall and Access Control List (ACL)
9.1.3.1
Priority Order of ACL Rule
All ACL rules have a rule ID assigned – the smaller the rule ID, the higher the priority. Firewall monitors the
traffic by extracting header information from the packet and then either drops or forwards the packet by looking
for a match in the ACL rule table based on the header information. Note that the ACL rule checking starts from
the rule with the smallest rule ID until a match is found or all the ACL rules are examined. If no match is found,
the packet is dropped; otherwise, the packet is either dropped or forwarded based on the action defined in the
matched ACL rule.
traffic by extracting header information from the packet and then either drops or forwards the packet by looking
for a match in the ACL rule table based on the header information. Note that the ACL rule checking starts from
the rule with the smallest rule ID until a match is found or all the ACL rules are examined. If no match is found,
the packet is dropped; otherwise, the packet is either dropped or forwarded based on the action defined in the
matched ACL rule.