Home » D-Link Manuals » Networking » D-Link DFL-200 » Manual Viewer

D-Link DFL-200 Product Manual - Page 41

Protocol-independent settings, To use an Application Layer Gateway - problems

UPC - 790069268823

Add to My Manuals
Save this manual to your list of manuals

Page 41 highlights

Protocol-independent settings Allow ICMP errors from the destination to the source - ICMP error messages are sent in several situations: for example, when an IP packet cannot reach its destination. The purpose of these error control messages is to provide feedback about problems in the communication environment. However, ICMP error messages and firewalls are usually not a very good combination; the ICMP error messages are initiated at the destination host (or a device within the path to the destination) and sent to the originating host. The result is that the ICMP error message will be interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the firewall rule-set. It is generally not a good idea to allow any inbound ICMP message to be able to have those error messages forwarded. To solve this problem, the DFL-200 can be instructed to pass an ICMP error message only if it is related to an existing connection. Check this option to enable this feature for connections using this service. ALG - Similar to the way most stateful inspection firewalls behave, the DFL-200 filters only information found in packet headers, such as IP, TCP, UDP, or ICMP headers. In some situations though, filtering only header data is not sufficient. The FTP protocol, for instance, includes IP address and port information in the protocol payload. In these cases, the firewall needs to be able to examine the payload data and carry out appropriate actions. The DFL-200 provides this functionality using Application Layer Gateways (ALG). To use an Application Layer Gateway, the appropriate Application Layer Gateway definition is selected in the dropdown menu. The selected Application Layer Gateway will thus manage network traffic that matches the policy using this service. Currently, the DFL-200 supports two Application Layer Gateways, one is used to manage the FTP protocol and the other one is a HTTP Content Filtering ALG. For detailed information about how to configure the HTTP Application Layer Gateway, please see the Content Filtering chapter.

Section	Page
Features and Benefits	6
Introduction to Firewalls	6
Introduction to Local Area Networking	7
LEDs	8
Physical Connections	8
Package Contents	9
System Requirements	9
Managing D-Link DFL-200	10
Resetting the DFL-200	10
Administration Settings	11
Administrative Access	11
Add ping access to an interface	12
Add Admin access to an interface	12
Add Read-only access to an interface	13
Enable SNMP access to an interface	13
System	14
Interfaces	14
Change IP of the LAN or DMZ interface	14
WAN Interface Settings – Using Static IP	15
WAN Interface Settings – Using DHCP	15
WAN Interface Settings – Using PPPoE	16
WAN Interface Settings – Using PPTP	17
WAN Interface Settings – Using L2TP	18
WAN Interface Settings – Using BigPond	19
MTU Configuration	19
Routing	20
Add a new Static Route	21
Remove a Static Route	21
Logging	22
Enable Logging	23
Enable Audit Logging	23
Enable E-mail alerting for IDS/IDP events	23
Time	24
Changing time zone	25
Using NTP to sync time	25
Setting time and date manually	25
Firewall	26
Policy	26
Policy modes	26
Action Types	26
Source and Destination Filter	26
Service Filter	27
Schedule	27
Intrusion Detection / Prevention	27
Add a new policy	28
Change order of policy	29
Delete policy	29
Configure Intrusion Detection	29
Configure Intrusion Prevention	29
Port mapping / Virtual Servers	30
Add a new mapping	30
	30
Delete mapping	31
Administrative users	32
Change Administrative User Password	32
	32
	32
Users	33
The DFL-200 RADIUS Support	33
Enable User Authentication via HTTP / HTTPS	34
Enable RADIUS Support	34
Add User	35
Change User Password	35
Delete User	36
	36
Schedules	37
Add new recurring schedule	37
Add new one-time schedule	38
Services	39
Adding TCP, UDP or TCP/UDP Service	39
Adding IP Protocol	40
Grouping Services	40
Protocol-independent settings	41
VPN	42
Introduction to IPSec	42
	42
Introduction to PPTP	42
	43
Introduction to L2TP	43
Point-to-Point Protocol	43
Authentication Protocols	44
MPPE, Microsoft Point-To-Point Encryption	44
	44
L2TP/PPTP Clients	45
L2TP/PPTP Servers	46
IPSec VPN between two networks	47
Creating a LAN-to-LAN IPSec VPN Tunnel	47
VPN between client and an internal network	48
	48
Creating a Roaming Users IPSec Tunnel	48
	48
Adding an L2TP/PPTP VPN Client	49
	49
Adding an L2TP/PPTP VPN Server	49
VPN – Advanced Settings	50
Limit MTU	50
IKE Mode	50
IKE DH Group	50
PFS – Perfect Forward Secrecy	50
NAT Traversal	50
Keepalives	50
Proposal Lists	51
IKE Proposal List	51
IPSec Proposal List	51
Certificates	52
Trusting Certificates	52
Local identities	52
Certificates of remote peers	52
Certificate Authorities	53
Identities	53
Content Filtering	54
Edit the URL Global Whitelist	54
Edit the URL Global Blacklist	55
Active content handling	55
Servers	56
DHCP Server Settings	56
Enable DHCP Server	57
Enable DHCP Relay	57
Disable DHCP Server/Relay	57
DNS Relay Settings	58
Enable DNS Relayer	58
Disable DNS Relayer	58
Tools	59
Ping	59
Ping Example	59
Dynamic DNS	60
Add Dynamic DNS Settings	60
Backup	61
Exporting the DFL-200’s Configuration	61
Restoring the DFL-200’s Configuration	61
Restart/Reset	62
Restoring system settings to factory defaults	63
Upgrade	64
Upgrade Firmware	64
Upgrade IDS Signature-database	64
Status	65
System	65
Interfaces	66
VPN	67
Connections	68
DHCP Server	69
How to read the logs	70
	70
USAGE events	70
	70
DROP events	70
CONN events	71
Step by Step Guides	72
LAN-to-LAN VPN using IPSec	73
Settings for Main office	75
LAN-to-LAN VPN using PPTP	77
Settings for Main office	79
LAN-to-LAN VPN using L2TP	83
Settings for Branch office	83
Settings for Main office	86
A more secure LAN-to-LAN VPN solution	90
Settings for Branch office	90
Settings for Main office	93
	93
Windows XP client and PPTP server	94
Settings for the Windows XP client	94
Settings for Main office	101
Windows XP client and L2TP server	104
Settings for the Windows XP client	104
Settings for Main office	106
Intrusion Detection and Prevention	108
Appendixes	111
Appendix A: ICMP Types and Codes	111
Appendix B: Common IP Protocol Numbers	113
Appendix C: Multiple Public IP addresses	114
Appendix D: HTTP Content Filtering	122
Warranty	129
Copyright Statement: No part of this publication or documentation accompanying this Product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976. Contents are subject to change without prior notice. Copyright© 2005 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	131

Match case Limit results 1 per page

Protocol-independent settings

Allow ICMP errors from the destination to the source

– ICMP error messages are sent

in several situations: for example, when an IP packet cannot reach its destination. The

purpose of these error control messages is to provide feedback about problems in the

communication environment.

However, ICMP error messages and firewalls are usually not a very good combination; the

ICMP error messages are initiated at the destination host (or a device within the path to the

destination) and sent to the originating host. The result is that the ICMP error message will be

interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the

firewall rule-set. It is generally not a good idea to allow any inbound ICMP message to be able

to have those error messages forwarded.

To solve this problem, the DFL-200 can be instructed to pass an ICMP error message only

if it is related to an existing connection. Check this option to enable this feature for

connections using this service.

ALG

– Similar to the way most stateful inspection firewalls behave, the DFL-200 filters

only information found in packet headers, such as IP, TCP, UDP, or ICMP headers.

In some situations though, filtering only header data is not sufficient. The FTP protocol, for

instance, includes IP address and port information in the protocol payload. In these cases, the

firewall needs to be able to examine the payload data and carry out appropriate actions. The

DFL-200 provides this functionality using Application Layer Gateways (ALG).

To use an Application Layer Gateway, the appropriate Application Layer Gateway

definition is selected in the dropdown menu. The selected Application Layer Gateway will thus

manage network traffic that matches the policy using this service.

Currently, the DFL-200 supports two Application Layer Gateways, one is used to manage

the FTP protocol and the other one is a HTTP Content Filtering ALG. For detailed information

about how to configure the HTTP Application Layer Gateway, please see the Content Filtering

chapter.