
3Com Router User Manual


Page 551

39 CONFIGURING FIREWALL
This chapter covers the following topics:
■ Firewall Overview
■ Configure Firewall
■ Displaying and Debugging Firewall
■ Firewall Configuration Example
Firewall Overview
A firewall is used to control which network devices may access the internal network resources. Setting a firewall at the access entry point of the intranet controls access to the internal network resources by external network devices. In case of multiple entry points, every access entry point should...

Page 552

Classification of Firewalls
Usually firewalls are divided into two types: network layer firewalls and application layer firewalls. A network layer firewall mainly examines the packet header information, such as the protocol number, source address and source port, destination address and destination port, or directly takes the data from the packet header. An application layer firewall, by contrast, analyzes the whole information stream.
Commonly used firewalls include...

Page 553

Figure 171   Packet filtering schematic diagram
The following can be realized by packet filtering:
■ Prohibit logging on with telnet from outside
■ Every E-mail is sent by SMTP (Simple Message Transfer Protocol).
■ One PC, rather than all other PCs, can send news to us by NNTP (Network News Transfer Protocol).
Packet filtering in 3Com router security equipment has the following features:
■ Based on access-list (Access Control List - ACL): ACL is applied not only in packet filtering...

Page 554

acl acl-number [ match-order config | auto ]
rule { normal | special } { permit | deny } [ source source-addr source-wildcard | any ]
■ Extended access control list
acl acl-number [ match-order config | auto ]
rule { normal | special } { permit | deny } pro-number [ source source-addr source-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination dest-addr dest-wildcard | any ] [ destination-port operator port1 [ port2 ] ] [ icmp-type icmp-type...

Page 555

Table 619   Mnemonic Symbol of the Port Number
Protocol   Mnemonic Symbol   Meaning and Actual Value
TCP        bgp               Border Gateway Protocol (179)
           chargen           Character generator (19)
           cmd               Remote commands (rcmd, 514)
           daytime           Daytime (13)
           discard           Discard (9)
           domain            Domain Name Service (53)
           echo              Echo (7)
           exec              Exec (rsh, 512)
           finger            Finger (79)
           ftp               File Transfer Protocol...
           ftp-data
           gopher
           hostname
           irc
           chat
           klogin
           kshell
           login
           lpd
           nntp
           pop2
           pop3
           smtp
           sunrpc
           syslog
           tacacs
           talk
           telnet
           time
           uucp
           whois
           www
(The meanings and actual values of the remaining TCP mnemonics are cut off on this page.)

Page 556

UDP        biff              Mail notify (512)
           bootpc            Bootstrap Protocol Client (68)
           bootps            Bootstrap Protocol Server (67)
           discard           Discard (9)
           dns               Domain Name Service (53)
           dnsix             DNSIX Security Attribute...
           echo
           mobilip-ag
           mobilip-mn
           nameserver
           netbios-dgm
           netbios-ns
           netbios-ssn
           ntp
           rip
           snmp
           snmptrap
           sunrpc
           syslog
           tacacs-ds
           talk
           tftp
           time
           who
           xdmcp
(The meanings and actual values of the remaining UDP mnemonics are cut off on this page.)
As for ICMP, you can specify the ICMP packet type. You can use a number (ranging from 0 to 255) or a mnemonic symbol to specify the packet type.

Page 557

Table 620   Mnemonic Symbol of the ICMP Message Type
By configuring the firewall and adding appropriate access rules, you can use packet filtering to check the IP packets that pass through the router and prohibit unexpected packets from passing. In this way packet filtering helps to protect network security.
Configure the match sequence of access control list
An access control rule can be composed of several “permit” and “deny” statements, and the range of the data...

Page 558

The “depth-first” principle means matching the access rules with the smallest definition range of data packets first. This is achieved by comparing the wildcards of the addresses: the smaller the wildcard, the smaller the range of hosts specified. For example, 129.102.1.1 0.0.0.0 specifies a single host (the address 129.102.1.1), while 129.102.1.1 0.0.255.255 specifies a network segment (the range of addresses from 129.102.1.1 to 129.102.255.255); obviously the...

Page 559

Configuring Standard Access Control List
The value of the standard access control list is an integer from 1 to 99. First, enter the ACL view through the acl command and configure the match sequence of the access control list; then configure the specific access rules through the rule command. If the match sequence is not configured, auto mode is used.
Perform the following configurations in system view and ACL view.
Table 622   Configure Standard Access...

Page 560

normal means that the rule functions during the normal time range, while special means that the rule functions during the special time range. Users must set the special time range when using special. Multiple rules with the same serial number are matched according to the “depth-first” principle.
By default, normal is adopted.
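The “depth-first” principle and the config | auto match order of the acl command, worked through in Python as an added example (not code from the manual or from 3Com's router software). The rules, the source addresses tested, and the treatment of normal/special time ranges are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample rules (not from the manual), in the order they were entered:
# (time range, action, source address, source wildcard). In the wildcard a 0 bit
# must match the address and a 1 bit is "don't care", as in the manual's examples.
RULES = [
    ("normal",  "permit", "129.102.1.1", "0.0.255.255"),      # 129.102.x.x segment
    ("normal",  "deny",   "129.102.1.1", "0.0.0.0"),          # the single host
    ("special", "deny",   "129.102.1.1", "0.0.255.255"),      # segment, special time only
    ("normal",  "deny",   "0.0.0.0",     "255.255.255.255"),  # equivalent to "any"
]

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(rule, src):
    """True if src lies in the rule's address/wildcard range."""
    _, _, addr, wild = rule
    care = ~to_int(wild) & 0xFFFFFFFF          # bits that must match exactly
    return (to_int(addr) & care) == (to_int(src) & care)

def wildcard_width(rule):
    """Count of don't-care bits; the smaller it is, the narrower the host range."""
    return bin(to_int(rule[3])).count("1")

def order_rules(rules, match_order):
    """config: rules are tried as entered; auto: depth-first, smallest wildcard first."""
    if match_order == "config":
        return list(rules)
    return sorted(rules, key=wildcard_width)   # stable sort, so ties keep entry order

def decide(rules, src, match_order="auto", special_time=False, default="permit"):
    """Action of the first effective matching rule, else the default filtering mode.
    Assumption (not stated by the manual): 'normal' rules apply outside the special
    time range and 'special' rules only inside it."""
    wanted = "special" if special_time else "normal"
    for rule in order_rules(rules, match_order):
        if rule[0] == wanted and matches(rule, src):
            return rule[1]
    return default

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, decide(RULES, "129.102.1.1", order))   # config: permit, auto: deny
```

With auto the host-specific deny rule is tried before the broader permit even though it was entered later; with config the broader permit entered first wins.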
Setting the Default Firewall Filtering Mode
The default firewall-filtering mode means that when there is no suitable access rule to...