Asus Router RX3042H User Manual
RX3042H User's Manual Configuring Firewall

Field: Description

SYN/ICMP/UDP Flooding: Check or un-check this option to enable or disable the logging for SYN/ICMP/UDP flooding attacks. These attacks involve sending lots of TCP SYN/ICMP/UDP packets to a host in a very short period. RX3042H will not drop the flooding packets to avoid affecting the normal traffic.

TCP XMAS/NULL/FIN Scan: A hacker may be scanning your system by sending these specially formatted packets to see what services are available. Sometimes this is done in preparation for a future attack, or sometimes it is done to see if your system might have a service which is susceptible to attack.
  XMAS scan: A TCP packet has been seen with a sequence number of zero and the FIN, URG, and PUSH bits are all set.
  NULL scan: A TCP packet has been seen with a sequence number of zero and all control bits are set to zero.
  FIN scan: A hacker is scanning the target system using a “stealth” method. The goal of the hacker is to find out if they can connect to the system without really connecting, using the “FIN” scanning. It attempts to close a non-existent connection on the server. Either way, it is an error, but systems sometimes respond with different error results depending upon whether the desired service is available or not.

Re-assembly: In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.

WinNUKE: Check or un-check this option to enable or disable protection against Winnuke attacks. Some older versions of the Microsoft Windows OS are vulnerable to this attack. If the computers in the LAN are not updated with recent versions/patches, you are advised to enable this protection by checking this check box.
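The XMAS and NULL criteria from the table above, turned into a detection routine over raw TCP headers. This is an added example, not code from the manual or the RX3042H firmware; the FIN rule, the `known_flows` set of (source port, destination port) pairs and the sample headers built by `make_header` are assumptions constructed for illustration.

```python
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
XMAS_BITS = FIN | PSH | URG


def make_header(sport, dport, seq, flags):
    """Build a constructed 20-byte TCP header (no options) as sample input."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (5 << 12) | flags, 1024, 0, 0)


def parse_tcp(header):
    """Return (src_port, dst_port, seq, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, seq, off_flags & 0x3F  # low six bits: URG..FIN


def classify(header, known_flows=frozenset()):
    """Label a segment "XMAS", "NULL" or "FIN", or return None.

    XMAS and NULL follow the manual's wording (sequence number zero).
    FIN is an assumption: a bare FIN for a flow that is not in
    known_flows, a hypothetical stand-in for the connection table.
    """
    sport, dport, seq, flags = parse_tcp(header)
    if seq == 0 and (flags & XMAS_BITS) == XMAS_BITS:
        return "XMAS"
    if seq == 0 and flags == 0:
        return "NULL"
    if flags == FIN and (sport, dport) not in known_flows:
        return "FIN"
    return None


def scan_report(headers, known_flows=frozenset()):
    """Count suspicious segments per scan type for a batch of headers."""
    counts = {}
    for h in headers:
        label = classify(h, known_flows)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts
```

A real connection table is keyed on the full address and port 4-tuple; ports alone are used here only because the routine sees just the TCP header.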
9.3.2.2 Configuring DoS Settings

To configure DoS settings, follow the instructions below:

1. Open the Firewall General configuration page as shown in Figure 9.3 by clicking on Firewall -> Security menu.
2. Check or uncheck the individual check box for each type of DoS protection.
3. Click Apply to save the settings.

Figure 9.3. Firewall General Configuration Page

9.4 ACL Rule Configuration Parameters

9.4.1 ACL Rule Configuration Parameters

Table 9.3 describes the configuration parameters for firewall inbound, outbound and self-access ACL rules.
Table 9.3. ACL Rule Configuration Parameters

Field: Description

Filter Direction: Choose the available option from the drop-down list to configure the ACL. For dual-WAN configuration, two options are available: LAN -> WAN and WAN -> LAN. For WAN + DMZ configuration, six options are available: LAN -> WAN, WAN -> LAN, LAN -> DMZ, DMZ -> LAN, WAN -> DMZ and DMZ -> WAN.

ID
  Add New: Click on this option to add a new ACL rule.
  Rule Number: Select a rule from the drop-down list to modify its settings.

Move to: This option allows you to set a priority for this rule. The RX3042H Firewall acts on packets based on the priority of the rules. Set a priority by specifying a number for its position in the list of rules:
  1 (First): This number marks the highest priority.
  Other numbers: Select other numbers to indicate the priority you wish to assign to the rule.

Log: Click on the “Enable” or “Disable” radio button to enable or disable logging for this ACL rule.

Action
  Allow: Select this button to configure the rule as an allow rule. This rule when bound to the Firewall will allow matching packets to pass through.
  Deny: Select this button to configure the rule as a deny rule. This rule when bound to the Firewall will not allow matching packets to pass through.

Route to: Keep the setting to “AUTO” unless packets are routed to a specific interface. Available options include AUTO, eth1 (WAN1), eth2 (WAN2), PPP1 (WAN1-unnumbered), PPP1 (WAN2-unnumbered), PPP3 (WAN1-PPPoE1), PPP4 (WAN1-PPPoE2), PPP5 (WAN2-PPPoE1), PPP6 (WAN2-PPPoE2). If the WAN interface is set to DMZ mode, only AUTO, eth1, PPP1/3/4 are available. These options are selectable from the drop-down list. If AUTO is selected, the router will route the packets based on the information in the routing table.
NAT
  None: Select this option if you don't intend to use NAT in this ACL rule.
  IP Address: Select this option to specify the IP address of the you want the outgoing traffic to use as the source IP address. Note this option is called.
  Auto: RX3042H automatically uses the IP address of the interface that the traffic is to be forwarded as the source IP address. It is recommended that you select this option if NAT is to be used for outgoing traffic.

Source: This option allows you to set the source network to which this rule should apply. Use the drop-down list to select one of the following options:
  Any: This option allows you to apply this rule to all the computers in the source network, such as those on the Internet for the inbound traffic or all the computers in the local network for outbound traffic.
  IP Address: This option allows you to specify an IP address on which this rule will be applied.
    IP Address: Specify the appropriate network address.
  Subnet: This option allows you to include all the computers that are connected in an IP subnet. When this option is selected, the following fields become available:
    Address: Enter the appropriate IP address.
    Mask: Enter the corresponding subnet mask.
  MAC Address: This option allows you to specify a MAC address on which this rule will be applied.
    MAC: Enter the desired MAC address.

Destination: This option allows you to set the destination network to which this rule should apply. Use the drop-down list to select one of the following options:
  Any: This option allows you to apply this rule to all the computers in the local network for inbound traffic or any computer in the Internet for outbound traffic.
  IP Address, Subnet: Select any of these options and enter details as described in the Source IP section above.

Service: Select a service, from the drop-down list, to which this rule should apply. If the desired service is not listed, click on the Edit button to create a new service.

Time: Select a time slot during which this rule should apply.
  Enable: Check this box if you want to activate the ACL rule at the time specified.
  Date and Time: Check the desired dates and time for this ACL rule.

Table 9.4. Service Configuration Parameters

Field: Description

Service Name: Enter a distinctive name identifying the new service.

Protocol: Select a protocol type from the drop-down list. Available options are All, TCP, UDP, ICMP, IGMP, AH, ESP and TCP/UDP.

Port Range: This option allows you to set the destination port to which this rule should apply. Use the drop-down list to select one of the following options:
  Any: Select this option if you want this rule to apply to all applications with an arbitrary source port number.
  Single: This option allows you to apply this rule to an application with a specific source port number.
    Port Number: Enter the source port number.
  Range: Select this option if you want this rule to apply to applications with this port range. The following fields become available for entry when this option is selected.
    Start Port: Enter the starting port number of the range.
    End Port: Enter the ending port number of the range.
This option allows you to select the ICMP message type for the service. The supported ICMP message types are:
• Any (default)
• 0: Echo reply
• 1: Type 1
• 2: Type 2
• 3: Dst unreach: destination unreachable
• 4: Src quench: source quench
• 5: Redirect
• 6: Type 6
• 7: Type 7
• 8: Echo req:
• 9: Router advertisement
• 10: Router solicitation
• 11: Time exceed: time exceeded
• 12: Parameter problem
• 13: Timestamp request
• 14: Timestamp reply
• 15: Info request: information request
• 16: Info reply: information reply
• 17: Addr mask req: address mask request
• 18: Addr mask reply: address mask reply

9.5 Configuring ACL Rules – (Firewall -> ACL)

By creating ACL rules in the ACL configuration page as shown in Figure 9.4, you can perform access control (allow or deny) to both the trusted and un-trusted networks. Options in this configuration page allow you to:
• Add a rule, and set parameters for it
• Modify an existing rule
• Delete an existing rule
• View configured ACL rules
Figure 9.4. ACL Configuration Page

9.5.1 Add an ACL Rule

To add an ACL rule, follow the instructions below:

1. Open the ACL Rule configuration page, as shown in Figure 9.4, by clicking Firewall -> ACL menu.
2. Select an option from the “Filter Direction” drop-down list. For example, if you want to create an ACL to filter traffic originating from the LAN and destined for the WAN, then choose the LAN -> WAN option.
3. Select Add New from the “ID” drop-down list.
4. Set the desired action (Allow or Deny) from the Action drop-down list.
5. Select from the Route To drop-down list if you intend to direct the traffic to a specific interface. Choose AUTO if you want to have RX3042H route the traffic automatically.
6. Choose the NAT type and enter the required information for the selected NAT type.
7. Make changes to any or all of the following fields: source/destination IP, service, time and log. Please see Table 9.3 for explanation of these fields.
8. Assign a priority for this rule by selecting a number from the Move to drop-down list. Note that the number indicates the priority of the rule with 1 being the highest. Higher priority rules will be examined prior to the lower priority rules by the firewall.
9. Click on the Add button to create the new ACL rule. The new ACL rule will then be displayed in the inbound access control list table at the bottom half of the Inbound ACL Configuration page.

Figure 9.5 illustrates how to create a rule to deny outbound HTTP traffic originating from the host with IP address 192.168.1.129.

Figure 9.5. ACL Configuration Example

Figure 9.6. Sample ACL List Table
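Why the "Move to" position in step 8 matters for the Figure 9.5 rule, shown as a small model of ordered rule evaluation. This is an added example, not RX3042H code: it assumes the first matching rule decides the action (the manual only says higher-priority rules are examined first) and that the service port is the destination port; the `Rule` fields, the broad allow rule and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # e.g. "LAN->WAN"
    source: str = "any"     # "any", one IP address, or a subnet in CIDR form
    dest: str = "any"
    protocol: str = "all"   # "all", "tcp", "udp", ...
    dport: object = None    # None = any, int = single, (start, end) = range

def net_match(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port

def move_to(rules, rule, position):
    """Place rule at a 1-based position, as the "Move to" field does."""
    rules.insert(position - 1, rule)

def evaluate(rules, direction, src, dst, protocol, dport):
    """Return (position, action) of the first matching rule, else None."""
    for pos, r in enumerate(rules, start=1):
        if (r.direction == direction and net_match(r.source, src)
                and net_match(r.dest, dst)
                and r.protocol in ("all", protocol)
                and port_match(r.dport, dport)):
            return pos, r.action
    return None  # assumption: the page does not state a default action

def build_rulesets():
    """Constructed rule lists: the deny rule below and above a broad allow."""
    allow_all = Rule("allow", "LAN->WAN")
    deny_http = Rule("deny", "LAN->WAN", source="192.168.1.129",
                     protocol="tcp", dport=80)
    shadowed, effective = [allow_all], [allow_all]
    move_to(shadowed, deny_http, 2)   # lower priority: never reached
    move_to(effective, deny_http, 1)  # highest priority: examined first
    return shadowed, effective
```

With the deny rule at position 2, HTTP from 192.168.1.129 still matches the broad allow at position 1; moving it to position 1 blocks that host's HTTP while other hosts and other ports fall through to the allow rule.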
9.5.2 Modify an ACL Rule

To modify an inbound ACL rule, follow the instructions below:

1. Open the Outbound ACL Rule Configuration Page by clicking Firewall/NAT -> ACL menu.
2. Click on the icon of the rule to be modified in the inbound ACL table or select the rule number from the ID drop-down list.
3. Make desired changes to any or all of the following fields: action, source/destination IP, service, time and log. Please see Table 9.3 for explanation of these fields.
4. Click on the Modify button to modify this ACL rule. The new settings for this ACL rule will then be displayed in the inbound access control list table at the bottom half of the Inbound ACL Configuration page.

9.5.3 Delete an ACL Rule

To delete an inbound ACL rule, click on the icon in front of the rule to be deleted.

9.5.4 Display ACL Rules

To see existing ACL rules, just open the ACL Rule Configuration page by clicking Firewall/NAT -> ACL menu and then select a traffic direction from the Traffic Direction drop-down list.

9.6 Configuring Self-Access ACL Rules – (Firewall/NAT -> Self-Access ACL)

Self-Access rules control access to/from the RX3042H itself. You may use the Self-Access Rule Configuration page, as illustrated in Figure 9.7, to:
• Add a Self-Access rule
• Modify an existing Self-Access rule
• Delete an existing Self-Access rule
• View existing Self-Access rules
9.6.1 Add a Self-Access Rule

To add a Self-Access rule, follow the instructions below:

1. Open the Self-Access Rule Configuration page by clicking Firewall/NAT -> Self-Access ACL menu.
2. Select “Add New” from the “ID” drop-down list.
3. Set desired action (Allow or Deny) from the “Action” drop-down list.
4. Assign a priority for this rule by selecting a number from the “Move to” drop-down list. Note that the number indicates the priority of the rule with 1 being the highest. Higher priority rules will be examined prior to the lower priority rules by the firewall.
5. Make desired changes to any or all of the following fields: source/destination IP, service, time and log. Please see Table 9.3 for explanation of these fields.
6. Click on the “Add” button to create the new Self-Access rule. The new rule will then be displayed in the Existing Self-Access ACL list table at the bottom half of the Self-Access ACL configuration page.

Figure 9.7. Self-Access ACL Configuration Page