Equipment Support > Hardware By Brand > Westell > Westell 2200 Firewall Rule Explanation Needed

reply to KachiWachi

Re: Westell 2200 Firewall Rule Explanation Needed

Besides those three, there is also a "None" setting with no rules present (basically pass everything), and a "Custom" setting for which you can write whatever you want and save.

Right now I use "Low", since I haven't been able to get things to work at the "Medium" setting, which is Westell's default, but not VOL's (theirs is "None"). I have no ports forwarded, as it doesn't seem to matter for what I am doing at present...though if I do forward them, the grc.com test does show them as "closed" and not "stealth".

What I don't understand is how to open ports from the "inside" to allow certain programs to work. I'm guessing that I would have to write a "custom" firewall profile for that...correct??

Here are some things from their FAQ -

What services are allowed for each security level in the Firewall?

High - This security level only allows basic Internet functionality. Only Mail, News, Web, FTP, and IPSEC are allowed. No other traffic is allowed. Another restriction of high security is that it can't be modified by NAT configuration options. With High security, you are guaranteed to only pass the previously mentioned traffic.

Medium - This security level only allows basic Internet functionality by default. Like High security, Medium security allows customization through NAT configuration, so you can enable the traffic that you want to pass.

Low - The Low security setting will allow all traffic except for known attacks. With Low security, your Router is visible by other computers on the Internet.

Custom - Custom is a very advanced configuration option that allows you to edit the firewall configuration directly. Only the most expert users should attempt this.

Does changing the security level of the Firewall change the level of security of what the outside world or Internet can see?

No, the security level only affects the outbound traffic from within your own LAN. The Service Configuration (port forwarding) is what affects inbound traffic from outside your LAN (the Internet).

What is port forwarding?

It forwards a service through the router to a computer on the LAN. This allow users outside your LAN to access specific computers on your internal network. Typically ports need to be opened for games or special applications such as VPN.

Can the ports be configured on this router?

Yes. The individual ports can be configured for specific services. (i.e. Telnet, FTP, gaming).

What is the Service Configuration menu needed for?

The Service Configuration menu is used to open ports (port forwarding). This will allow inbound unsolicited services (from the Internet) such as Telnet, Webserver, NetMeeting and other programs that require ports to be opened, through the router.

How is a Service or Port added for my specific program?

* Select your NAT profile. If you don't need different NAT profiles setup then choose the Default profile for your account.
* From the Service drop-down menu, select your desired service that want to enable to work through your router.
* Click Enable and OK. This will add the specified service to your list of available that will work through your router.
* Repeat this process until all services or ports are entered that you wish to use.

What if the service I want to add isn't in the list of available services?

* Click the Advanced Configuration link under the Services drop-down menu and choose Custom Service.
* Choose "Port Forwarding Ranges of Ports" and click Next.
* Type the name of the service you want to add; i.e., NetMeeting, PcAnywhere, etc.
* Enter the IP address for the PC that you wish to use the specific service on that is located on your LAN or network.
* Enter the range of ports that you wish to use.
* Select TCP or UDP for the protocol. Your program manufacturer will determine this.
* Click the Next button and the new custom service will show up in your service list.

Here is the Help file that the 2200 provides (please excuse the formatting) -

Packet Filtering Firewall User Manual
 
File/Buffer Format
The RDL file or buffer format is divided into two sections. The
first portion of the file defines any number of keys and associated
values. The second portion contains the filtering rule
definitions.
Key Definition Section
A key definition consists of the key followed by the associated
value. A value is actually a character string. The string is
delimited by the open and close square brackets. An example of a
keyword definition would look like the following.

title [ High security RDL file ]

Filter Condition [, Condition2, ] [
>> Action, Action2, ]

pass   Specifies that the matching
packet is to be passed onto the associated interface or the SENS
MUX.
drop   Specifies that the matching
packet will not be forwarded to the associated interface or the
SENS MUX.

all   Specifies all packets. If the all
condition is specified in a rule, all other conditions are
ignored.
match layer offset
{bit-string[:mask]}   Specifies one or
more explicit bit strings and offsets into the layer header to
compare. This keyword is followed by three parameters. The first
numeric parameter is the header layer, valid values include 2
though 4 (Ethernet = 2, ip = 3, tcp/udp/icmp/igmp = 4). The second
numeric parameter is the offset into the packet to begin the
comparison. T and the third third parameter, is the representation
of the bit string and comparision bit maskitself. The bit stringIt
is delimited with the open and close curly braces ({}). A colon
delimits the bit string and mask. If no mask is provided, a mask
value of all ones is assumed. Each byte of the bit string and mask
is represented by a two character hexadecimal number and is
separated by white space from the previous byte
representation.
from | to [addr ip-addr/:mask] | [port port_n
|port >= port_n | port >= port_n]
   Specifies particular fields (IP address or
TCP/UDP port number) of the IP header. The from keyword
designates the source fields, and the to keyword designates
the destination fields. One or more "A" descriptors of the
fields and their its contents then follows the keyword. A list of
descriptors is to be separated by colon(s). These field
descriptors include addr (IP address), mask (network mask), and
port (TCP or UDP port number).

addr   Specifies the source or
destination IP address field and comparison mask. This keyword
is followed by a IP address in dotted-decimal notation and mask
separated by a forward slash. The mask is a number from 1 to 32
and it signifies how many bits of the IP address are compared.
If no mask is provided, a mask value of 32 is assumed.
port   Specifies the source or
destination UDP/TCP port number. This keyword is followed by the
16 bit port number represented hexadecimal or decimal format.
Using the >= or >= operators allows for matching on ranges
of ports.

protocol tcp | udp | icmp | igmp |
value   Specifies the value of the
protocol field found in the IP header. It is followed by a
parameter that specifies the protocol value. There are built in
keywords for the TCP, UDP, ICMP, and IGMP protocols. If a
different protocol value is required, it may be represented by a
decimal or hexadecimal value between 0 and 255.

tcp   Specifies the TCP protocol.
udp   Specifies the UDP protocol.
icmp   Specifies the ICMP protocol.
igmp   Specifies the IGMP
protocol.

flags urg | ::ack | :: psh | ::rst | ::syn | ::fin
   Specifies some combination of the flag bits
found in the TCP header. The parameters following the keyword
should be represented in a colon delimited list.
igmp-type query |
report   Specifies the IGMP packet type
found in the IGMP header. The report type checks for both
version 1 and version 2 type codes. No check is made by the parser
to verify that the IGMP protocol is specified. So it is up to the
user to include the protocol igmp condition in a rule using
the igmp-type condition.
icmp-type request |
reply   Specifies the ICMP packet type
found in the ICMP header. No check is made by the parser to verify
that the ICMP protocol is specified. So it is up to the user to
include the protocol icmp condition in a rule using the
icmp-type condition.

log  level   Specifies
that the contents of any matching packet header should be recorded
in the log table. The level parameter is a mechanism to
indicate the source of the log entry. This value rule name is
stored with each log entry resulting from this rule. The log may
subsequently be searched or sorted by this valuee rule name. Log
entries appear in the table with a default severity of 0. The
level value is represented by a decimal or hexadecimal
value between 0 and 255.
alert  severity [Alert
text]   Specifies that the contents of any
matching packet header should be recorded oin the log table with
the corresponding severity value and text explanation. Severity is
a decimal number between 0 and 4. The alert text is delimited by
bracketsBrackets delimit the alert text.
done   Specifies that the filtering
engine should stop checking any subsequent rules should this rule
match. This action provides a mechanism to optimize the decision
tree implemented by the filtering engine.
state   Specifies that the TCP/ICMP/IGMP
session (particularly the sequence number in the case of TCP and
the packet type and source/destination addresses and ports in the
case of ICMP and IGMP) associated with this packet will be added
to the state table maintained by the filtering engine. As long as
that session remains in the state table all packets associated
with that session are passed without comparing them to the rules
decision tree. The filtering enginestate table logic maintains the
state of the session with successive packets and closes or times
it out (removes it from the state table) whenever
appropriate.