Intel Saw 9515 User Manual

DMZ Firewall Solution  
Intel Express Routers 9515, 9525 and 9535  
 
DMZ Firewall Solution for the Express Router  
Table of Contents
1 Introduction .......... 3
1.1 About This Document .......... 3
1.2 References .......... 3
1.3 What is a DMZ .......... 3
1.4 IP Filters in the Express Router .......... 4
2 General Setup and Considerations .......... 4
2.1 IP Address Selection .......... 4
2.2 Routing Setup .......... 5
2.3 DNS Setup .......... 5
2.4 E-mail (SMTP) Setup .......... 5
2.5 FTP Setup .......... 5
2.6 HTTP Setup .......... 5
2.7 News (NNTP) Setup .......... 5
2.8 Management Access Setup .......... 5
3 DMZ Single IP Address Solution .......... 6
3.1 Static Routing Setup .......... 6
3.2 Network Address Translation (NAT) Setup .......... 6
3.3 IP Filters Setup .......... 7
3.3.1 LAN1 Filters .......... 7
3.3.1.1 Receive (Rx) Filters on LAN1 .......... 7
3.3.1.2 Transmit (Tx) Filters on LAN1 .......... 8
3.3.2 LAN2 Filters .......... 10
3.3.2.1 Receive (Rx) Filters on LAN2 .......... 10
3.3.2.2 Transmit (Tx) Filters on LAN2 .......... 12
3.3.3 Internet Connection Filters .......... 13
3.3.3.1 Receive (Rx) Filters on the Connection to the Internet .......... 13
3.3.3.2 Transmit (Tx) Filters on the Connection to the Internet .......... 16
4 DMZ Multiple IP Address Solution .......... 17
4.1 IP Address Assignment .......... 17
4.2 Static Routing Setup .......... 17
4.3 Network Address Translation (NAT) .......... 18
4.4 IP Filters Setup .......... 18
4.4.1 LAN1 Filters .......... 18
4.4.1.1 Receive (Rx) Filters on LAN1 .......... 18
4.4.1.2 Transmit (Tx) Filters on LAN1 .......... 19
4.4.2 LAN2 Filters .......... 21
4.4.2.1 Receive (Rx) Filters on LAN2 .......... 21
4.4.2.2 Transmit (Tx) Filters on LAN2 .......... 24
4.4.3 Internet Connection Filters .......... 24
4.4.3.1 Receive (Rx) Filters on the Connection to the Internet .......... 24
4.4.3.2 Transmit (Tx) Filters on the Connection to the Internet .......... 27
07-12-99  
Version 1.0  
2
 
1 Introduction  
1.1 About This Document  
This document explains how to configure a secure Internet solution using the second LAN
interface of the Intel Express Router as a DMZ. The DMZ setup is explained through two
example solutions, a Single IP Address Solution and a Multiple IP Address Solution.
It is assumed that you have a solid understanding of networking concepts and experience in
using the Express Router.
1.2 References  
[1] Intel Express Router User Guide  
The user guide for your router explains in detail the basic configuration procedures used in  
the set up of the DMZ.  
[2] Brent Chapman, Elizabeth D. Zwicky, "Building Internet Firewalls", 1995, O'Reilly &
Associates. ISBN: 1-56592-124-0
1.3 What is a DMZ  
If your Intel Express Router has two LAN ports, you can set up a DMZ (DeMilitarized Zone)
to increase security on your private network. A DMZ is a network off one of the LAN ports that
acts as a buffer between the external (public Internet) network and your secure network on the
other LAN interface. The DMZ hosts the services that must be reachable from both the external
network and the secure network. These are typically HTTP/FTP (Web) servers for public
access, an HTTP/FTP proxy server, an SMTP server and a News (proxy) server. Mail servers and
News servers for internal use are placed on the secure network. Through the use of IP filters, you
prohibit access from the Internet to your secure network while still providing access to services
on the DMZ.
Figure: example DMZ topology. The Demilitarized Zone (network 192.168.151.0) is attached to the
LAN2 port and holds the HTTP/FTP (Web) server, the HTTP/FTP proxy server, the News proxy server
and the SMTP server. The main LAN (network 192.168.152.0) is attached to the LAN1 port and holds
the file server, the mail server and the users' PCs. Internet users are allowed to access your
Web and FTP servers; IP filters on the router block unwanted traffic destined to the main LAN.
The purpose of this setup is to prohibit any direct data transmission between the Internet and the  
secure network. All data must go through proxy servers on the DMZ.  
We recommend that you set up the DMZ on the LAN2 (10 Mbps) port and your secure network  
on the LAN1 (100/10 Mbps) port.  
This document provides two DMZ solutions when connecting to the Internet, one using a single  
external IP address and the other using a number of IP addresses (at least four IP addresses are  
needed, including network identification and broadcast address).  
Note: Solutions using dynamic address assignment by the ISP are not supported.  
1.4 IP Filters in the Express Router  
IP filters in the Express Router are defined on a link basis. Separate filters are configured for  
received data (data packets from a link to the router) and transmitted data (data packets from the  
router to a link). Use the diagram below to help determine the direction of data with respect to the  
router and the types of filter required (Rx or Tx).  
Figure: direction of data with respect to the router. On each link (LAN1, LAN2 and the Internet
connection), Rx is data received by the router from the link and Tx is data transmitted by the
router onto the link.
Tx - transmitted data
Rx - received data
2 General Setup and Considerations  
2.1 IP Address Selection  
The IP addresses on the secure network and the DMZ network can be any valid IP addresses, but  
we recommend that you use designated private IP addresses or registered IP addresses. Private IP  
addresses are those addresses included under Class A network 10, Class B networks 172.16  
through 172.31, and Class C networks 192.168.0 through 192.168.255. Registered public IP  
addresses are provided by your Internet service provider (ISP). Using registered IP addresses on  
the DMZ network avoids conflicts with duplicate addresses on the Internet. On the secure  
network it is preferable to use designated private IP addresses. However, if you already have  
unregistered public IP addresses on your private network (for example 89.20.0.0 and 90.2.0.0),  
you must use Network Address Translation (NAT) to translate these addresses to private IP  
addresses.  
For the single IP address solution, NAT is needed to map the network services from one public IP  
address to one or more private IP addresses on the DMZ network. This makes it possible to have  
several public servers on DMZ using the same public IP address.  
2.2 Routing Setup  
Do not use RIP on the WAN interface or the DMZ interface. This prevents intruders from  
corrupting the routing table.  
If there is more than one internal network, the router must not be used as primary gateway  
because the router configuration only allows the router to forward packets to the DMZ network.  
2.3 DNS Setup  
Some of the services on the DMZ network require external DNS queries. The most common mail  
solution is to have a domain with an "MX" record and an "A" record pointing to the SMTP server  
on the DMZ network. The DNS server is normally maintained and hosted by the ISP. The  
solutions provided in this document do not support a DNS server on the DMZ network.  
For more details about DNS please refer to [2].  
2.4 E-mail (SMTP) Setup  
Locate an SMTP server on the DMZ network to communicate with any host on the Internet and  
an internal E-mail server on the secure network. Configure the SMTP server to use an MX record  
in order to send the mail direct to the destination SMTP server.  
2.5 FTP Setup  
An HTTP/FTP proxy server on the DMZ network must use passive FTP for connections to the
Internet; otherwise the filters will block the FTP data channel, which runs on port 20. Because
the HTTP/FTP proxy is an application proxy, it needs DNS to resolve fully qualified domain
names into IP addresses.
2.6 HTTP Setup  
An HTTP/FTP proxy normally runs on port 80 or 8080; the filter settings in the following
setups are based on port 80. Because the HTTP/FTP proxy is an application proxy, it needs DNS
to resolve fully qualified domain names into IP addresses.
2.7 News (NNTP) Setup  
If you are using a News (NNTP) server on your secure network, it is required that you locate a  
News (proxy) server on the DMZ. With this setup, the News server on the secure network  
communicates with the News (proxy) server on the DMZ which, in turn, communicates with an  
external News server on the Internet. The advantage of this setup is that all private news groups  
are placed on the internal server, protected from the Internet.  
2.8 Management Access Setup  
To ensure security, you must disable management access (SNMP, Telnet, and TFTP)  
on the WAN (Internet) link and the LAN2 (DMZ) link. For additional security, disable  
management access on the LAN1 link also. With this setup, all management tasks can  
only be performed from the console port.  
3 DMZ Single IP Address Solution  
This solution explains how to set up a DMZ solution when the Internet service provider (ISP) has  
assigned a single IP address to your network.  
Figure: single IP address solution. DMZ (10.2.0.0) on the LAN2 port (10.2.0.10): HTTP/FTP (Web)
server 10.2.0.1, HTTP/FTP proxy server 10.2.0.2, SMTP server 10.2.0.3, News (proxy) server
10.2.0.4. Secure LAN (10.5.0.0) on the LAN1 port (10.5.0.10): Mail server 10.5.0.1, News server
10.5.0.2, users. On the Internet: DNS server 194.25.6.4 and News (NNTP) server 196.24.5.8.
In the example, the DMZ network connects to the LAN2 port and is on the 10.2.0.0/16 subnet.  
The LAN2 port has been assigned an IP address of 10.2.0.10. The secure private network  
connects to the LAN1 port and is on the 10.5.0.0/16 subnet. The LAN1 port has been assigned an  
IP address of 10.5.0.10.  
Note: The services available on the DMZ can be placed on a single server. If this is done, you  
must configure NAT entries and filters accordingly.  
3.1 Static Routing Setup  
Configure static routing as follows:  
Configure static routing on the Internet connection, LAN1, and LAN2. This is done in  
Advanced Setup by setting the Routing Protocol parameter to None/Static.  
Define a static route on the WAN interface to the Internet. Use the default static route setting  
(network address of 0.0.0.0 and netmask 0.0.0.0) as shown in the example below.  
3.2 Network Address Translation (NAT) Setup  
The devices on the DMZ have been assigned private IP addresses. You must set up NAT to  
translate the private IP addresses on the DMZ to the external IP address assigned by the ISP. This  
will map services (i.e. port numbers) on the external IP address to servers on the DMZ.  
Note: The order of the NAT entries is important.
NAT entries are defined as follows:

Entry 1: Directs all incoming HTTP requests to the Web server.
  Mapping type: Static Port (Single IP)
  Internal address: 10.2.0.1
  Internal port: 80
  External IP address: <IP address from ISP>
  External port: 80

Entry 2: Directs all incoming FTP requests to the Web server.
  Mapping type: Static Port (Single IP)
  Internal address: 10.2.0.1
  Internal port: 21
  External IP address: <IP address from ISP>
  External port: 21

Entry 3: Directs all incoming SMTP requests to the SMTP server.
  Mapping type: Static Port (Single IP)
  Internal address: 10.2.0.3
  Internal port: 25
  External IP address: <IP address from ISP>
  External port: 25

Entry 4: Directs all incoming NNTP requests to the News server.
  Mapping type: Static Port (Single IP)
  Internal address: 10.2.0.4
  Internal port: 119
  External IP address: <IP address from ISP>
  External port: 119

Entry 5: Directs all other incoming traffic to the DMZ.
  Mapping type: Network to single IP
  Internal address: 10.2.0.0
  External IP address: <IP address from ISP>
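The following script is an added example (not part of the Intel manual) that models the five NAT entries above as a first-match table, so the ordering note can be checked: with the catch-all entry 5 moved to the top, the port-specific entries 1 to 4 would never be consulted. The external address is a constructed placeholder, and first-match evaluation and the catch-all behaviour of "Network to single IP" are assumptions.

```python
"""First-match model of the inbound NAT table in section 3.2 (added example,
not the manual's own code).  The mapping-type names are the manual's; the
first-match walk and the catch-all behaviour of "Network to single IP" are
assumptions made to illustrate the ordering note."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ISP_IP = "203.0.113.10"  # constructed stand-in for <IP address from ISP>


@dataclass(frozen=True)
class NatEntry:
    function: str
    mapping: str                       # "Static Port (Single IP)" or "Network to single IP"
    internal: str                      # host address, or network address for the catch-all
    external: str
    internal_port: Optional[int] = None
    external_port: Optional[int] = None


# The five entries of section 3.2, in the order the manual lists them.
NAT_TABLE: List[NatEntry] = [
    NatEntry("HTTP to Web server", "Static Port (Single IP)", "10.2.0.1", ISP_IP, 80, 80),
    NatEntry("FTP to Web server", "Static Port (Single IP)", "10.2.0.1", ISP_IP, 21, 21),
    NatEntry("SMTP to SMTP server", "Static Port (Single IP)", "10.2.0.3", ISP_IP, 25, 25),
    NatEntry("NNTP to News server", "Static Port (Single IP)", "10.2.0.4", ISP_IP, 119, 119),
    NatEntry("All other traffic to DMZ", "Network to single IP", "10.2.0.0", ISP_IP),
]


def translate_inbound(table: List[NatEntry], dst_ip: str, dst_port: int) -> Tuple[str, int, str]:
    """Return (internal address, internal port, entry name) for an Internet packet
    addressed to dst_ip:dst_port.  The first entry that applies wins."""
    for e in table:
        if e.external != dst_ip:
            continue
        if e.mapping == "Static Port (Single IP)" and dst_port == e.external_port:
            return e.internal, e.internal_port, e.function
        if e.mapping == "Network to single IP":   # assumed: claims every remaining packet
            return e.internal, dst_port, e.function
    raise LookupError(f"no NAT entry for {dst_ip}:{dst_port}")


def shadowed(table: List[NatEntry]) -> List[str]:
    """Names of entries that can never be reached because a catch-all sits above them:
    the check behind the manual's note that the order of the NAT entries matters."""
    catch_all_seen = False
    out = []
    for e in table:
        if catch_all_seen and e.mapping == "Static Port (Single IP)":
            out.append(e.function)
        if e.mapping == "Network to single IP":
            catch_all_seen = True
    return out


if __name__ == "__main__":
    print(translate_inbound(NAT_TABLE, ISP_IP, 25))
    wrong_order = [NAT_TABLE[-1]] + NAT_TABLE[:-1]   # catch-all entry placed first
    print(shadowed(wrong_order))
```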
3.3 IP Filters Setup  
This section describes the required IP filters for the LAN1, LAN2 and connection to the Internet.  
3.3.1 LAN1 Filters  
3.3.1.1 Receive (Rx) Filters on LAN1  
Configure these receive filters for the LAN1 port, shown as they appear in Advanced Setup.  
Filters are defined as follows:

Default Action: Discard (prohibits users on the secure network access to the Internet)

Filter 1: Allows access to the HTTP/FTP proxy server on the DMZ.
  Action: Pass
  Protocol: All
  Dest. address type: Host
  Dest. address: 10.2.0.2
  Src. address type: All

Filter 2: Allows access to the SMTP server on the DMZ.
  Action: Pass
  Protocol: All
  Dest. address type: Host
  Dest. address: 10.2.0.3
  Src. address type: All

Filter 3: Allows access to the News (proxy) server on the DMZ.
  Action: Pass
  Protocol: All
  Dest. address type: Host
  Dest. address: 10.2.0.4
  Src. address type: All

Filter 4: Allows access to the router from the private LAN.
  Action: Pass
  Protocol: All
  Dest. address type: Host
  Dest. address: <LAN1 IP address>
  Src. address type: All
3.3.1.2 Transmit (Tx) Filters on LAN1  
Configure these transmit filters for the LAN1 port, shown as they appear in Advanced Setup.  
Filters are defined as follows:

Default Action: Discard (prohibits users on the secure network access to the Internet)

Filter 1: Allows HTTP and FTP (read only using HTTP) from the secure LAN to the HTTP/FTP proxy server on the DMZ.
  Action: Pass
  Protocol: TCP
  TCP flags: ACK
  Dest. address type: All
  Dest. port: > 1023
  Src. address type: Host
  Src. address: 10.2.0.2
  Src. port: = 80

Filters 2 and 3: Allows FTP (only passive connections) from the secure LAN to the FTP proxy server on the DMZ (see note 1). Two filters are required.
  Filter 2
    Action: Pass
    Protocol: TCP
    TCP flags: ACK
    Dest. address type: All
    Dest. port: > 1023
    Src. address type: Host
    Src. address: 10.2.0.2
    Src. port: = 21
  Filter 3
    Action: Pass
    Protocol: TCP
    TCP flags: ACK
    Dest. address type: All
    Dest. port: > 1023
    Src. address type: Host
    Src. address: 10.2.0.2
    Src. port: > 1023

Filter 4: Allows incoming mail (SMTP) from the DMZ to the secure LAN.
  Action: Pass
  Protocol: TCP
  TCP flags: All
  Dest. address type: Host
  Dest. address: 10.5.0.1
  Dest. port: = 25
  Src. address type: Host
  Src. address: 10.2.0.3
  Src. port: > 1023

Filter 5: Allows outgoing mail (SMTP) from the secure LAN to the DMZ.
  Action: Pass
  Protocol: TCP
  TCP flags: ACK
  Dest. address type: Host
  Dest. address: 10.5.0.1
  Dest. port: > 1023
  Src. address type: Host
  Src. address: 10.2.0.3
  Src. port: = 25

Filter 6: Allows incoming News (NNTP) from the DMZ to the secure LAN (see note 2).
  Action: Pass
  Protocol: TCP
  TCP flags: All
  Dest. address type: Host
  Dest. address: 10.5.0.2
  Dest. port: = 119
  Src. address type: Host
  Src. address: 10.2.0.4
  Src. port: > 1023

Filter 7: Allows outgoing News (NNTP) to the DMZ from the secure LAN.
  Action: Pass
  Protocol: TCP
  TCP flags: ACK
  Dest. address type: Host
  Dest. address: 10.5.0.2
  Dest. port: > 1023
  Src. address type: Host
  Src. address: 10.2.0.4
  Src. port: = 119

Filter 8: Sends all packets generated by the router to the secure LAN (LAN1).
  Action: Pass
  Protocol: TCP
  TCP flags: All
  Dest. address type: All
  Dest. port: All
  Src. address type: Host
  Src. address: <LAN1 IP address>
  Src. port: All
Note 1: Some proxy servers, such as Microsoft Proxy* 2.0, do not support FTP proxy using the  
FTP protocol. For upload and download using a special FTP program like WS_FTP*, an  
additional FTP proxy on DMZ is required. This proxy server normally runs on port 21 and has to  
support passive FTP. If download from an Internet browser is sufficient, the two filters are not  
required.  
Note 2: The filter is not required when using a News proxy server on DMZ.  
3.3.2 LAN2 Filters  
3.3.2.1 Receive (Rx) Filters on LAN2  
Configure these receive filters for the LAN2 port, shown as they appear in Advanced Setup.  
Filters are defined as follows:

Default Action: Pass (passes all packets destined for the DMZ)

Filter 1: Prevents RIP updates from entering the DMZ network.
  Action: Discard
  Protocol: UDP
  Dest. address type: All
  Dest. port: RIP
  Src. address type: All
  Src. port: All

Filter 2: Prevents tunnel packets from entering the DMZ network.
  Action: Discard
  Protocol: TCP
  Dest. address type: All
  Dest. port: Tunnel
  Src. address type: All
  Src. port: All

Filters 3, 4 and 5: Prevents RSVP packets from entering the DMZ network/router. Three separate filters are required.
  Filter 3
    Action: Discard
    Protocol: RSVP
    Dest. address type: All
    Dest. port: All
    Src. address type: All
    Src. port: All
  Filter 4
    Action: Discard
    Protocol: UDP
    Dest. address type: All
    Dest. port: = 1698
    Src. address type: All
    Src. port: All
  Filter 5
    Action: Discard
    Protocol: UDP
    Dest. address type: All
    Dest. port: = 1699
    Src. address type: All
    Src. port: All

Filter 6: Prevents BootP updates from entering the DMZ network/router.
  Action: Discard
  Protocol: UDP
  Dest. address type: All
  Dest. port: = 67
  Src. address type: All
  Src. port: All

Filter 7: Prevents Syslog updates from entering the DMZ network/router.
  Action: Discard
  Protocol: UDP
  Dest. address type: All
  Dest. port: = 514
  Src. address type: All
  Src. port: All

Filter 8: Discards all packets that spoof (or fake) the IP address of the router on LAN1. This is necessary since these packets would otherwise pass the Tx filter on LAN1.
  Action: Discard
  Protocol: UDP
  Dest. address type: All
  Dest. port: All
  Src. address type: Host
  Src. address: <LAN1 IP address>
  Src. port: All

Filter 9: Discards all ICMP packets entering the DMZ network. This prevents the router from reporting the IP netmask.
  Action: Discard
  Protocol: ICMP
  Dest. address type: All
  Src. address type: All

Filters 10 to 13: Discards all packets to open router ports. Four filters are required.
  Filter 10
    Action: Discard
    Protocol: UDP
    Dest. address type: Host
    Dest. address: <LAN1 IP address>
    Dest. port: All
    Src. address type: All
    Src. port: All
  Filter 11
    Action: Discard
    Protocol: UDP
    Dest. address type: Host
    Dest. address: <LAN2 IP address>
    Dest. port: All
    Src. address type: All
    Src. port: All
  Filter 12
    Action: Discard
    Protocol: TCP
    TCP flags: All
    Dest. address type: Host
    Dest. address: <LAN1 IP address>
    Dest. port: All
    Src. address type: All
    Src. port: All
  Filter 13
    Action: Discard
    Protocol: TCP
    TCP flags: All
    Dest. address type: Host
    Dest. address: <LAN2 IP address>
    Dest. port: All
    Src. address type: All
    Src. port: All
3.3.2.2 Transmit (Tx) filters on LAN2  
To pass all packets transmitted from the DMZ, set the default action to Pass.  
3.3.3 Internet Connection Filters  
3.3.3.1 Receive (Rx) Filters on the connection to the Internet  
Configure these receive filters for the Internet connection, shown as they appear in Advanced  
Setup.  
Filters are defined as follows:

Default Action: Discard (prohibits users on the secure network from accessing the Internet)

Filter 1: Allows HTTP from the Internet to the HTTP/FTP server on the DMZ.
  Action: Pass
  Protocol: TCP
  TCP flags: All
  Dest. address type: Host
  Dest. address: 10.2.0.1
  Dest. port: = 80
  Src. address type: All
  Src. port: > 1023

Filters 2, 3 and 4: Allows FTP (both active and passive) from the Internet to the HTTP/FTP server on the DMZ. Three filters are required.
  Filter 2
    Action: Pass
    Protocol: TCP
    TCP flags: All
    Dest. address type: Host
    Dest. address: 10.2.0.1
    Dest. port: = 21
    Src. address type: All
    Src. port: > 1023
  Filter 3
    Action: Pass
    Protocol: TCP
    TCP flags: ACK
    Dest. address type: Host
    Dest. address: 10.2.0.1
    Dest. port: = 20
    Src. address type: All
    Src. port: > 1023
  Filter 4
    Action: Pass
    Protocol: TCP
    TCP flags: All
    Dest. address type: Host
    Dest. address: 10.2.0.1
    Dest. port: > 1023
    Src. address type: All
    Src. port: > 1023

Filter 5: Allows external ping to the HTTP/FTP server on the DMZ.
  Action: Pass
  Protocol: ICMP
  Dest. address type: Host
  Dest. address: 10.2.0.1
  Src. address type: All

Filter 6: Allows external HTTP from the HTTP/FTP proxy on the DMZ.
  Action: Pass
  Protocol: TCP
  TCP flags: ACK
  Dest. address type: Host
  Dest. address: 10.2.0.2
  Dest. port: > 1023
  Src. address type: All
  Src. port: = 80

Filters 7 and 8: Allows external FTP from the HTTP/FTP proxy server on the DMZ (see note 1). Two filters are required.
  Filter 7
    Action: Pass
    Protocol: TCP
    TCP flags: ACK
    Dest. address type: Host
    Dest. address: 10.2.0.2
    Dest. port: > 1023
    Src. address type: All
    Src. port: = 21
  Filter 8
    Action: Pass
    Protocol: TCP
    TCP flags: ACK
    Dest. address type: Host
    Dest. address: 10.2.0.2
    Dest. port: > 1023
    Src. address type: All
    Src. port: > 1023

Filters 9 and 10: Allows DNS reply to the HTTP/FTP proxy server on the DMZ. Two filters are required.
  Filter 9
    Action: Pass
    Protocol: TCP
    TCP flags: ACK
    Dest. address type: Host
    Dest. address: 10.2.0.2
    Dest. port: > 1023
    Src. address type: Host
    Src. address: 194.25.6.4
    Src. port: = 53
  Filter 10
    Action: Pass
    Protocol: UDP
    Dest. address type: Host
    Dest. address: 10.2.0.2
    Dest. port: > 1023
    Src. address type: Host
    Src. address: 194.25.6.4
    Src. port: = 53

Filters 11 and 12: Allows DNS reply to the SMTP server on the DMZ. Two filters are required.
  Filter 11
    Action: Pass
    Protocol: TCP
    TCP flags: ACK
    Dest. address type: Host
    Dest. address: 10.2.0.3
    Dest. port: > 1023
    Src. address type: Host
    Src. address: 194.25.6.4
    Src. port: = 53
  Filter 12
    Action: Pass
    Protocol: UDP
    Dest. address type: Host
    Dest. address: 10.2.0.3
    Dest. port: > 1023
    Src. address type: Host
    Src. address: 194.25.6.4
    Src. port: = 53

Filter 13: Allows incoming mail (SMTP) from any host on the Internet to the DMZ.
  Action: Pass
  Protocol: TCP
  TCP flags: All
  Dest. address type: Host
  Dest. address: 10.2.0.3
  Dest. port: = 25
  Src. address type: All
  Src. port: > 1023

Filter 14: Allows outgoing mail (SMTP) to any host on the Internet from the DMZ.
  Action: Pass
  Protocol: TCP
  TCP flags: ACK
  Dest. address type: Host
  Dest. address: 10.2.0.3
  Dest. port: > 1023
  Src. address type: All
  Src. port: = 25

Filter 15: Allows incoming News (NNTP) from a specified external News server to the DMZ (see note 2).
  Action: Pass
  Protocol: TCP
  TCP flags: All
  Dest. address type: Host
  Dest. address: 10.2.0.4
  Dest. port: = 119
  Src. address type: Host
  Src. address: 196.24.5.8
  Src. port: > 1023

Filter 16: Allows outgoing News (NNTP) to a specified external News server from the DMZ.
  Action: Pass
  Protocol: TCP
  TCP flags: ACK
  Dest. address type: Host
  Dest. address: 10.2.0.4
  Dest. port: > 1023
  Src. address type: Host
  Src. address: 196.24.5.8
  Src. port: = 119
Note 1: Only passive FTP connections are supported. The HTTP/FTP proxy must be configured  
to use a passive FTP connection.  
Note 2: The filter is not required when using a News proxy server on DMZ.  
3.3.3.2 Transmit (Tx) Filters on the Connection to the Internet  
Set the default action to Pass.  
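As an added example (not from the Intel manual), the following Python script models the stateless IP filters of section 1.4 as the tables in sections 3.3.1.2, 3.3.2.1 and 3.3.3.1 describe them, and runs constructed packets through a subset of each rule set to show what the TCP flags ACK entries, the LAN1 anti-spoofing filter and the per-host Internet filters let through. It assumes filters are evaluated top to bottom with the first match winning and the default action applied otherwise; the hosts 10.5.0.7 and 198.51.100.9 and all port numbers in the sample packets are constructed.

```python
"""Model of the Express Router's stateless IP filters (added example, not the
manual's own code).  Assumption: filters are tried top to bottom, the first
match wins, and the default action applies when no filter matches."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "TCP", "UDP" or "ICMP"
    src: str
    sport: Optional[int]  # None for protocols without ports
    dst: str
    dport: Optional[int]
    ack: bool = False     # TCP ACK bit set, i.e. not the first packet of a connection

@dataclass(frozen=True)
class Filter:
    action: str           # "Pass" or "Discard"
    proto: str = "All"    # Protocol column
    flags: str = "All"    # TCP flags column: "All" or "ACK"
    dst: str = "All"      # "All", or a host address (Dest. address type: Host)
    dport: str = "All"    # "All", "= 80", "> 1023"
    src: str = "All"
    sport: str = "All"

def port_ok(rule: str, port: Optional[int]) -> bool:
    """Match a port column written as 'All', '= 25' or '> 1023'."""
    if rule == "All":
        return True
    if port is None:
        return False
    op, _, value = rule.partition(" ")
    return port == int(value) if op == "=" else port > int(value)

def matches(f: Filter, p: Packet) -> bool:
    if f.proto != "All" and f.proto != p.proto:
        return False
    if f.flags == "ACK" and not (p.proto == "TCP" and p.ack):
        return False
    if f.dst != "All" and f.dst != p.dst:
        return False
    if f.src != "All" and f.src != p.src:
        return False
    return port_ok(f.dport, p.dport) and port_ok(f.sport, p.sport)

def verdict(filters: List[Filter], default: str, p: Packet) -> str:
    for f in filters:
        if matches(f, p):
            return f.action
    return default

LAN1_IP = "10.5.0.10"  # the <LAN1 IP address> of the single IP address solution

# Section 3.3.1.2, Tx filters on LAN1: filters 1, 4 and 5 of the table (default Discard).
LAN1_TX = [
    Filter("Pass", "TCP", "ACK", dport="> 1023", src="10.2.0.2", sport="= 80"),
    Filter("Pass", "TCP", "All", dst="10.5.0.1", dport="= 25", src="10.2.0.3", sport="> 1023"),
    Filter("Pass", "TCP", "ACK", dst="10.5.0.1", dport="> 1023", src="10.2.0.3", sport="= 25"),
]
# Section 3.3.2.1, Rx filters on LAN2: filters 8, 9 and 12 of the table (default Pass).
LAN2_RX = [
    Filter("Discard", "UDP", src=LAN1_IP),
    Filter("Discard", "ICMP"),
    Filter("Discard", "TCP", dst=LAN1_IP),
]
# Section 3.3.3.1, Rx filters on the Internet link: filters 1, 3, 6, 10 and 13 (default Discard).
INET_RX = [
    Filter("Pass", "TCP", "All", dst="10.2.0.1", dport="= 80", sport="> 1023"),
    Filter("Pass", "TCP", "ACK", dst="10.2.0.1", dport="= 20", sport="> 1023"),
    Filter("Pass", "TCP", "ACK", dst="10.2.0.2", dport="> 1023", sport="= 80"),
    Filter("Pass", "UDP", dst="10.2.0.2", dport="> 1023", src="194.25.6.4", sport="= 53"),
    Filter("Pass", "TCP", "All", dst="10.2.0.3", dport="= 25", sport="> 1023"),
]

def scenarios() -> Dict[str, str]:
    """Verdicts for constructed packets; 10.5.0.7 and 198.51.100.9 are made-up hosts."""
    user, proxy, smtp, mail, ext = "10.5.0.7", "10.2.0.2", "10.2.0.3", "10.5.0.1", "198.51.100.9"
    return {
        # LAN1 Tx: the proxy's reply to a user's request carries ACK and passes ...
        "proxy reply to user": verdict(LAN1_TX, "Discard", Packet("TCP", proxy, 80, user, 1500, ack=True)),
        # ... but a connection opened from the DMZ side (no ACK) from port 80 is discarded.
        "dmz opens to user": verdict(LAN1_TX, "Discard", Packet("TCP", proxy, 80, user, 1500)),
        "dmz smtp delivers mail": verdict(LAN1_TX, "Discard", Packet("TCP", smtp, 2049, mail, 25)),
        # LAN2 Rx: a DMZ packet claiming the LAN1 router address is dropped on arrival.
        "spoofed LAN1 address": verdict(LAN2_RX, "Pass", Packet("UDP", LAN1_IP, 5000, user, 5000)),
        "dmz icmp to router": verdict(LAN2_RX, "Pass", Packet("ICMP", proxy, None, LAN1_IP, None)),
        "dmz web request out": verdict(LAN2_RX, "Pass", Packet("TCP", proxy, 3000, ext, 80)),
        # Internet Rx: HTTP to the public Web server passes, HTTP to the proxy does not.
        "internet http to web": verdict(INET_RX, "Discard", Packet("TCP", ext, 40000, "10.2.0.1", 80)),
        "internet http to proxy": verdict(INET_RX, "Discard", Packet("TCP", ext, 40000, "10.2.0.2", 80)),
        "dns reply to proxy": verdict(INET_RX, "Discard", Packet("UDP", "194.25.6.4", 53, "10.2.0.2", 3001)),
        "dns reply from elsewhere": verdict(INET_RX, "Discard", Packet("UDP", ext, 53, "10.2.0.2", 3001)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} {result}")
```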
4 DMZ Multiple IP Address Solution  
This solution explains how to set up a DMZ when the ISP supplies you with multiple IP  
addresses. In the example, the ISP has assigned the site a range of IP addresses: 193.84.251.0 to  
193.84.251.7 (subnet mask 255.255.255.248).  
Figure: multiple IP address solution. DMZ (193.84.251.0) on the LAN2 port (193.84.251.5): HTTP/FTP
server 193.84.251.1, HTTP/FTP proxy server 193.84.251.2, SMTP server 193.84.251.3, News server
193.84.251.4. Secure LAN (89.20.0.0) on the LAN1 port (89.20.0.10): Mail server 89.20.0.1, News
server 89.20.0.2, users; a second secure LAN (90.20.0.0) is reached through a Layer 3 switch. On
the Internet: DNS server 194.25.6.4 and News (NNTP) server 196.24.5.8.
Note: The services available on the DMZ can be placed on a single server. If this is done, you  
must configure NAT accordingly.  
The solution does not configure NAT on the WAN interface (connection to the Internet). This  
eliminates problems with protocols that are not supported by the router’s NAT implementation.  
4.1 IP Address Assignment  
The servers on the DMZ network have been assigned official public IP addresses. NAT is not  
required for these addresses. The secure private LAN consists of two networks, 89.20.0.0 and  
90.2.0.0, which are official public IP addresses. You must use NAT to translate these addresses to  
private IP addresses.  
Note: The first and last IP address in the range provided by the ISP must not be used for devices.  
The WAN connection to the Internet must be configured as unnumbered.  
4.2 Static Routing Setup  
Configure static routing as follows:  
Configure static routing on the Internet connection, LAN1, and LAN2. This is done in  
Advanced Setup by setting the Routing Protocol parameter to None/Static.  
Define a static route on the WAN interface to the Internet. Use the default static route setting  
(network address of 0.0.0.0 and netmask 0.0.0.0) as shown in the example below.
4.3 Network Address Translation (NAT)  
Because the secure private networks on LAN1 use public IP addresses (89.20.0.0 and 90.20.0.0),  
configure NAT to translate these addresses to private IP addresses. For example, NAT will  
translate the E-mail server address from 89.20.0.1 to 10.1.0.1, the NNTP server address from  
89.20.0.2 to 10.1.0.2, and the LAN1 address from 89.20.0.10 to 10.1.0.10.  
Note: When adding filter entries, the internal addresses must be used.  
NAT entries are defined as follows:

Entry 1: Translate the internal IP addresses on the network 89.20.0.0 to private IP addresses on 10.1.0.0.
  Mapping type: Static
  Internal address: 10.1.0.0
  Internal mask: 255.255.0.0
  External IP address: 89.20.0.0
  External mask: 255.255.0.0

Entry 2: Translate the internal IP addresses on the network 90.20.0.0 to private IP addresses on 10.2.0.0.
  Mapping type: Static
  Internal address: 10.2.0.0
  Internal mask: 255.255.0.0
  External IP address: 90.20.0.0
  External mask: 255.255.0.0
4.4 IP Filters Setup  
This section describes the required IP filters for the LAN1, LAN2 and connection to the Internet.  
4.4.1 LAN1 Filters  
4.4.1.1 Receive (Rx) Filters on LAN1  
Configure these receive filters for the LAN1 port, shown as they appear in Advanced Setup.  
Filters are defined as follows:

Default Action: Discard (prohibits internal users access to the Internet)

Filter 1: Allows access to the HTTP/FTP proxy server on the DMZ.
  Action: Pass
  Protocol: All
  Dest. address type: Host
  Dest. address: 193.84.251.2
  Src. address type: All

Filter 2: Allows access to the SMTP server on the DMZ.
  Action: Pass
  Protocol: All
  Dest. address type: Host
  Dest. address: 193.84.251.3
  Src. address type: All

Filter 3: Allows access to the News (proxy) server on the DMZ.
  Action: Pass
  Protocol: All
  Dest. address type: Host
  Dest. address: 193.84.251.4
  Src. address type: All

Filter 4: Allows access to the router from the private LAN.
  Action: Pass
  Protocol: All
  Dest. address type: Host
  Dest. address: <LAN1 IP address>
  Src. address type: All
4.4.1.2 Transmit (Tx) Filters on LAN1  
Configure these transmit filters for the LAN1 port, shown as they appear in Advanced Setup.  
Filters are defined as follows:

Filter   Function                                  Settings
Default  Prohibit users on the private network     Default Action:      Discard
         from accessing the Internet.
1        Allows HTTP and FTP (read only using      Action:              Pass
         HTTP) from the secure LAN to the          Protocol:            TCP
         HTTP/FTP proxy server on the DMZ.         TCP flags:           ACK
                                                   Dest. address type:  All
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        193.84.251.2
                                                   Src. port:           = 80
2-3      Allows FTP (only passive connections)     Filter 2:
         from the secure LAN to the FTP proxy      Action:              Pass
         server on the DMZ (see note 1). Two       Protocol:            TCP
         filters are required.                     TCP flags:           ACK
                                                   Dest. address type:  All
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        193.84.251.2
                                                   Src. port:           = 21
                                                   Filter 3:
                                                   Action:              Pass
                                                   Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  All
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        193.84.251.2
                                                   Src. port:           > 1023
4        Allows incoming mail (SMTP) from the      Action:              Pass
         DMZ to the secure LAN.                    Protocol:            TCP
                                                   TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       10.1.0.1
                                                   Dest. port:          25
                                                   Src. address type:   Host
                                                   Src. address:        193.84.251.3
                                                   Src. port:           > 1023
5        Allows outgoing mail (SMTP) from the      Action:              Pass
         secure LAN to the DMZ.                    Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       10.1.0.1
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        193.84.251.3
                                                   Src. port:           25
6        Allows incoming News (NNTP) from the      Action:              Pass
         DMZ to the secure LAN (see note 2).       Protocol:            TCP
                                                   TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       10.1.0.2
                                                   Dest. port:          119
                                                   Src. address type:   Host
                                                   Src. address:        193.84.251.4
                                                   Src. port:           > 1023
7        Allows outgoing News (NNTP) from the      Action:              Pass
         secure LAN to the DMZ.                    Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       10.1.0.2
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        193.84.251.4
                                                   Src. port:           119
8        Sends all packets generated by the        Action:              Pass
         router to the internal LAN (LAN1).        Protocol:            TCP
                                                   TCP flags:           All
                                                   Dest. address type:  All
                                                   Dest. port:          All
                                                   Src. address type:   Host
                                                   Src. address:        <LAN1 IP address>
                                                   Src. port:           All
Note 1: Some proxy servers, such as Microsoft Proxy* 2.0, do not support FTP proxy using the  
FTP protocol. For uploading and downloading using a special FTP program, such as WS_FTP*,  
an additional FTP proxy on DMZ is required. This proxy server normally runs on port 21, and it  
has to support passive FTP. If downloading from an Internet browser is sufficient, the two filters  
are not required.  
Note 2: The filter is not required when using a News proxy server on DMZ.  
4.4.2 LAN2 Filters  
4.4.2.1 Receive (Rx) Filters on LAN2  
Configure these receive filters for the LAN2 port, shown as they appear in Advanced Setup.  
Filters are defined as follows:

Filter   Function                                  Settings
Default  Pass all packets destined for the DMZ.    Default Action:      Pass
1        Prevents RIP updates from entering the    Action:              Discard
         DMZ network.                              Protocol:            UDP
                                                   Dest. address type:  All
                                                   Dest. port:          RIP
                                                   Src. address type:   All
                                                   Src. port:           All
2        Prevents tunnel packets from entering     Action:              Discard
         the DMZ network.                          Protocol:            TCP
                                                   Dest. address type:  All
                                                   Dest. port:          Tunnel
                                                   Src. address type:   All
                                                   Src. port:           All
3-5      Prevents RSVP packets from entering the   Filter 3:
         DMZ network/router. Three separate        Action:              Discard
         filters are required.                     Protocol:            RSVP
                                                   Dest. address type:  All
                                                   Dest. port:          All
                                                   Src. address type:   All
                                                   Src. port:           All
                                                   Filter 4:
                                                   Action:              Discard
                                                   Protocol:            UDP
                                                   Dest. address type:  All
                                                   Dest. port:          1698
                                                   Src. address type:   All
                                                   Src. port:           All
                                                   Filter 5:
                                                   Action:              Discard
                                                   Protocol:            UDP
                                                   Dest. address type:  All
                                                   Dest. port:          1699
                                                   Src. address type:   All
                                                   Src. port:           All
6        Prevents BootP updates from entering      Action:              Discard
         the DMZ network/router.                   Protocol:            UDP
                                                   Dest. address type:  All
                                                   Dest. port:          67
                                                   Src. address type:   All
                                                   Src. port:           All
7        Prevents Syslog updates from entering     Action:              Discard
         the DMZ network/router.                   Protocol:            UDP
                                                   Dest. address type:  All
                                                   Dest. port:          514
                                                   Src. address type:   All
                                                   Src. port:           All
8        Discards all packets that fake the IP     Action:              Discard
         address of the router on LAN1, as         Protocol:            UDP
         these packets are allowed to pass the     Dest. address type:  All
         Tx filter on LAN1.                        Dest. port:          All
                                                   Src. address type:   Host
                                                   Src. address:        <LAN1 IP address>
                                                   Src. port:           All
9-10     Discards all ICMP packets entering the    Filter 9:
         DMZ network. This prevents the router     Action:              Discard
         from reporting the IP netmask. These      Protocol:            ICMP
         filters must include all IP addresses     Dest. address type:  Host
         on the router, including the WAN IP       Dest. address:       <LAN1 IP address>
         address if the router is using            Src. address type:   All
         numbered links. Two filters are           Filter 10:
         required.                                 Action:              Discard
                                                   Protocol:            ICMP
                                                   Dest. address type:  Host
                                                   Dest. address:       <LAN2 IP address>
                                                   Src. address type:   All
11-14    Discards all packets to open router       Filter 11:
         ports. Four filters are required.         Action:              Discard
                                                   Protocol:            UDP
                                                   Dest. address type:  Host
                                                   Dest. address:       <LAN1 IP address>
                                                   Dest. port:          All
                                                   Src. address type:   All
                                                   Src. port:           All
                                                   Filter 12:
                                                   Action:              Discard
                                                   Protocol:            UDP
                                                   Dest. address type:  Host
                                                   Dest. address:       <LAN2 IP address>
                                                   Dest. port:          All
                                                   Src. address type:   All
                                                   Src. port:           All
                                                   Filter 13:
                                                   Action:              Discard
                                                   Protocol:            TCP
                                                   TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       <LAN1 IP address>
                                                   Dest. port:          All
                                                   Src. address type:   All
                                                   Src. port:           All
                                                   Filter 14:
                                                   Action:              Discard
                                                   Protocol:            TCP
                                                   TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       <LAN2 IP address>
                                                   Dest. port:          All
                                                   Src. address type:   All
                                                   Src. port:           All
4.4.2.2 Transmit (Tx) filters on LAN2  
Set the default action to Pass.  
4.4.3 Internet Connection Filters  
4.4.3.1 Receive (Rx) Filters on the Connection to the Internet  
Configure these receive filters for the Internet connection, shown as they appear in Advanced Setup.  
Filters are defined as follows:

Filter   Function                                  Settings
Default  Prohibit users on the secure network      Default Action:      Discard
         from accessing the Internet.
1        Allows HTTP from the Internet to the      Action:              Pass
         HTTP/FTP server on the DMZ.               Protocol:            TCP
                                                   TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.1
                                                   Dest. port:          = 80
                                                   Src. address type:   All
                                                   Src. port:           > 1023
2-4      Allows FTP (both active and passive)      Filter 2:
         from the Internet to the HTTP/FTP         Action:              Pass
         server on the DMZ. Three filters are      Protocol:            TCP
         required.                                 TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.1
                                                   Dest. port:          = 21
                                                   Src. address type:   All
                                                   Src. port:           > 1023
                                                   Filter 3:
                                                   Action:              Pass
                                                   Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.1
                                                   Dest. port:          = 20
                                                   Src. address type:   All
                                                   Src. port:           > 1023
                                                   Filter 4:
                                                   Action:              Pass
                                                   Protocol:            TCP
                                                   TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.1
                                                   Dest. port:          > 1023
                                                   Src. address type:   All
                                                   Src. port:           > 1023
5        Allows external ping to the HTTP/FTP      Action:              Pass
         server on the DMZ.                        Protocol:            ICMP
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.1
                                                   Src. address type:   All
6        Allows external HTTP from the HTTP/FTP    Action:              Pass
         proxy on the DMZ.                         Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.2
                                                   Dest. port:          > 1023
                                                   Src. address type:   All
                                                   Src. port:           = 80
7-8      Allows external FTP from the HTTP/FTP     Filter 7:
         proxy server on the DMZ (see note 1).     Action:              Pass
         Two filters are required.                 Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.2
                                                   Dest. port:          > 1023
                                                   Src. address type:   All
                                                   Src. port:           > 1023
                                                   Filter 8:
                                                   Action:              Pass
                                                   Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.2
                                                   Dest. port:          > 1023
                                                   Src. address type:   All
                                                   Src. port:           = 21
9-10     Allows DNS reply to the HTTP/FTP proxy    Filter 9:
         server on the DMZ. Two filters are        Action:              Pass
         required.                                 Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.2
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        194.25.6.4
                                                   Src. port:           = 53
                                                   Filter 10:
                                                   Action:              Pass
                                                   Protocol:            UDP
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.2
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        194.25.6.4
                                                   Src. port:           = 53
11-12    Allows DNS reply to the SMTP server on    Filter 11:
         the DMZ. Two filters are required.        Action:              Pass
                                                   Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.3
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        194.25.6.4
                                                   Src. port:           = 53
                                                   Filter 12:
                                                   Action:              Pass
                                                   Protocol:            UDP
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.3
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        194.25.6.4
                                                   Src. port:           = 53
13       Allows incoming mail (SMTP) from any      Action:              Pass
         host on the Internet to the DMZ.          Protocol:            TCP
                                                   TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.3
                                                   Dest. port:          = 25
                                                   Src. address type:   All
                                                   Src. port:           > 1023
14       Allows outgoing mail (SMTP) to any        Action:              Pass
         host on the Internet from the DMZ.        Protocol:            TCP
                                                   TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.3
                                                   Dest. port:          > 1023
                                                   Src. address type:   All
                                                   Src. port:           = 25
15       Allows incoming News (NNTP) from a        Action:              Pass
         specified external News server to the     Protocol:            TCP
         DMZ (see note 2).                         TCP flags:           All
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.4
                                                   Dest. port:          = 119
                                                   Src. address type:   Host
                                                   Src. address:        196.24.5.8
                                                   Src. port:           > 1023
16       Allows outgoing News (NNTP) to a          Action:              Pass
         specified external News server from       Protocol:            TCP
         the DMZ.                                  TCP flags:           ACK
                                                   Dest. address type:  Host
                                                   Dest. address:       193.84.251.4
                                                   Dest. port:          > 1023
                                                   Src. address type:   Host
                                                   Src. address:        196.24.5.8
                                                   Src. port:           = 119
Note 1: Only passive FTP connections are supported. The HTTP/FTP proxy must be configured  
to use a passive FTP connection.  
Note 2: The filter is not required when using a News proxy server on DMZ.  
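The two filter tables that carry the security decision, the LAN1 transmit filters of section 4.4.1.2 and the Internet receive filters of section 4.4.3.1, are easier to check when written as data and exercised with sample packets. The following is an added example for both sections; it is not code from the Express Router or from this document. Assumptions made here: filters are checked in table order and the first match decides (the order is immaterial in these two tables, since every filter in a table has the same action and only the default differs); "TCP flags: ACK" matches only segments with the ACK bit set; <LAN1 IP address> is 10.1.0.10, the internal LAN1 address given in section 4.3. The sample hosts 198.51.100.7, 198.51.100.53 and 10.1.0.5, and the names `Filter`, `Packet`, `evaluate` and `audit`, are constructed for this example.

```python
from collections import namedtuple

# Port spec as written in the tables: None = All, an int = exact port ('= 80'), HIGH = '> 1023'.
HIGH = "> 1023"
# proto, flags, dst and src: None stands for 'All'; flags 'ACK' matches only segments
# with the ACK bit set, i.e. replies to a connection the other side opened.
Filter = namedtuple("Filter", "action proto flags dst dport src sport")
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))


def port_ok(spec, port):
    return spec is None or (port > 1023 if spec == HIGH else port == spec)


def matches(f, p):
    return ((f.proto is None or f.proto == p.proto)
            and (f.flags != "ACK" or p.ack)
            and (f.dst is None or f.dst == p.dst) and port_ok(f.dport, p.dport)
            and (f.src is None or f.src == p.src) and port_ok(f.sport, p.sport))


def evaluate(filters, default, p):
    """First matching filter decides; otherwise the table's Default Action applies."""
    return next((f.action for f in filters if matches(f, p)), default)


# Addresses from the document's example network. LAN1_ROUTER stands in for
# <LAN1 IP address>, assumed to be 10.1.0.10 (the internal LAN1 address of section 4.3).
WEB, PROXY, SMTP_DMZ, NEWS_DMZ = "193.84.251.1", "193.84.251.2", "193.84.251.3", "193.84.251.4"
MAIL_LAN, NEWS_LAN, LAN1_ROUTER = "10.1.0.1", "10.1.0.2", "10.1.0.10"
DNS, EXT_NEWS = "194.25.6.4", "196.24.5.8"

# Section 4.4.1.2, transmit filters on LAN1, in table order (Default Action: Discard).
LAN1_TX = [
    Filter("Pass", "TCP", "ACK", None, HIGH, PROXY, 80),          # 1 HTTP replies from proxy
    Filter("Pass", "TCP", "ACK", None, HIGH, PROXY, 21),          # 2 FTP control replies
    Filter("Pass", "TCP", "ACK", None, HIGH, PROXY, HIGH),        # 3 passive FTP data
    Filter("Pass", "TCP", None, MAIL_LAN, 25, SMTP_DMZ, HIGH),    # 4 mail into the LAN
    Filter("Pass", "TCP", "ACK", MAIL_LAN, HIGH, SMTP_DMZ, 25),   # 5 replies to outgoing mail
    Filter("Pass", "TCP", None, NEWS_LAN, 119, NEWS_DMZ, HIGH),   # 6 news into the LAN
    Filter("Pass", "TCP", "ACK", NEWS_LAN, HIGH, NEWS_DMZ, 119),  # 7 replies to outgoing news
    Filter("Pass", "TCP", None, None, None, LAN1_ROUTER, None),   # 8 router-generated packets
]

# Section 4.4.3.1, receive filters on the Internet connection (Default Action: Discard).
INET_RX = [
    Filter("Pass", "TCP", None, WEB, 80, None, HIGH),             # 1 HTTP to the web server
    Filter("Pass", "TCP", None, WEB, 21, None, HIGH),             # 2 FTP control
    Filter("Pass", "TCP", "ACK", WEB, 20, None, HIGH),            # 3 active FTP data replies
    Filter("Pass", "TCP", None, WEB, HIGH, None, HIGH),           # 4 passive FTP data
    Filter("Pass", "ICMP", None, WEB, None, None, None),          # 5 ping to the web server
    Filter("Pass", "TCP", "ACK", PROXY, HIGH, None, 80),          # 6 HTTP replies to proxy
    Filter("Pass", "TCP", "ACK", PROXY, HIGH, None, HIGH),        # 7 passive FTP data to proxy
    Filter("Pass", "TCP", "ACK", PROXY, HIGH, None, 21),          # 8 FTP control replies
    Filter("Pass", "TCP", "ACK", PROXY, HIGH, DNS, 53),           # 9, 10 DNS replies to proxy
    Filter("Pass", "UDP", None, PROXY, HIGH, DNS, 53),
    Filter("Pass", "TCP", "ACK", SMTP_DMZ, HIGH, DNS, 53),        # 11, 12 DNS replies to SMTP
    Filter("Pass", "UDP", None, SMTP_DMZ, HIGH, DNS, 53),
    Filter("Pass", "TCP", None, SMTP_DMZ, 25, None, HIGH),        # 13 incoming mail
    Filter("Pass", "TCP", "ACK", SMTP_DMZ, HIGH, None, 25),       # 14 replies to outgoing mail
    Filter("Pass", "TCP", None, NEWS_DMZ, 119, EXT_NEWS, HIGH),   # 15 incoming news
    Filter("Pass", "TCP", "ACK", NEWS_DMZ, HIGH, EXT_NEWS, 119),  # 16 replies to outgoing news
]


def audit():
    """Decisions for constructed sample traffic (198.51.100.7 = any Internet host,
    10.1.0.5 = a workstation on LAN1); both tables default to Discard."""
    inet, pc = "198.51.100.7", "10.1.0.5"
    cases = {
        "inet: http request to web server":  (INET_RX, Packet("TCP", inet, WEB, 40000, 80)),
        "inet: reply to proxy":              (INET_RX, Packet("TCP", inet, PROXY, 80, 45000, True)),
        "inet: new connection to proxy":     (INET_RX, Packet("TCP", inet, PROXY, 40000, 45000)),
        "inet: reply to lan pc":             (INET_RX, Packet("TCP", inet, pc, 80, 45000, True)),
        "inet: dns reply from other server": (INET_RX, Packet("UDP", "198.51.100.53", PROXY, 53, 45001)),
        "lan1: proxy reply to pc":           (LAN1_TX, Packet("TCP", PROXY, pc, 80, 40000, True)),
        "lan1: proxy opens connection":      (LAN1_TX, Packet("TCP", PROXY, pc, 80, 40000)),
        "lan1: mail delivered to lan":       (LAN1_TX, Packet("TCP", SMTP_DMZ, MAIL_LAN, 3456, 25)),
        "lan1: internet reply to pc":        (LAN1_TX, Packet("TCP", inet, pc, 80, 40000, True)),
        "lan1: router generated":            (LAN1_TX, Packet("TCP", LAN1_ROUTER, pc, 23, 40000)),
    }
    return {name: evaluate(table, "Discard", p) for name, (table, p) in cases.items()}


if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{name:36} {action}")
```

Running `audit()` shows the two properties the tables are built around: a reply addressed to a private LAN host is discarded on both the Internet connection and LAN1, so internal users cannot reach the Internet except through the DMZ proxies, and a DMZ host can answer the LAN (ACK set, source port 80, 21, 25 or 119) but cannot open a connection into it. The ACK test is stateless: it checks one flag bit, not that a connection exists, which is why the document also pins reply filters to specific source ports and, for DNS, to the address of one server (194.25.6.4).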
4.4.3.2 Transmit (Tx) Filters on the Connection to the Internet  
Set the default action to Pass. No individual filters are required.  