Zyxel 650H DSL modem packet filter setting

I would like to set up Zyxel 650H DSL modem as a firewall. I want it
to prevent all PCs in the LAN, except for the Proxy server, to access
the Internet. That is, everyone must go through the Proxy server for
http access.

I started at Filter Set Configuration menu (Menu 21). Then I created
a new Filter Set #. Then I try to create a new rule with these
parameters:
Active=Y
Protocol=6
Source address=10.15.51.11 (The proxy server's IP address)
IP Mask=255.255.255.0
Port=80 (Should it be 0 ???)
Port # Comp=None
Source address=0.0.0.0
IP Mask=255.255.255.255 (Should it be 0.0.0.0 ???)
Port= (Should it be 80 ???)
Port # Comp=None

Some of the settings that we want to try are not accepted. It said --
invalid source address or something like that.

Then we go to LAN setup (Menu 3), then sub menu 1 (LAN port filter
setup), then under OUTPUT filter set (at the protocol filter), we
assign the above filter set to it. This blocks EVERY PC including the
proxy from using http on the Internet.

Does anyone know how to set these things? (Our ISP, DSL prover, and
Zyxel rep don't know how to do it!!!)

Any help will be highly appreciated.
Thanks.
-Art

On 1 Aug 2003 04:37:38 -0700, artw <(E-Mail Removed)> wrote:
> I would like to set up Zyxel 650H DSL modem as a firewall. I want it
> to prevent all PCs in the LAN, except for the Proxy server, to access
> the Internet. That is, everyone must go through the Proxy server for
> http access.
>
> I started at Filter Set Configuration menu (Menu 21). Then I created
> a new Filter Set #. Then I try to create a new rule with these
> parameters:
> Active=Y
> Protocol=6
> Source address=10.15.51.11 (The proxy server's IP address)
> IP Mask=255.255.255.0
> Port=80 (Should it be 0 ???)
> Port # Comp=None
> Source address=0.0.0.0
> IP Mask=255.255.255.255 (Should it be 0.0.0.0 ???)
> Port= (Should it be 80 ???)
> Port # Comp=None
>
> Some of the settings that we want to try are not accepted. It said --
> invalid source address or something like that.
>
> Then we go to LAN setup (Menu 3), then sub menu 1 (LAN port filter
> setup), then under OUTPUT filter set (at the protocol filter), we
> assign the above filter set to it. This blocks EVERY PC including the
> proxy from using http on the Internet.
>
> Does anyone know how to set these things? (Our ISP, DSL prover, and
> Zyxel rep don't know how to do it!!!)



First make a rule to allow the proxy to access the net.

Filter #: X,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
Source: IP Addr= 10.15.51.11
IP Mask= 255.255.255.255
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Forward
Action Not Matched= Check Next Rule


Then deny anyone else on the LAN accessing the web.

Filter #: X,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 80
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Drop
Action Not Matched= Forward

This will deny anyone from accessing the web but if the rule X,1 is
true then x,2 will never get tested so the proxy can pass through OK.

Note its important for the last filter set of the group of filter rules u
use to contain Action Not Matched= Forward, other wise any packets getting
this far will be dropped.

Many thanks for your help. It works well. I can follow the logic of
your two steps and see how it works.

But I don't understand why can't we do it with one rule like this:

Filter #: X,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 80
Port # Comp= Equal
Source: IP Addr= 10.15.51.11
IP Mask= 255.255.255.255
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Forward
Action Not Matched= Drop

Assuming we want to drop everything except port 80 of #11.
When I do this, the #11's browser cannot access the Internet. Is it
because the browser is using other ports in addition to port 80 ???
What's wrong???

Regards,
-Art

Max <(E-Mail Removed)> wrote in message news:<3f2d30e1$0$254$(E-Mail Removed)>.. .
> First make a rule to allow the proxy to access the net.
>
> Filter #: X,1
> Filter Type= TCP/IP Filter Rule
> Active= Yes
> IP Protocol= 6 IP Source Route= No
> Destination: IP Addr= 0.0.0.0
> IP Mask= 0.0.0.0
> Port #=
> Port # Comp= None
> Source: IP Addr= 10.15.51.11
> IP Mask= 255.255.255.255
> Port #=
> Port # Comp= None
> TCP Estab= No
> More= No Log= None
> Action Matched= Forward
> Action Not Matched= Check Next Rule
>
>
> Then deny anyone else on the LAN accessing the web.
>
> Filter #: X,2
> Filter Type= TCP/IP Filter Rule
> Active= Yes
> IP Protocol= 6 IP Source Route= No
> Destination: IP Addr= 0.0.0.0
> IP Mask= 0.0.0.0
> Port #= 80
> Port # Comp= Equal
> Source: IP Addr= 0.0.0.0
> IP Mask= 0.0.0.0
> Port #=
> Port # Comp= None
> TCP Estab= No
> More= No Log= None
> Action Matched= Drop
> Action Not Matched= Forward
>
> This will deny anyone from accessing the web but if the rule X,1 is
> true then x,2 will never get tested so the proxy can pass through OK.
>
> Note its important for the last filter set of the group of filter rules u
> use to contain Action Not Matched= Forward, other wise any packets getting
> this far will be dropped.

On Mon, 04 Aug 2003 00:59:46 -0700, artw wrote:

> Many thanks for your help. It works well. I can follow the logic of your
> two steps and see how it works.
>
> But I don't understand why can't we do it with one rule like this:
>
> Filter #: X,1
> Filter Type= TCP/IP Filter Rule
> Active= Yes
> IP Protocol= 6 IP Source Route= No Destination:
> IP Addr= 0.0.0.0
> IP Mask= 0.0.0.0
> Port #= 80
> Port # Comp= Equal
> Source: IP Addr= 10.15.51.11
> IP Mask= 255.255.255.255
> Port #=
> Port # Comp= None
> TCP Estab= No
> More= No Log= None
> Action Matched= Forward
> Action Not Matched= Drop
>
> Assuming we want to drop everything except port 80 of #11. When I do
> this, the #11's browser cannot access the Internet. Is it because the
> browser is using other ports in addition to port 80 ??? What's wrong???

That should work also, for plain HTTP connections at least. You'll
probably also want to add additional (similar) rules to handle ports 443
(HTTPS) and perhaps 8000 and 8080 (which are commonly used as alternative
ports - but also for publicly-accessible proxies!)

To be honest, if you want to set outbound policies, I don't really think
that ZyXEL's filter is up to the job. It's hard to create a *maintainable*
inbound/outbound policy using only 4 x 6 = 24 rules (maybe the 650 is less
limited than the models I've seen). It's probably worth your while looking
at some of the "professional" firewall products out there - start with
Astaro Security Linux <http://www.astaro.com> and work your way up (if you
feel the need).

Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 <http://www.assursys.com/>