
Setting up a Symantec Firewall/VPN 100

Getting started with this firewall is fairly simple. By default, the DHCP server is enabled, so as soon as you've turned it on and connected your computer to it, you should get an IP address from the firewall. The DHCP server's default setting is to hand out addresses from 192.168.0.100 through 192.168.0.150 ... Once you have an IP address, it's time to start. Open a web browser and head to 192.168.0.1.

Once you're logged in (check the manual for username and password information), you should change the default password. Click on the "Change Password" link at the bottom of the "General" section, type in a new password twice and click on "Save".

Most ISPs use a DHCP server to hand out IP addresses to their customers. By default, the SFV is set to receive an IP address by this method. Also, some ISPs (such as attbi) use the MAC address of an Ethernet interface to ensure that only authorized clients get an IP address. On the "Main Setup" page, you have the option to enter a MAC address that is already registered with your ISP, thus avoiding having to call your ISP and wait on hold for hours while they register a new MAC address. Other ISPs use an assigned hostname and/or domain name for authentication. If so, enter the information in the "Host name" and "Domain name" fields.

Static IP address

If you have a static IP address from your ISP, then click on the "Static IP & DNS" link and enter the IP information given to you by your ISP. Also, enter more than one IP address for DNS servers ...

Essentially, if you've connected the SFV to your internet connection (cable modem, DSL router or the router provided by your ISP), you should already be connected to the internet.

Wait, there's more...

DHCP server

On the "LAN IP & DHCP" screen, you get to change the IP address and network mask for the SFV, and also the range of IP addresses that the DHCP server gives out. If you make any changes here, make sure that the information is correct! I haven't tried having it hand out IP addresses on a different subnet from the unit, but it's not recommended.

DNS Server info

A couple of things regarding DNS. If you have a static IP address, please enter more than one DNS server. The SFV DHCP server gives out its own IP address as the sole DNS server, and the SFV acts as a DNS proxy, forwarding your requests to the external DNS servers it has gotten either via DHCP or by static entry. On the "Static IP and DNS" page, there's an entry for DNS Gateway IP. If you have an internal DNS server, you can enter the IP address of this server here. The SFV will then forward all DNS requests to this IP address for resolution. Very handy feature. However, be careful not to set your DNS server to forward DNS requests to the SFV, as you'll get into a loop, and nothing will resolve (trust me, I've been there...)

Access control

The SFV uses access groups to grant or deny access to the internet. There are 5 groups, named "group1" through "group4" and "everyone". By default, everyone is a member of the "Everyone" group. Kinda goes without saying. On the "Access Filter" screen, you can specify the filter settings for each group. Depending on your needs, you can be as forgiving or restrictive as you want.

If you don't care, you can set the Group Filters for the "Everyone" group to "No Restrictions", and everyone behind the firewall will have full access to the internet. 

The most restrictive setting would be setting the Group Filters for "Everyone" to "Block all internet Access", and then setting the Group Filters for e.g. "Group1" to "Use packet filters below" and selecting the protocols you want to allow. You can also add up to 5 custom filters for TCP and 5 for UDP. Note that the custom filters are specific to the access group in which you create them. Don't forget to grant them access to DNS... Also note that granting "HTTP" access does not include HTTPS, so unless you add a custom service for port 443, the group will not have access to secure websites!

Adding computers to Access Groups could be somewhat time consuming, as you need to make sure you get all the MAC addresses right. To use this feature, go to the "Host IP and Group" screen. Type in a name for the computer you're adding. If you only have one laptop, "laptop" would be a good choice. Next, enter the MAC address of the network card in the computer. If you want it to always get the same IP address, enter the IP address in the "Reserved IP address" field, and make sure it's inside the range of addresses the DHCP server would hand out. You don't have to use this feature to take advantage of the Access Group features. Next, pick a group, and click "Add". Repeat for all the computers you want to add to groups. If you've already defined the filters for the various groups, the restrictions will already be in place.

One gripe: If HTTP is disallowed, you don't get an error page telling you why the page isn't loading; instead you get the long wait while the browser is attempting to connect, and then the standard "couldn't connect to server" page...
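To make the group-filter behaviour concrete, here is a small model of the evaluation described above (an added Python example, not code from the SFV or its vendor; the MAC address, host name and policy are constructed). It reproduces the two pitfalls the text warns about: a host not added to any group falls into "Everyone", and ticking "HTTP" alone leaves HTTPS blocked until a custom TCP/443 filter is added, with the per-group cap of 5 custom filters per protocol enforced.

```python
from dataclasses import dataclass, field

# Predefined services the page mentions, mapped to (protocol, port).
# Note that "HTTP" is only TCP/80: HTTPS (TCP/443) needs a custom filter.
SERVICES = {"HTTP": ("TCP", 80), "FTP": ("TCP", 21),
            "SMTP": ("TCP", 25), "DNS": ("UDP", 53)}
MAX_CUSTOM = 5  # up to 5 custom TCP and 5 custom UDP filters per group

@dataclass
class GroupFilter:
    mode: str  # "No Restrictions", "Block all" or "Use packet filters"
    services: set = field(default_factory=set)   # predefined services ticked in the GUI
    custom: list = field(default_factory=list)   # (proto, low_port, high_port) entries

    def add_custom(self, proto, low, high):
        """Add a custom filter, enforcing the per-protocol cap of 5."""
        if sum(1 for p, _, _ in self.custom if p == proto) >= MAX_CUSTOM:
            raise ValueError(f"already {MAX_CUSTOM} custom {proto} filters in this group")
        self.custom.append((proto, low, high))

    def permits(self, proto, port):
        if self.mode == "No Restrictions":
            return True
        if self.mode == "Block all":
            return False
        if any(SERVICES[s] == (proto, port) for s in self.services):
            return True
        return any(p == proto and lo <= port <= hi for p, lo, hi in self.custom)

def is_allowed(policy, hosts, mac, proto, port):
    """hosts maps MAC -> group name; anything unlisted falls into 'everyone'."""
    group = hosts.get(mac.lower(), "everyone")
    return policy[group].permits(proto, port)

# Constructed policy: the restrictive layout the page describes.
POLICY = {
    "everyone": GroupFilter("Block all"),
    "group1": GroupFilter("Use packet filters", services={"HTTP", "DNS"}),
}
HOSTS = {"00:11:22:33:44:55": "group1"}  # constructed MAC for the "laptop" entry

if __name__ == "__main__":
    laptop = "00:11:22:33:44:55"
    print(is_allowed(POLICY, HOSTS, laptop, "TCP", 80))    # True
    print(is_allowed(POLICY, HOSTS, laptop, "TCP", 443))   # False: HTTP != HTTPS
    POLICY["group1"].add_custom("TCP", 443, 443)
    print(is_allowed(POLICY, HOSTS, laptop, "TCP", 443))   # True
    print(is_allowed(POLICY, HOSTS, "aa:bb:cc:dd:ee:ff", "TCP", 80))  # False: unknown host
```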

Virtual Servers

If you want to host your own servers, the feature to use is "Virtual Servers". There are a number of predefined servers (such as HTTP, FTP, SMTP, etc). To use one of these, simply enter the IP address of the server on the LAN side you want the world to have access to, and check off the "Enable" box.

If you want to host a server that's not on the default list, you'll have to go to the "custom virtual server" page, and create your own entry. It's fairly simple. Type in a name for the service, check off the "Enable" box, enter the LAN IP address of your server, select the correct protocol (TCP/UDP), then enter the internal and external port ranges. Unless you need some sort of port-translation, these ranges should be the same. Click "add", and you've created your own virtual server. If you need to disable or edit the service, pick it from the "Select Entry" drop-down box, click "Update fields below", make the changes and click "update entry".

Special Applications

Certain applications with 2-way communication need ports opened up in the firewall in order to work properly. This is especially true for some online games and video/tele conferencing software. Basically, what happens is that when the firewall detects a certain type of traffic outbound, it opens up a defined port (or port range) for inbound traffic to the client that initiated the outbound connection.

My favorite example of this is actually SMTP. Most mail servers use the Ident service for authentication. Whenever you connect to an SMTP server to send e-mail, it will respond by making a connection back to you to verify that you are who you say you are. Since the firewall simply drops this connection attempt, the SMTP server has to wait until the connection times out before completing the mail transfer. To speed things up, you can create an entry in "Special Applications" to allow the ident connection. Here's how: Enter a suitable name (SMTP comes to mind), check off the "Enable" box, select TCP as outgoing protocol, and enter 25 as outgoing port range (both fields). Next, select TCP as incoming protocol, enter 113 as incoming port range (both fields), and click "Add". Now, every time you send e-mail, you'll allow the SMTP server to connect back to you, thus completing the mail exchange uninterrupted.
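The port-triggering behaviour behind "Special Applications" is easy to misread as "port 113 is now open"; it is not. The added Python model below (not the SFV's own code; the LAN addresses and the 60-second hold time are constructed assumptions, since the page gives no lifetime) shows that the inbound TCP/113 opening exists only for the host that just connected out on TCP/25, only for the ident port, and only until it expires.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SpecialApp:
    """One "Special Applications" entry: an outgoing trigger and the inbound range it opens."""
    name: str
    out_proto: str
    out_lo: int
    out_hi: int
    in_proto: str
    in_lo: int
    in_hi: int

class TriggerFirewall:
    def __init__(self, apps, hold_seconds=120):
        self.apps = apps
        self.hold = hold_seconds   # assumed lifetime of a dynamic opening; the page gives no figure
        self.openings = {}         # (client_ip, in_proto, in_lo, in_hi) -> expiry time

    def outbound(self, client_ip, proto, dport, now):
        """Client connects out; arm the inbound range of every matching special application."""
        for app in self.apps:
            if app.out_proto == proto and app.out_lo <= dport <= app.out_hi:
                key = (client_ip, app.in_proto, app.in_lo, app.in_hi)
                self.openings[key] = now + self.hold

    def inbound_allowed(self, dst_ip, proto, dport, now):
        """Unsolicited inbound traffic is dropped unless dst_ip armed a matching trigger."""
        self.openings = {k: exp for k, exp in self.openings.items() if exp > now}  # expire
        return any(ip == dst_ip and p == proto and lo <= dport <= hi
                   for (ip, p, lo, hi) in self.openings)

# The page's SMTP/ident entry: outgoing TCP/25 opens inbound TCP/113 to the sender.
SMTP_IDENT = SpecialApp("SMTP", "TCP", 25, 25, "TCP", 113, 113)

if __name__ == "__main__":
    fw = TriggerFirewall([SMTP_IDENT], hold_seconds=60)
    client, other = "192.168.0.100", "192.168.0.101"   # constructed LAN addresses
    print(fw.inbound_allowed(client, "TCP", 113, now=0))   # False: nothing armed yet
    fw.outbound(client, "TCP", 25, now=0)                  # client talks to a mail server
    print(fw.inbound_allowed(client, "TCP", 113, now=1))   # True: ident callback let through
    print(fw.inbound_allowed(other, "TCP", 113, now=1))    # False: only the initiator
    print(fw.inbound_allowed(client, "TCP", 113, now=61))  # False: opening expired
```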

DMZ

The "DMZ" feature allows one computer to be exposed to the internet. The term "DMZ" is poorly chosen, as this feature really has nothing to do with a DMZ at all. However, if you have a computer that must be totally exposed to the internet, then this feature would allow that. Read the caution before use!

Logging

You should consider either using a syslog server, or having the logs e-mailed to yourself. On the "Log Settings" page, you can enter the address of a syslog server, a mail server, and the e-mail addresses of sender and recipient.

As for log content, there really isn't that much logged, but you should probably log at least "Detected attacks" and possibly "system activity". I didn't notice any difference by adding "dropped packets", but that might just be me... I'm not impressed by the logging, but you might be able to get more detail using a syslog server... 

More about Ident

On the "Expert Level" page, there's an option to close the ident port rather than "Stealthing" it. By enabling this feature, the firewall will respond with a "we're closed" reply rather than not responding at all. This will also remove that annoying delay when sending e-mail without using the "Special Application" setup that I described above.

Well, that's the basics, and a bit beyond. The remaining functions are features that most people would not have to deal with. VPN configurations are not something that can easily be discussed in a paragraph or two, as these have to be specifically configured depending on the hardware at the other end. Routing is only applicable if you have more than one router, and is way beyond "basic". I have no experience with the dialup backup feature, so I cannot help with that. However, it looks pretty straight-forward... 

Don't underestimate the usefulness of Symantec's own website; there wasn't much information about the SFV before, but now they have quite a few articles in their knowledgebase.

© 1999-2005 Lars M. Hansen