Remote Access Filters control inbound access. They apply primarily to Tunnels (a Tunnel is a secure virtual connection through the Internet or an intranet), but also to inbound access from any attached network to any interface on the GTA Firewall. A Remote Access Filter must be in place before a Tunnel can be accessed. See Managing Filters at the beginning of this chapter for filter set information, tips and the fields of a filter.
Any protocol defined in IP Protocols (TCP, UDP, ICMP, IGMP, ESP, AH or any other) can be matched against the packet.
Generally, it is best to select and configure system Preferences (in Basic Configuration) and Inbound Tunnels before Remote Access Filters. This lets the firewall generate a set of auto-configured filters that reflect the system's configuration. These filters can be used as is, or modified to suit the local network security policy.
Some events that the firewall implicitly blocks and logs are known to be harmless. To suppress logging of these "benign" protocols, create and enable a Remote Access Filter that explicitly blocks the protocol but does not log the event. Use these parameters:
Type: Deny (blocks the protocol).
Interface: the interface on which the block event should not be logged. To suppress logging of the event on all interfaces, select <ANY>.
Protocol: the protocol to block.
Log: No.
Select the source address and ports and destination address and ports for which this blocked protocol event should not be logged.
Order is important. Place the No Log filter in the set after any filters that specifically allow and/or log this event in certain cases, and before more restrictive filters.
By default, the PSN is untrusted by the Protected Network and may not initiate connections to it, just as the External Network is untrusted by the networks behind the firewall. Sometimes, however, it is more efficient to allow the PSN to reach a Protected Network for selected services.
Access should be as limited as possible. Either use an inbound tunnel with an Auto Accept filter, or use an Accept Remote Access Filter together with a tunnel onto the Protected Network. A Remote Access Filter lets the administrator regulate access tightly and use Network Address Translation to hide the real IP address of the Protected Network host from the PSN, and from any potential attacker on it.
The PSN to PRO filter should include these parameters:
Type: Accept.
Interface: PSN.
Protocol: <ALL>, or select the desired protocol.
Source: the IP address and port from which this access will be initiated.
Destination: the connection's destination IP address and port on the PSN, which should match the beginning of the tunnel.
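The two recipes on this page, the "no log" Deny filter for a benign protocol and the PSN to PRO Accept filter, both depend on where a filter sits in the ordered set. The following Python is an added illustration written for this page, not GTA Firewall code: it models a filter set as a list evaluated first-match, with an implicit logged Deny when nothing matches. The first-match rule, the implicit Deny, the interface names, the choice of IGMP as the benign protocol, and all addresses and ports (192.0.2.0/24, 198.51.100.9, 203.0.113.10, tunnel address 203.0.113.1, SMTP on port 25) are assumptions made for the example.

```python
"""First-match filter-set evaluator (illustration only, not GTA Firewall code).

Assumptions made here: filters are tested top to bottom and the first match
decides; a packet matching no filter hits an implicit Deny that is logged.
All addresses, ports and interface names are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on
    proto: str            # IP protocol name, e.g. "TCP", "IGMP"
    src: str
    sport: Optional[int]  # None for protocols without ports
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Filter:
    name: str
    type: str             # "Accept" or "Deny"
    iface: str            # interface name, or "ANY"
    proto: str            # protocol name, or "ALL"
    src: str              # CIDR network, or "ANY"
    sport: Optional[int]  # None = any port
    dst: str              # CIDR network, or "ANY"
    dport: Optional[int]  # None = any port
    log: bool


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "ANY":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def _matches(f: Filter, p: Packet) -> bool:
    return (f.iface in ("ANY", p.iface)
            and f.proto in ("ALL", p.proto)
            and _addr_matches(f.src, p.src)
            and f.sport in (None, p.sport)
            and _addr_matches(f.dst, p.dst)
            and f.dport in (None, p.dport))


def evaluate(filters: List[Filter], p: Packet) -> Tuple[str, bool, str]:
    """Return (disposition, logged, name of the deciding filter)."""
    for f in filters:
        if _matches(f, p):
            return f.type, f.log, f.name
    return "Deny", True, "<implicit deny>"   # assumed default: blocked and logged


def build_filter_set() -> List[Filter]:
    """Sample set in the order the page recommends: a filter that still logs
    the benign protocol from one suspect range comes first, the blanket
    no-log Deny for that protocol second, then the narrow PSN to PRO Accept."""
    return [
        Filter("igmp-from-suspect-range", "Deny", "ANY", "IGMP",
               "192.0.2.0/24", None, "ANY", None, log=True),
        Filter("igmp-no-log", "Deny", "ANY", "IGMP",
               "ANY", None, "ANY", None, log=False),
        # Accept only SMTP from one PSN host to the PSN-side tunnel address.
        Filter("psn-smtp-to-pro", "Accept", "PSN", "TCP",
               "203.0.113.10/32", None, "203.0.113.1/32", 25, log=True),
    ]


if __name__ == "__main__":
    fs = build_filter_set()
    samples = [
        Packet("EXT", "IGMP", "192.0.2.7", None, "224.0.0.1", None),
        Packet("EXT", "IGMP", "198.51.100.9", None, "224.0.0.1", None),
        Packet("PSN", "TCP", "203.0.113.10", 40123, "203.0.113.1", 25),
        Packet("PSN", "TCP", "203.0.113.10", 40123, "203.0.113.1", 22),
    ]
    for pkt in samples:
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, evaluate(fs, pkt))
    # Swapping the two IGMP filters shows why order matters: the blanket
    # no-log filter now swallows the suspect-range event without logging it.
    swapped = [fs[1], fs[0], fs[2]]
    print("swapped:", evaluate(swapped, samples[0]))
```

Run it and compare the last line with the first: with the no-log filter ahead of the more specific logging filter, the suspect-range IGMP packet is still dropped but silently, which is exactly the outcome the ordering advice above is meant to prevent. The PSN Accept filter matches only the one source host, the tunnel address and port 25; the SSH attempt from the same host falls through to the implicit Deny.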