• Managing Access Rules, page 104
• Configuring Firewall Access Rules, page 103
• Using Content Filters to Control Internet Access, page 110
Configuring the General Firewall Settings
The default firewall settings should be sufficient for most small businesses.
However, you can use the Firewall > General page to disable the firewall or to specify the types of attacks that you want to block. You also can restrict potentially risky website features such as Java and cookies.
To open this page: Click Firewall > General in the navigation tree.
Firewall
Configuring the General Firewall Settings
7
NOTE
• If you want to disable the firewall (not recommended), you can do so only if you have configured the administrator password. If you are still using the default password, you must change it. For more information, see Changing the Administrator Username and Password, page 40.
• Before navigating away from this page, click Save to save your settings, or click Cancel to undo them. Any unsaved changes are abandoned.
Enable or disable the firewall and related features:
• Firewall: Choose to enable or disable the firewall. This feature is enabled by default and is strongly recommended to protect your network. Enabling or disabling the firewall also affects several related features, as described below. Disabling the firewall also disables Access Rules and Content Filters.
If you choose Disable and you are still using the default administrator password, a message appears. To protect your router from unauthorized access, you must change the password before you can disable the firewall.
Click OK to continue to the Password page, or click Cancel to remain on the current page. After you change your password, you can return to this page to resume this procedure.
• SPI (Stateful Packet Inspection): When enabled, this feature allows the router to review the information that passes through the firewall. It inspects all packets based on the established connection, prior to passing the packets for processing through a higher protocol layer. This feature can be enabled only when the firewall is enabled.
• DoS (Denial of Service): When enabled, this feature protects internal networks from Internet attacks, such as SYN Flooding, Smurf, LAND, Ping of Death, IP Spoofing, and reassembly attacks. This feature can be enabled only when the firewall is enabled.
• Block WAN Request: When enabled, this feature allows the router to drop both unaccepted TCP requests and ICMP packets from the WAN side. Hackers will not find the router by pinging the WAN IP address. This feature can be enabled only when the firewall is enabled.
• Remote Management: When enabled, this feature allows you to connect to the router’s web-based configuration utility through a WAN connection. This feature is disabled by default. It can be enabled only when the firewall is enabled. If you want to enable remote management, you should first
Cisco Small Business RV0xx Series Routers Administration Guide 101
default Port setting, 80, or enter another port number (8080 is usually used for this purpose).
NOTE: When remote management is enabled, you can use a web browser to access the configuration utility from anywhere on the Internet. In a web browser, enter http://<WAN IP address of the router>:port, or enter https://<WAN IP address of the router>:port if you have enabled the HTTPS feature.
• HTTPS: When enabled, this feature allows secured HTTP sessions. This feature is enabled by default.
NOTE: If you disable the HTTPS feature, then users cannot connect by using QuickVPN.
• Multicast Pass Through: When enabled, this feature allows IP multicast packets to be forwarded to the appropriate LAN devices. Multicast Pass Through is used for Internet games, videoconferencing, and multimedia applications. This option is disabled by default.
IMPORTANT: This router does not support passing multicast traffic over an IPSec tunnel. The multicast passthrough option determines whether the router allows the multicast traffic originating from the Internet to pass through the firewall to the LAN.
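The dependencies among the options above can be checked mechanically against a saved set of choices. The following is an added example, not code from the guide or from Cisco: the setting names and the dict layout are hypothetical, the rules are the ones stated in the list above, and the severity labels are the example's own.

```python
# Added example. The keys are hypothetical names for the Firewall > General
# options; the guide does not show an export format for these settings.
FIREWALL_DEPENDENT = ("spi", "dos", "block_wan_request", "remote_management")

def audit_general_settings(cfg):
    """Return (severity, message) findings for one complete settings dict."""
    findings = []
    if not cfg["firewall"]:
        findings.append(("high", "firewall disabled; Access Rules and "
                                 "Content Filters are disabled with it"))
        if cfg["default_admin_password"]:
            findings.append(("invalid", "default administrator password must "
                                        "be changed before the firewall can be disabled"))
        # These options can be enabled only when the firewall is enabled.
        findings += [("invalid", f"{k} requires the firewall to be enabled")
                     for k in FIREWALL_DEPENDENT if cfg[k]]
    else:
        for k in ("spi", "dos", "block_wan_request"):
            if not cfg[k]:
                findings.append(("medium", f"{k} is turned off"))
    if cfg["remote_management"]:
        findings.append(("medium", "configuration utility reachable from the "
                                   f"Internet on port {cfg['remote_port']}"))
        if not cfg["https"]:
            findings.append(("high", "remote management without HTTPS: "
                                     "administrator sessions use plain HTTP"))
    if not cfg["https"]:
        findings.append(("medium", "HTTPS disabled; QuickVPN users cannot connect"))
    if cfg["multicast_pass_through"]:
        findings.append(("info", "multicast from the Internet is passed to the LAN"))
    return findings

# Constructed sample settings, not taken from a real device.
HARDENED = {"firewall": True, "default_admin_password": False, "spi": True,
            "dos": True, "block_wan_request": True, "remote_management": False,
            "remote_port": 80, "https": True, "multicast_pass_through": False}
RISKY = dict(HARDENED, remote_management=True, remote_port=8080, https=False,
             block_wan_request=False)
INCONSISTENT = dict(HARDENED, firewall=False, default_admin_password=True)

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("risky", RISKY),
                      ("inconsistent", INCONSISTENT)):
        print(name)
        for sev, msg in audit_general_settings(cfg):
            print(f"  [{sev}] {msg}")
```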
Restrict Web Features
• Java: Check the box if you want to block Java applets at the firewall. Java is a common programming language for websites. If you deny Java applets, you run the risk of losing access to Internet sites created with this programming language. As a compromise, you can check this box to block Java on untrusted or unknown sites, while allowing Java on trusted sites (see Don’t block Java/ActiveX/Cookies/Proxy to Trusted Domains below). By default, Java is not blocked.
• Cookies: Check this box if you want to block all cookies at the firewall. A cookie is data that a website stores on a user’s PC. If you block cookies, a website may not function as expected. As a compromise, you can check this box to block cookies on untrusted or unknown sites, while allowing them on trusted sites (see Don’t block Java/ActiveX/Cookies/Proxy to Trusted Domains below). By default, cookies are not blocked.
• ActiveX: Check the box if you want to block ActiveX controls at the firewall. ActiveX is a programming language for websites. If you deny ActiveX, you run the risk of losing access to Internet sites created using this programming language. As a compromise, you can check this box to block ActiveX on untrusted or unknown sites, while allowing ActiveX on trusted sites (see Don’t block Java/ActiveX/Cookies/Proxy to Trusted Domains below). By default, ActiveX is not blocked.
• Access to HTTP Proxy Servers: Check this box if you want to block access to HTTP proxy servers. Use of WAN proxy servers may compromise the router’s security. If you enable this feature, you block access to proxy servers using port 80 or 8080. As a compromise, you can check this box to block access to untrusted or unknown servers, while allowing access to trusted servers (see Don’t block Java/ActiveX/Cookies/Proxy to Trusted Domains below). By default, access to HTTP proxy servers is not blocked.
• Don’t block Java/ActiveX/Cookies/Proxy to Trusted Domains: If you blocked any of the web features, you can check this box to allow these features for the domains that you enter on the trusted list. (This area of the page is available only if you checked one of the other boxes to disable a web feature.) If you leave the box unchecked, then the selected web features are blocked for all websites.
- To add a domain to the trusted list: Enter the domain that you want to add to the trusted list. Then click Add to list.
- To add another domain to the trusted list: Enter the domain, and then click Add to list.
- To modify a domain in the trusted list: Click the domain. The information appears in the text field. Make changes, and then click Update.
- To remove a domain from the trusted list: Click the domain, and then click Delete.