Security Profile

The security profiles control the firewall: what to allow and what to refuse.
Only advanced users should change the security profiles.

Press "Get default values" to restore the security profiles to their original values.

NOTE! Press "Save" after your settings!


Allowed applications

Applications allowed to get in through the firewall (from WAN to LAN):

Web, Telnet, SSH, FTP server - Check the box if you have any of these servers on your LAN and you want computers on the Internet to be able to access them. Enter the server's local IP address. The FTP server Port field controls your external FTP port; your FTP server must still listen on port 21!
Access servers from inside using WAN IP address - Check the box if you want to be able to access your web, telnet, ssh or ftp server from inside using your global IP address. If the box is not checked, the servers can only be reached using their local IP addresses.

PING receiver - Check the box if you want ping requests from the Internet answered by a PC on your LAN. Enter the PC's LAN IP address.
(Not recommended, as it exposes that PC to "flood-pinging".)
SIP - Check the box if you want incoming SIP messages to be allowed through / answered.
Remote configuration - Check the box(es) if you want the configuration web interface (these pages) or the command line interface (Telnet), respectively, to be accessible from the Internet.
(NOTE! Extreme security risk! Not recommended!)
ICQ 2003a/Lite - Check the box if you want to communicate with other ICQ users.
NOTE! The port range is set to 1024-2048; you must specify this range in ICQ. Follow the link under "Read more online" (bottom of page) for instructions.
NOTE! Security risk (opens up a large hole in the firewall)! Not recommended. If you only want to use the "Send Message" feature, check the ICQ box under "Applications from inside" instead (more secure).

Multi-user gaming support:
Some games in which many users play with each other over the Internet require the firewall to allow non-conventional data traffic. The "Lo" security profile is pre-configured for most such games ("All" is checked under "Applications from inside" and "loose UDP" is enabled). Some DirectX-based games may additionally require the DirectX checkbox to be enabled.
DirectX - Check the box if you want to play games using the Microsoft DirectX communication module:
(Age of Empires, Midtown Madness, Motocross Madness, most Microsoft games, many Windows games)

NOTE! Press "Save" after your settings!


VPN Pass-through

VPN tunnels to allow through the firewall. For each tunnel enter:
Protocol - VPN communication protocol used in the tunnel.
Local client IP - IP address of the local VPN client the tunnel originates from.
Remote server IP - IP address of the remote VPN server the tunnel goes to.

Enter both endpoints' IP addresses for each tunnel. Each tunnel must have a unique remote server IP address, meaning no two tunnels are allowed to go to the same remote server.

To enter more rows than are available, click Save and new empty rows will be added.

NOTE: If you have activated the built-in VPN server but still want to allow some VPN tunnels to pass through the firewall, you must specify all fields for those tunnels!

Read more online:
VPN Pass-through

NOTE! Press "Save" after your settings!


Enter port redirections

Manual port redirections from WAN ports to LAN ports. (only for advanced users)

TCP connections - Rules for data traffic using TCP packets.
UDP connections - Rules for data traffic using UDP packets.
outside port(s) - WAN port(s) to be opened.
inside host - IP address of the LAN PC that should receive the data traffic.
inside port - Leave blank if the same as the outside port(s)!

To enter more rows than are available, click Save and new empty rows will be added.
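As an added illustration (not code from this help page or the router's firmware), the following Python models the port redirection table described above: each row's outside port(s) are assumed to be a comma-separated list, a blank inside port defaults to the outside port, and two rows claiming the same protocol and outside port are rejected as an overlap. The rows and addresses are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Redirect:
    proto: str            # "TCP" or "UDP" (which table the row was entered in)
    outside_ports: str    # as typed; assumed to be a comma-separated list, e.g. "5060,5061"
    inside_host: str      # LAN IP address that should receive the traffic
    inside_port: str = "" # blank means "same as the outside port"


def parse_ports(field: str) -> list[int]:
    """Parse the 'outside port(s)' field (assumed comma-separated) into valid port numbers."""
    ports = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    return ports


def build_table(rows: list[Redirect]) -> dict:
    """Expand rows into (proto, outside_port) -> (inside_host, inside_port); reject overlaps."""
    table = {}
    for row in rows:
        for out_port in parse_ports(row.outside_ports):
            key = (row.proto.lower(), out_port)
            if key in table:
                raise ValueError(f"overlapping redirection for {key}")
            # Blank inside port: the LAN host receives traffic on the same port number.
            in_port = int(row.inside_port) if row.inside_port.strip() else out_port
            table[key] = (row.inside_host, in_port)
    return table


def lookup(table: dict, proto: str, wan_port: int):
    """Return (inside_host, inside_port) for an inbound WAN packet, or None if not redirected."""
    return table.get((proto.lower(), wan_port))


def sample_table() -> dict:
    # Constructed sample rows: a web server, SSH on a non-standard outside port, and SIP.
    rows = [
        Redirect("TCP", "8080", "192.168.1.10"),
        Redirect("TCP", "2222", "192.168.1.10", "22"),
        Redirect("UDP", "5060,5061", "192.168.1.20"),
    ]
    return build_table(rows)
```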

NOTE! Press "Save" after your settings!


Enter IP redirections

Manual IP protocol/address redirections from WAN to LAN. (only for advanced users)
Redirections are matched in priority order, first row first.

Protocol - Protocol number or (for common protocols) name. Leave blank for "all protocols".

To enter more rows than are available, click Save and new empty rows will be added.

NOTE! Press "Save" after your settings!


Enter additional rules (Only for the advanced user!)
NB! Changing these settings requires in-depth knowledge!

Here advanced users can add manually written firewall rules alongside the automatically generated ones.

Insert at position - Firewall ruleset to add the rule to, as seen on the Firewall Rules page. (NOTE! All three fields MUST be filled in!)
pre - add the rule before the automatically generated ones; the rule will have higher priority.
post - add the rule after the automatically generated ones; the rule will have lower priority.
subst - substitute the automatically generated rules with the entered one. WARNING! No rules will be auto-generated for that ruleset!
Firewall rule - ONE firewall rule to add at the specified position.

To add multiple rules to a ruleset, enter multiple entries. To add more entries than there are available lines, press "Save" and additional empty lines will appear. To delete entries, set their position fields to empty.

Read more online:
Edit rules for security profile

NOTE! Press "Save" after your settings!
After editing these settings it is highly recommended to check the system log and the Firewall Rules Status page for errors.


Applications from inside

Applications allowed to get out through the firewall (from LAN to WAN):

All - Allow all outgoing data traffic to pass through. No filtering. (NOTE! Security risk! Not recommended!)
All TCP - Allow all outgoing TCP packets to pass through. (Not recommended)
All UDP - Allow all outgoing UDP packets to pass through. (Not recommended)
Web - Allow web access ("surfing").
NNTP - Allow access to newsgroups.
POP3 - Allow reception of e-mail.
IMAP - Allow reception of e-mail.
SMTP - Allow sending e-mail.
FTP - Allow file transfers.
Ping - Allow outgoing ping (a LAN PC pinging a PC on the WAN / Internet).
Yahoo! Messenger 5.5 - Check the box if you want to communicate with other Yahoo! Messenger users.
AOL Instant Messenger (AIM) 5.1 - Check the box if you want to communicate with other AOL Instant Messenger users.
Net2Phone 1.0 - Check the box if you want to use the Net2Phone application.
ICQ (Send Message only) - Check the box if you only want to send messages to other ICQ users. To use the more advanced features, check the ICQ box under "Allowed applications" instead.
inside -> DMZ - Allow all, all TCP or all UDP traffic from LAN to DMZ.
Other TCP ports - Open specific port numbers (only for advanced users). Several ports can be entered, separated by commas.
Other UDP ports - Open specific port numbers (only for advanced users). Several ports can be entered, separated by commas.
Administration (Telnet) - Allow access to the command line interface.

NOTE! Press "Save" after your settings!


General settings

Other security profile settings:

Loose UDP (Peer-to-peer gaming) - Many games use "loose UDP" to communicate among several users over the Internet:
e.g. BattleZone 1.4, Dark Reign 1.4, Diablo, HeavyGear 2, Quake I/II, StarCraft, WorldCraft, and most of the games from Activision.
Check the box to allow such traffic to pass through.
Disable "ICMP close" (Port Unreachable) - Prevent "UDP connections" from being closed by ICMP Port Unreachable messages.
Enable strict TCP inspection - Uncheck this if you encounter compatibility problems with certain servers.
Inactivity timeouts - Close the connection if no data has been transmitted for the specified time. Specific timeouts for particular ports/protocols may be added.
FTP proxy mode - Select whether FTP traffic should be handled by the internal FTP proxy. "Disabled" means that only address translation (NAT) is performed. NB! FTP traffic is still admitted/rejected based on the other FTP settings on this page.
Firewall Log - Select the extent of the firewall log.
NB! Under heavy load, not all intended packets will be logged. NB! Enabling this feature can affect performance, e.g. throughput.
Forward to syslog server - Select the data to be copied from the firewall log to an external syslog server. See also "Administration".
Verbosity level - Select a higher value for more information in the log output.
Include link layer information - For example Ethernet headers.
Log raw data - Limits how much of the logged data is shown in raw (hex or ASCII) form; the default is zero bytes.
Exclude protocol headers - For example IP and TCP headers.

NOTE! Press "Save" after your settings!


Read more online:
Security Profile