Filter_Info_UK.txt Driver File Contents (WIN-Tools-ICT-V700-INT.exe)

Description of Firewall Filter  

This description is valid for the configuration file of the Filter Wizard (file "filterwizardtab.txt" version 1.13) of your 
PABX. You will find the following information in this text:
- Basic description of the Firewall 
- Description of the procedure to update the Filter Wizard
- Detailed description of all predefined filters in the configuration file 

Basic Description of the Firewall
----------------------------------------------------------------
The PABX contains a router for xDSL and ISDN that is protected by a packet filter Firewall.
To allow unrestricted access to the Internet, the Firewall is not pre-configured in the default settings.
A minimum level of security against attacks from the Internet is given by the (always activated) use of Network Address
Translation (NAT). If this protection does not seem sufficient, you can configure the integrated Firewall.

The configuration of the Firewall is made by the definition of filters. The order of filters can be changed in the table 
"IP filter".

It is recommended to configure the Firewall with the Filter Wizard to get the best available protection against attacks 
from the Internet. This will also enable the correct function of the automatic disconnect (Shorthold).

The router part of the PABX offers port-mapping as an additional feature. You can make services of the LAN available on
the Internet. Application examples are participation in Peer-to-Peer file sharing networks or the operation of servers
that have to be reachable from the Internet.
With port-mapping a path through the Firewall will be opened. TCP and UDP packets addressed to a certain port (or port range)
of the external IP address of the PABX are forwarded to a computer in the LAN.
If port-mapping and the firewall configuration of the Filter Wizard have to be used at the same time, it is necessary to
adapt the filters produced by the Filter Wizard so that they do not conflict with the port-mapping configuration.
In the default settings port-mapping is not activated for security reasons. You will find information about the
configuration of port-mapping in the file DSL_Rou.pdf on the CD enclosed with this product.

The configuration of a Firewall normally demands in-depth knowledge of the protocols and procedures used on the Internet.
The configuration software of the PABX includes an assistant, the "Filter Wizard". It will help you to configure the
Firewall without this knowledge. The configuration software has a button under [network] [filter] to start the Filter
Wizard.

Description of the Procedure to Update the Filter Wizard
-------------------------------------------------------------------------------------------------------
It may be necessary to update the configuration of the Firewall to enable new applications or to reject certain
malicious attacks from the Internet. The Filter Wizard supports this option by working with a description file that you can
easily update without having to download a firmware update into the PABX or update the PC software (e.g. new configuration
software).
The version number of the Filter Wizard description file in use can be read in the first line of the Filter Wizard window.
Please check regularly for the availability of a new description file (name: "filterwizardtab.txt" and "Filter_Info.txt") on
http://www.elmeg.com
The file "filterwizardtab.txt" controls the filter entries made by the Filter Wizard. The file "Filter_Info.txt" contains 
this filter entry description that may be viewed under "Network, Filter" by clicking on "Help".
If you find a more recent version of the description file (on http://www.elmeg.com), you can download it to your
PC and overwrite the existing file. The files are in the subdirectory "filterinfo" of the installation directory
containing the configuration software of the PABX (e.g. C:\Programme\elmeg WIN-Tools\WIN-Tools V6.00\filterinfo).

If you then start the Filter Wizard again and click on "Default settings", the new filter will be available immediately
(if this button is greyed out, you may activate it by changing the setting of any filter (on/off) in the Filter
Wizard).

The description file is deliberately kept in text format to make the configuration of the Firewall as transparent as possible.
However, reading the description file demands the above-mentioned prior knowledge.


Important:
-------------
Please check our website regularly (http://www.elmeg.com) for a new version of the description file "filterwizardtab.txt" 
and of this help file (Filter_Info.txt) and use it, if possible. 

The Firewall filters contained in the file "filterwizardtab.txt" can only be loaded with the Windows configuration software
into the PABX.  

Then the Filter Wizard offers the option to load certain filters individually into the Firewall of the PABX.
After the Filter Wizard has entered the selected filters into the filter table by clicking on "Finish", this configuration 
has to be transferred into the PABX.

Attention: Read the configuration of the PABX first and use the Filter Wizard afterwards. Otherwise you will overwrite the 
current configuration of the PABX! 

Proposed Order: 
1. Start the configuration program of the PABX 
2. Read out the configuration of the PABX, change into the expert view if necessary
3. Configure the Firewall with the Filter Wizard 
4. Transfer configuration into the PABX 

If you use the filters of the Filter Wizard for the Firewall, the behaviour of the Firewall will be the opposite of the 
default settings: In the default settings the Firewall allows all packets to pass (with the exception of NetBios Name 
Service Broadcasts, see below). The Filter Wizard changes this behaviour: All packets that are not subject to any specific
rule for passing the Firewall will be rejected. The rules that enable the passing of the Firewall for IP packets are called 
filters.


Please pay attention to the following advice:
- The prepared filters of the Filter Wizard are defined to the best of our knowledge. But no responsibility can be taken for
  the function of the filters.
- The use of a Firewall should be combined with the use of an anti-virus scanner software on all PCs! The Firewall and the 
  anti-virus scanner cover different ranges of data security and can perfectly complement but never replace each other! 
- Changes to the file "filterwizardtab.txt" do not lead to a predictable behaviour of the configuration software or the
  PABX (as well as the integrated Firewall).
- Only activate the filters you absolutely need. If there are more activated filters that enable certain services, they will
  automatically produce "bigger holes" in the Firewall. More filters also need more processing power in the Firewall. 
  This may have negative influence on the performance.
- Always save the last functioning configuration of the PABX in a file. 
- The order of filters can be changed in the table (buttons "up", "down"). For the function of the Firewall the order of 
  entries in the table can be very important.

Additional advice on the configuration of the Firewall can be found on a number of Websites in the Internet. You can find 
these by entering a term like "ipfwadmin" into a search engine.

Detailed Description of all Filters pre-configured in the Configuration File  
---------------------------------------------------------------------------------------------------------------
The Firewall is configured to deny all data packets that are not covered by an explicit rule (filter) that allows the
packet to pass. This procedure makes the configuration of the Firewall somewhat more laborious, but it reduces the chance
of "forgetting" to forbid some packets to pass through the Firewall.
Some filters may contain rules to refuse packets. These rules are not absolutely necessary for the selected basic
configuration of the Firewall, because after configuration with the Filter Wizard the Firewall rejects all packets that
were not accepted by the filters. Nevertheless, the above-mentioned refusing filters are included to reject the packets
of certain attacks as early as possible, so that they do not run through the whole chain of filter rules. This increases the
performance of the Firewall in case of a port scan or an attack.

The term "unprivileged ports" is used for the ports 1024 - 65535. The ports 61000 - 65000 are called NAT ports.

Please pay attention to the following: 
Some of the filters encapsulate others. That means there are filters that open the Firewall more than others. Within this
"open" range there may be other filters (that would open a smaller range) that do not have to be activated for the connected
application.
If the Firewall has to be used to block certain applications in the LAN (e.g. Peer-to-Peer file sharing), you always
have to test whether the goal of the configuration has been reached. The Firewall represents a chain of filters. The order of
filters also decides the effectiveness of certain filters. The first rule that applies to an IP packet decides whether the
packet is tolerated or rejected. Therefore the order of the filters entered into the table "IP filter" by the Filter Wizard
will sometimes not match the order presented in the Filter Wizard.
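
The first-match chain, the default rejection and the encapsulation of filters described above, together with the
port-mapping conflict mentioned in the basic description, as an added Python sketch (not part of the elmeg file and not
the PABX's own implementation). The rule fields, the "in"/"out" direction labels and both chain orderings are assumptions,
simplified from the filter descriptions in this file.

```python
from dataclasses import dataclass

# Port ranges as defined in this help file.
PRIVILEGED = (0, 1023)
UNPRIVILEGED = (1024, 65535)
NAT_PORTS = (61000, 65000)
ANY_PORT = (0, 65535)


def within(inner, outer):
    """True if the inclusive port range `inner` lies inside `outer`."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "accept" or "reject"
    direction: str  # assumed labels: "out" = LAN to Internet, "in" = reverse
    proto: str      # "tcp" or "udp"
    src: tuple      # inclusive source port range
    dst: tuple      # inclusive destination port range

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return (self.direction == other.direction and self.proto == other.proto
                and within(other.src, self.src) and within(other.dst, self.dst))


def verdict(chain, direction, proto, sport, dport):
    """The first rule that applies decides; unmatched packets are rejected."""
    packet = Rule("packet", "", direction, proto, (sport, sport), (dport, dport))
    for rule in chain:
        if rule.covers(packet):
            return rule.action, rule.name
    return "reject", "default"


def shadowed(chain):
    """(later, earlier) pairs where an earlier rule already covers a later one."""
    return [(later.name, earlier.name)
            for i, later in enumerate(chain)
            for earlier in chain[:i] if earlier.covers(later)]


# Constructed rules, simplified from the filter descriptions in this file.
PROTECT = Rule("Protect System", "reject", "in", "tcp", ANY_PORT, PRIVILEGED)
PORTMAP = Rule("Webserver Portmap", "accept", "in", "tcp", ANY_PORT, (80, 80))
HTTP = Rule("HTTP", "accept", "out", "tcp", NAT_PORTS, (80, 80))
P2P = Rule("Peer-to-Peer", "accept", "out", "tcp", NAT_PORTS, UNPRIVILEGED)
GAMING = Rule("Gaming", "accept", "out", "tcp", NAT_PORTS, (7002, 7002))

# Two constructed orderings of the same five rules.
BLOCKING_ORDER = [PROTECT, PORTMAP, HTTP, P2P, GAMING]
ADAPTED_ORDER = [PORTMAP, PROTECT, HTTP, P2P, GAMING]

if __name__ == "__main__":
    for label, chain in (("blocking", BLOCKING_ORDER), ("adapted", ADAPTED_ORDER)):
        print(label, "inbound tcp/80 ->", verdict(chain, "in", "tcp", 40000, 80))
        print(label, "shadowed rules ->", shadowed(chain))
```

A shadowed pair with different actions is a conflict (here the port mapping never takes effect until the order is adapted);
a pair with the same action is the encapsulation case, where the narrower filter does not have to be activated.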

Filter name: Protect System 
This filter protects the Firewall against connections to the privileged ports (0 ... 1023) for TCP and UDP.
Most of the relevant data services are offered via the privileged ports (name resolution, file transfer, etc.).

Filter name: Block IP Spoofing
This filter protects the Firewall against simulated packets "on the wrong side" of the Firewall. Data packets that appear to
be part of the LAN because of their IP address, but were faked by an attacker on the Internet and arrive through the DSL
modem, will be ignored (this is also valid for ISDN connections into the Internet).

Filter name: DNS Filter
This filter enables the name resolution (assignment of IP addresses to URLs). UDP as well as TCP packets outgoing to port 53
and incoming from port 53 will be accepted. By using TCP also longer answers and zone transfers are possible.
If this filter is switched off, no DNS queries may pass the Firewall. The use of the Internet will be nearly impossible!

Filter name: Active FTP
This filter enables, together with the corresponding software module in the Firewall, active FTP. Active FTP differs from
passive FTP: The FTP server establishes a connection for the data transfer on demand of the client (this applies to the
answer to the FTP command "ls" and to the data transfer itself).
The problem is that the FTP server establishes the connection to any unprivileged port of the FTP client and therefore
a large range of the Firewall has to be opened.
Outgoing connections to ports 20 and 21 (TCP) as well as incoming connections from these ports to unprivileged ports are
accepted.

Filter name: Passive FTP
This filter enables the data transfer via FTP: The connection is always established by the FTP client.
Outgoing connections to the port 21 (TCP) as well as incoming connections from this port to unprivileged ports are accepted.
Web browsers use, if possible, passive FTP for file download (if this is not handled via HTTP).

Filter name: HTTP
This filter enables Web browsing. Packets on ports 80 (TCP) and 8080 (TCP, for the use of HTTP proxies) for outgoing
connections and incoming packets on NAT ports from these ports will be accepted.

Filter name: HTTPS
This filter enables secure Web browser access. Packets on port 443 (TCP) for outgoing connections and incoming packets from
this port to NAT ports will be accepted.
The protocol HTTPS is often used for online banking and shopping; HTTP connections are used for the transfer of encrypted
packets.

Filter name: Online banking
This filter enables the use of HBCI for online banking. Packets on port 3000 (TCP) for outgoing connections and incoming
packets to the NAT ports will be accepted.
At the same time port 866 (TCP), which is used by the T-Online software for online banking, will be opened.

Filter name: E-mail 
This filter enables the transfer of e-mails:
 - via SMTP (= send an e-mail): Packets on port 25 (TCP) for outgoing connections and incoming packets from this port to NAT
   ports will be accepted.
 - via POP3 (= receive an e-mail): Packets on port 110 (TCP) for outgoing connections and incoming packets from this port to
   NAT ports will be accepted.
 - via IMAP: Packets on the ports 143 and 993 for outgoing and incoming connections will be accepted on NAT ports. 

Filter name: ICMP
This filter enables the use of the service program "ping", e.g. to measure the availability of computers on the Internet and
the travel time of IP packets to these computers. This is helpful e.g. for Internet games to find the fastest answering
server. If this filter is switched on, "ping" can be used out of the LAN. The service program "traceroute" or "tracert"
can also be used. This filter enables the sending of ICMP packets with the protocol "echo request" into the Internet only.
On the receiver side all ICMP protocols may pass through the Firewall. With this filter the Firewall is protected from being
"pinged" itself: Connection attempts to the external IP address of the Firewall will produce outgoing IP traffic
(e.g. destination unreachable) when they are rejected.
This behaviour is important for the following cases:
 - The Firewall itself is "hidden". With simple methods nobody can detect its IP address as a potential destination for
   attacks.
 - The external IP address of the Firewall is assigned by the ISP when establishing the connection. The ISP has an address
   pool and these addresses are used again and again. It may happen that an IP address was assigned to and used by, e.g., a
   subscriber of a Peer-to-Peer network some time ago. A lot of time will go by until the information is distributed in this
   network that the former offering is no longer available under this IP address. In this timeframe a lot of
   connection attempts will happen from the Internet to the Firewall that will be refused by the Firewall with a
   corresponding answer packet. This would reduce your upstream bandwidth and restart the timer for the connection idle
   timeout.
Consequently, the Internet connection may not be disconnected automatically and additional charges
may occur depending on the selected tariff of the Internet access. You may narrow this filter by only enabling the ICMP
protocols really needed (e.g. echo-request, echo-reply, destination unreachable).

Filter name: Peer-to-Peer File Sharing and Internet Radio
This filter enables the use of Peer to Peer (P2P) file sharing software. To be able to offer a single filter for the many 
different P2P systems and Internet Radio providers, the following port settings are pre-configured:
 - from NAT ports to all unprivileged ports for TCP
 - from NAT ports to all unprivileged ports for UDP
This filter opens the Firewall very widely!


Filter name: Realplayer
This filter enables the use of the Realplayer for the streaming of audio and video. The following port settings are 
pre-configured:
  Incoming packets:
  - from port 554 to unprivileged ports for TCP
  - from port 7002 to unprivileged ports for TCP
  and additionally for incoming packets
  - from unprivileged ports to ports 6970 - 7170 for UDP
  
Filter name: Mediaplayer
This filter enables the use of the Mediaplayer for the streaming of audio and video. The following port settings are 
pre-configured:
  - from port 1755 to unprivileged ports for UDP
  - from port 1755 to unprivileged ports for TCP

Filter name: VPN (PPTP)
This filter allows packets to pass for the TCP test connection that is used for PPTP VPNs.
Data that is exchanged with the VPN is transferred with GRE packets that can pass through the firewall
if the TCP test connection has been set up correctly. For this, packets to port 1723 (TCP) are enabled
for outgoing connections, as are incoming packets from this port to the NAT ports.

Filter name: Internet News
This filter provides access to News servers by enabling packets for outgoing connections to port 119 (TCP)
and incoming packets from this port to the NAT ports.

Filter name: Internet Relay Chat (IRC)
This filter provides access to IRC servers. The following ports are enabled:
 - Port 113 for outgoing connections from NAT ports and their reply packets,
 - Ports 6660 to 6669 for outgoing connections from NAT ports and their reply packets,
 - Ports 7000 to 7002 for outgoing connections from NAT ports and their reply packets.

Filter name: Peer-to-Peer file sharing with High ID (additional filter)
This filter permits you to use Peer-to-Peer (P2P) file sharing software that assigns privileges to users
who can themselves suggest valid options (High ID). For this, the corresponding computer must be accessible
for connections initiated from the Internet, i.e. port forwarding must be configured.
Attention:  Also activate the filters "DNS", "HTTP" and "Peer-to-Peer File Sharing and Internet Radio".
Attention:  Automatic termination of connections after a defined period of inactivity will not function as long as queries from
the Internet are directed to your router! These queries are, however, "not visible", meaning you
should use the ControlCenter function "Inhibit router" to terminate the Internet connection.
Attention:  You may have to adapt the ports and IP addresses for the target PC in the LAN appropriately for this.
Attention:  The computer to which the ports are forwarded is completely unprotected at these ports
(as if the computer were connected directly to the Internet via these ports).
Settings:
 - Port 4662 (TCP) is also forwarded to the computer with the
   IP address 192.168.1.42 in the LAN for connections that are being set up.
 - Port 4567 (UDP) is forwarded to the computer with the IP address 192.168.1.42 in the LAN.

Filter name: Remote administration using Win2k
This filter permits remote administration for Windows 2000 servers.
Attention:  Automatic termination of connections after a defined period of inactivity will not function as long as queries from
the Internet are directed to your router! These queries are, however, "not visible", meaning you should use the ControlCenter
function "Inhibit router" to terminate the Internet connection.
Attention:  You may have to adapt the ports and IP address of the target PC in the LAN.
Attention:  The computer to which the ports are forwarded is completely unprotected at these ports
(as if the computer were connected directly to the Internet via these ports).
Setting:
 - Port 3638 (TCP) is forwarded on to the computer with the 
   IP address 192.168.1.42 in the LAN for connections that are being set up.

Filter name: Gaming
This filter permits connections to be set up to gaming servers, for example for playing Counterstrike.
Ports are enabled for connections from NAT ports to port 7002 (TCP) and their
reply packets, and for UDP packets from NAT ports to unprivileged ports and their reply packets.

Filter name: Webserver Portmap
This filter permits access to a Web server in your LAN from the Internet.
This allows the computer with the specified LAN IP address to be reached at the HTTP port (80) directly from the Internet
using the external IP address or the dynamic DNS name.
Follow the instructions given in the router manual (PDF file)!
You must replace the specified IP address (LAN IP adr.: 192.168.1.42) with the permanent IP address of your Web server where required,
or set this address as the permanent IP address for your Web server.
This filter can also be used as a template for other portmap entries (for example for an FTP server or P2P mappings).
Be sure to change the port numbers (for example, 21 for FTP), the protocol (TCP/UDP) and the name in all
three entries accordingly for this filter set.

Filter name: Time Server
This filter allows VoIP hardware, such as IP telephones, to receive the date and time settings from an external, public 
time server. This filter is normally de-activated and should be activated when using IP phones with 
corresponding functions. 

Filter name: Voice over IP
This filter enables you to log on at a SIP provider to use Internet telephony. This filter also enables signaling
(ringing for incoming calls) and exchange of voice data.
The IP address (192.168.1.42) should be matched to the actual IP address to ensure that the terminal device (IP telephone,
soft client) can always be reached. We recommend using fixed IP addresses for IP telephones.
When connecting several IP telephones for use with a Sipgate account, a signaling port (5004, 5005, etc.) must be assigned
to each IP telephone and mapped accordingly to the proper IP address.
See also http://www.sipgate.de/faq/index.php?aktion=anzeigen&type=devices&rubrik=660