Firewall, Port Mapping & Filters
Although the FVS318 and FR114P's firewalls are both SPI-based, the 114P's firewall has a very different, and more flexible, interface than the 318's. The 114P uses a Rules and Services model, which is used to control all port usage through the firewall.
Figure 1: Firewall Rules
Outbound Service rules (commonly known as Port Filters) specify a range of ports, i.e. a service, that is either allowed or blocked from a range of LAN IP addresses to a range of WAN (Internet) IP addresses.
Figure 2: Outbound Services
Inbound Services (usually known as Port Forwarding) have the same configuration features as Outbound Services, but are used to allow access to servers on your LAN that are behind the 114P's firewall. Note that server "loopback" is supported for Inbound Services.
The 114P comes with service definitions for commonly used services such as HTTP (Web), FTP, and others, which you can pick from a drop-down list. When you need a service that's not pre-defined, you can add it via the Custom Services screen, shown below.
Figure 3: Custom Service
Rules have a few other handy features. Although both Inbound and Outbound rules are schedulable as shown below, there is only one schedule, which can be applied on a rule-by-rule basis. You can also control the logging of each rule with selections of Never, Always, Match, and Not Match, as well as the order of precedence for rules in both directions. But note that there is no ability to set an outbound trigger port for Inbound Services; the service mappings are static only.
Figure 4: Rule Scheduling
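Because rule order is configurable, it is worth checking that a broad rule does not sit above a narrower one and silently override it. The following is an added example, not code from this review or from Netgear's firmware: a simplified model of Outbound Service rules (port range, LAN range, WAN range, action) that assumes first-match-wins ordering and a default of allowing unmatched outbound traffic, with constructed addresses and rule names.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address as IP

@dataclass(frozen=True)
class Rule:
    name: str
    ports: tuple   # (first, last) destination port of the service
    lan: tuple     # (first, last) LAN source address
    wan: tuple     # (first, last) WAN destination address
    action: str    # "ALLOW" or "BLOCK"

    def matches(self, src, dst, port):
        return (self.ports[0] <= port <= self.ports[1]
                and IP(self.lan[0]) <= IP(src) <= IP(self.lan[1])
                and IP(self.wan[0]) <= IP(dst) <= IP(self.wan[1]))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1]
                and IP(self.lan[0]) <= IP(other.lan[0])
                and IP(other.lan[1]) <= IP(self.lan[1])
                and IP(self.wan[0]) <= IP(other.wan[0])
                and IP(other.wan[1]) <= IP(self.wan[1]))

def evaluate(rules, src, dst, port, default="ALLOW"):
    """Assumed semantics: the first matching rule in precedence order wins."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action, rule.name
    return default, None  # assumption: unmatched outbound traffic is allowed

def shadowed(rules):
    """(later, earlier) pairs where the later rule can never take effect."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i]
            if earlier.covers(later)]

ANY_WAN = ("0.0.0.0", "255.255.255.255")
ALL_LAN = ("192.168.0.2", "192.168.0.254")
# Constructed rule set: the broad allow sits above the narrower block.
RULES = [
    Rule("allow-web-all", (80, 80), ALL_LAN, ANY_WAN, "ALLOW"),
    Rule("block-web-kids", (80, 80), ("192.168.0.100", "192.168.0.110"), ANY_WAN, "BLOCK"),
    Rule("block-ftp-all", (20, 21), ALL_LAN, ANY_WAN, "BLOCK"),
]
```

Moving `block-web-kids` above `allow-web-all` makes the block take effect and clears the shadowing report.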
As with the FVS318, the Block Sites feature gives you finer control over the websites that your users visit than blocking all access with Outbound Services. But in the 114P's case, the Block Sites feature is not schedulable, and applies to websites only (vs. websites and newsgroups). You can still enter one "Trusted" IP address that will get unfiltered Internet access, however.