The 2 Plus has a rule-based, full-featured SPI firewall that is configured separately from the router's NAT features. And when I say separately, I mean it, since the 2 Plus does not automatically create corresponding firewall rules for something as simple as forwarding a port in the NAT section.
The only nod to user-friendliness here is the notes on some of the NAT section pages that say you may need to create a firewall rule. This is another place where IT geeks will be comfortable with the 2 Plus' way of doing things but occasional admins will just find it annoying and/or frustrating. Figure 9 is a shot of the Firewall Default Rule screen, where you can see the firewall options.
Figure 9: Firewall Default Rule screen (click image to enlarge)
The LAN to LAN / ZyWall option is used in conjunction with the IP Alias feature mentioned earlier, while the WAN to WAN / ZyWall option handles IPsec tunnel firewalling. WAN to LAN is used if you need finer control over inbound packets than basic NAT firewalling and port forwarding gives you. Finally, the LAN to WAN rules are where you set rules for what most routers refer to as Port or Application filtering.
Figure 10 shows the Edit Rule screen used for creating and editing rules. Note the simple day / time scheduling at the bottom of the screen. Not visible are other options for logging or sending an alert when a rule is matched and Permit, Deny and Drop options for rule action. Of course, if you don't see the service you want from the default pick list, you can use the Service tab to add a new one.
Figure 10: Firewall Edit Rule screen (click image to enlarge)
The Service edit screen lets you name the service and enter its port range, as well as choose from TCP, UDP, TCP/UDP, ICMP and Custom protocols (for Custom, you enter the IP protocol number). Other Firewall section tabs let you disable DoS attack protection on the WAN and LAN interfaces, set DoS session thresholds and specify the action taken when the TCP Maximum Incomplete threshold is tripped. Ping response is controlled in the Anti-Probing section, separately for the LAN and WAN interfaces.
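As an added example (my own Python, not ZyXEL's code or anything from the 2 Plus itself), here is a small model of the rule scheme described above: per-direction default rules, services with a port range or a Custom protocol number, day/time schedules, and NAT port forwards that create no firewall rule. The default actions used below and first-match-wins evaluation within a direction are assumptions, not something the review states.

```python
# Added example, not ZyXEL code: a small model of the 2 Plus rule model
# described above (per-direction default rule, services, schedules, NAT port
# forwarding that creates no firewall rule). Assumed, not stated on the page:
# the default actions below, and first-match-wins evaluation within a direction.
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    proto: str                  # "TCP", "UDP", "TCP/UDP", "ICMP" or "Custom"
    ports: tuple = (0, 65535)   # inclusive port range, ignored for ICMP/Custom
    proto_num: int = 0          # IP protocol number, used only for "Custom"

    def matches(self, proto, port, proto_num=0):
        if self.proto == "Custom":      # matched by IP protocol number only
            return proto_num == self.proto_num
        if self.proto == "ICMP":
            return proto == "ICMP"
        protos = ("TCP", "UDP") if self.proto == "TCP/UDP" else (self.proto,)
        return proto in protos and self.ports[0] <= port <= self.ports[1]

@dataclass
class Rule:
    service: Service
    action: str                             # "Permit", "Deny" or "Drop"
    days: frozenset = frozenset(range(7))   # 0=Mon .. 6=Sun
    hours: tuple = (0, 24)                  # active from hours[0] up to hours[1]

    def active(self, day, hour):
        return day in self.days and self.hours[0] <= hour < self.hours[1]

class Firewall:
    def __init__(self):
        # Assumed default action per direction, as on the Default Rule screen.
        self.default = {"WAN to LAN": "Drop", "LAN to WAN": "Permit",
                        "LAN to LAN/ZyWALL": "Permit", "WAN to WAN/ZyWALL": "Drop"}
        self.rules = {d: [] for d in self.default}   # ordered rules per direction
        self.nat_forwards = set()   # NAT section state, separate from the firewall

    def forward_port(self, proto, port):
        self.nat_forwards.add((proto, port))   # creates no firewall rule
    def decide(self, direction, proto, port, day=0, hour=12, proto_num=0):
        for r in self.rules[direction]:
            if r.service.matches(proto, port, proto_num) and r.active(day, hour):
                return r.action
        return self.default[direction]

def inbound_reachable(fw, proto, port, day=0, hour=12):
    # A forwarded port works only if NAT *and* the WAN to LAN rules both allow it.
    return (proto, port) in fw.nat_forwards and fw.decide("WAN to LAN", proto, port, day, hour) == "Permit"
```

Running it shows the gotcha from the text: forwarding TCP 80 in NAT alone leaves the port dropped until a WAN to LAN Permit rule for an HTTP service is added, and that rule only applies inside its schedule.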
Moving on to Content Filtering, Figure 11 shows the basic options. Notable is the ability to specify a "blocked" message and a redirect URL. You can also specify clients that are "exempt" from the content filter. Note that this exemption is by IP and not MAC address, so you would do best to assign static IPs (or reserve them using the LAN > Static DHCP feature) to any clients that you add to this list.
Figure 11: Content Filter General screen
The Categories screen (Figure 12) works in conjunction with an optional subscription-based filtering service OEM'd from Bluecoat. You get a one-month trial subscription with the 2 Plus, which you activate on the Registration page so that you can check things out.
Figure 12: Content Filter Category screen
If your filtering needs are simpler (or your budget is tighter), you can use the Customization tab to create lists of "Trusted" and "Forbidden" web sites as well as keyword URL filters. I did a quick check of the keyword URL filtering and found it smart enough to block the IP address of a blocked site. Also of note is the Cache tab, which provides control over how long (1-720 hours) a record of attempted visits to sites in the "Trusted" and "Forbidden" lists is kept. You can also view and flush the list here.