WinRoute services enable the administrator to define communication rules easily (by permitting or denying access to the Internet from the local network or by allowing access to the local network from the Internet). Services are defined by a communication protocol and by a port number (e.g. the HTTP service uses the TCP protocol with port number 80). A so-called protocol inspector can also be matched with certain service types (for details see below).
Services can be defined in Configurations → Definitions → Services. Some standard services, such as HTTP, FTP, DNS etc., are already predefined in the default WinRoute installation.
Clicking on the or the button will open a dialog for service definition. The dialog contains the following items:

Service identification within WinRoute. It is strongly recommended to use a concise name to keep the program easy to follow.

Comments for the service defined. It is strongly recommended to describe each definition, especially non-standard services, so that there is minimum confusion when referring to the service later.

The communication protocol used by the service. Most standard services use the TCP or the UDP protocol; a service that uses both can be defined as one service with the TCP/UDP option. The other options available are ICMP and other. The other option allows the protocol to be specified by its number in the IP packet header; any protocol carried in IP (e.g. GRE, protocol number 47) can be defined this way.

The WinRoute protocol inspector (see below) that will be used for this service. Each inspector should be used for its appropriate service only; using an inappropriate inspector may affect the functionality of the service.
If the TCP or UDP protocol is used, the service is defined by its port number. With standard client-server services, the server listens for connections on a particular port (its number relates to the service), whereas clients do not know their port in advance (ports are assigned to clients during connection attempts). This means that source ports are usually not specified, while destination ports are usually known for standard services.
Note: Specification of the source port may be important, for example during the definition of communication filter rules. For details, refer to chapter 7.3 Definition of Custom Traffic Rules.
Source and destination ports can be specified as:

Any — all the ports available (1-65535)
Equal to — a particular port (e.g. 80)
Greater than, Less than — all ports with a number that is either greater or less than the number defined
Not equal to — all ports that are not equal to the one defined
In range — all ports that fit the range defined (including the initial and the terminal ones)
List — list of ports divided by commas (e.g. 80,8000,8080)
WinRoute includes special plug-ins that monitor all traffic using application protocols, such as HTTP, FTP and others. These modules can be used to modify (filter) the communication or to adapt the firewall's behavior according to the protocol type. The benefits of protocol inspectors can be better understood through the following two examples:

The HTTP protocol inspector monitors traffic between clients (browsers) and Web servers. It can be used to block connections to particular pages or downloads of particular objects (e.g. images, pop-ups, etc.).

With active FTP, the server opens the data connection to the client. Under certain conditions this type of connection cannot be made through firewalls, so FTP could only be used in passive mode. The FTP protocol inspector detects that active FTP is in use, opens the appropriate port and redirects the connection to the appropriate client in the local network. As a result, users in the local network are not limited by the firewall and can use both FTP modes (active/passive).
The protocol inspector is enabled if it is set in the service definition and if the corresponding traffic is allowed. Each protocol inspector applies to a specific protocol and service. In the default WinRoute configuration, all available protocol inspectors are used in definitions of corresponding services (so they will be applied to corresponding traffic automatically), except protocol inspectors for SIP and H.323 (SIP and H.323 are complex protocols and protocol inspectors may work incorrectly in some configurations).
To apply a protocol inspector explicitly to other traffic, define a new service that uses this inspector, or set the protocol inspector directly in the corresponding traffic rule.

Example: You want to inspect the HTTP protocol at port 8080. Define a new service: TCP protocol, port 8080, HTTP protocol inspector. This ensures that the HTTP protocol inspector is automatically applied to any TCP traffic at port 8080 passing through WinRoute.
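The port specifications listed above and the TCP/8080 example can be tried out with the following model, which is an added illustration and not WinRoute's own code: it assumes the seven port modes, the protocol options (TCP, UDP, TCP/UDP, ICMP, other) and a first-match lookup of the inspector bound to a service; the service definitions in it are constructed to mirror the text.

```python
# Added illustration (not WinRoute code): WinRoute-style service definitions.
from dataclasses import dataclass

# IP protocol numbers behind the named protocol options; "other" uses ip_proto.
PROTO_NUMBERS = {"TCP": (6,), "UDP": (17,), "TCP/UDP": (6, 17), "ICMP": (1,)}

# The seven port specifications from the text; v holds the configured value(s).
PORT_MODES = {
    "any":       lambda p, v: 1 <= p <= 65535,
    "equal":     lambda p, v: p == v[0],
    "greater":   lambda p, v: p > v[0],
    "less":      lambda p, v: p < v[0],
    "not_equal": lambda p, v: p != v[0],
    "range":     lambda p, v: v[0] <= p <= v[1],   # both end points included
    "list":      lambda p, v: p in v,
}

def port_matches(mode, value, port):
    return PORT_MODES[mode](port, value)

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str            # "TCP", "UDP", "TCP/UDP", "ICMP" or "other"
    ip_proto: int = None     # IP protocol number, used only with "other"
    src: tuple = ("any", ()) # (mode, value) for the source port
    dst: tuple = ("any", ()) # (mode, value) for the destination port
    inspector: str = None    # protocol inspector bound to the service

    def matches(self, ip_proto, sport=0, dport=0):
        if self.protocol == "other":
            return ip_proto == self.ip_proto
        if ip_proto not in PROTO_NUMBERS[self.protocol]:
            return False
        if ip_proto == 1:    # ICMP carries no ports
            return True
        return port_matches(*self.src, sport) and port_matches(*self.dst, dport)

def inspector_for(services, ip_proto, sport, dport):
    # Inspector of the first matching service; None means no inspector applies.
    for s in services:
        if s.matches(ip_proto, sport, dport):
            return s.inspector
    return None

# Constructed definitions mirroring the text: HTTP, HTTP on 8080, GRE (proto 47).
SERVICES = [
    Service("HTTP", "TCP", dst=("equal", (80,)), inspector="HTTP"),
    Service("HTTP-8080", "TCP", dst=("equal", (8080,)), inspector="HTTP"),
    Service("GRE", "other", ip_proto=47),
]
```

A TCP flow to port 8080 resolves to the HTTP inspector, a UDP flow to the same port matches no service, and GRE is matched purely by its IP protocol number.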
Note: Generally, protocol inspectors cannot be applied to secured traffic (SSL/TLS). In this case WinRoute "perceives" the traffic as binary data only, since such traffic cannot be deciphered.

Under certain circumstances, applying a protocol inspector is not desirable. Therefore, it is possible to disable the corresponding inspector temporarily. For details, refer to chapter 7.7 Partial Retirement of Protocol Inspector.