Firewall Features, Continued
The other major function a router's firewall performs is to control access to content and applications, and the 4300 has a few tricks up its sleeve in that department. But you'll need to pay attention when using these controls or you may spend some time scratching your head trying to figure out why your Internet access has been cut off. The Access Control feature is whitelist only, so when you enable it, it disables all Internet access except that which you define rules for. Rules must be defined for each client IP address, so rule definition can get tedious. And since you get only 25 rules, you might run out if you have a lot of clients to control. At least you get a pick list of active client IP addresses with host name to help speed things along.
Figure 8: Access Control rule
Figure 8 shows an example Access Control rule definition that I created. Note the options of applying the Web Filter feature (more on that shortly), logging access and filtering ports. However, the Help and User Manual descriptions of this feature had me thinking it worked the opposite of the way it actually does. What I found is that any ports you enter in the Filter Ports section are blocked for that client, not enabled; a client with a rule and an empty Filter Ports list gets all ports. So you only need to use the Filter Ports section if you want to deny a client specific ports (services), and you should verify the effect from the client itself rather than trust the documentation.
The Web Filter control lets you enter up to 100 domains that will be used by the Access Control feature. Note that this "Filter" is a white, i.e. allow, list, which confused me because its name implies the opposite action. But if I had read the online help or User Manual, or even looked at the title of the list itself (Allowed Web Site List), I would have saved myself some time, since it is properly documented.
When I checked it out, I found the Web Filter was smart enough not to be bypassed by using a website's IP address, because it does a DNS lookup of every entry and so can match requests to the resolved addresses as well as the names. But it's a little too "smart", because it will block access to a page in the Allowed Site list if that page loads resources from a server in an unlisted domain as part of its page load process. Since it's a pretty common occurrence for a site to use third-party ad servers, CDNs and script hosts in an assortment of domains, you may find that the Web Filter has limited practical use unless you are willing to enumerate every domain a page pulls from.
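The interplay of these three controls (whitelist-only client rules, a Filter Ports list that denies rather than permits, and an Allowed Web Site List that is resolved through DNS and applied to every resource a page loads) is easy to get wrong at the admin page. The following is an added Python model of the semantics described above; it is not the router's firmware or any vendor code. The rule and domain limits (25 and 100) are the ones quoted in the review, the DNS table and client addresses are constructed for the example, and the assumption that an allow-list entry also covers its subdomains is mine.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed name->address table standing in for the DNS lookup the router
# performs on each Allowed Web Site List entry. RFC 5737 documentation
# addresses; none of these hosts are real.
FAKE_DNS = {
    "example.com": {"203.0.113.10"},
    "www.example.com": {"203.0.113.10"},
    "cdn.example.net": {"198.51.100.7"},
    "ads.tracker-example.org": {"192.0.2.44"},
}

MAX_RULES = 25          # per-client Access Control rule limit from the review
MAX_WEB_FILTER = 100    # Allowed Web Site List limit from the review


def resolve(host):
    """Stand-in for a real resolver; unknown names resolve to nothing."""
    return FAKE_DNS.get(host.lower(), set())


@dataclass
class Rule:
    client_ip: str
    blocked_ports: set = field(default_factory=set)  # Filter Ports denies, never permits
    web_filter: bool = False                          # apply the Allowed Web Site List


class AccessControl:
    def __init__(self, enabled, rules, allowed_sites):
        if len(rules) > MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} Access Control rules")
        if len(allowed_sites) > MAX_WEB_FILTER:
            raise ValueError(f"at most {MAX_WEB_FILTER} Web Filter domains")
        self.enabled = enabled
        self.rules = {r.client_ip: r for r in rules}
        self.allowed_sites = [s.lower() for s in allowed_sites]
        # Resolving every entry up front is what defeats "just use the IP".
        self.allowed_addrs = set().union(*(resolve(s) for s in self.allowed_sites))

    def client_allowed(self, client_ip):
        """Whitelist-only: once enabled, a client with no rule has no Internet."""
        return (not self.enabled) or client_ip in self.rules

    def port_allowed(self, client_ip, port):
        if not self.client_allowed(client_ip):
            return False
        rule = self.rules.get(client_ip)
        return rule is None or port not in rule.blocked_ports

    def _host_allowed(self, host):
        host = host.lower()
        try:  # IP literal: compare against the resolved addresses of the list
            return str(ipaddress.ip_address(host)) in self.allowed_addrs
        except ValueError:
            pass
        # Assumption: an entry covers itself and its subdomains.
        return any(host == d or host.endswith("." + d) for d in self.allowed_sites)

    def url_allowed(self, client_ip, url):
        if not self.client_allowed(client_ip):
            return False
        rule = self.rules.get(client_ip)
        if rule is None or not rule.web_filter:
            return True
        parsed = urlparse(url)
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        if port in rule.blocked_ports:
            return False
        return self._host_allowed(parsed.hostname or "")

    def blocked_resources(self, client_ip, page_urls):
        """Every fetch a page load would fail; one blocked third-party script
        or ad server is enough to make an 'allowed' page look broken."""
        return [u for u in page_urls if not self.url_allowed(client_ip, u)]


# Constructed configuration: one filtered client, one unfiltered client.
AC = AccessControl(
    enabled=True,
    rules=[Rule("192.168.1.10", blocked_ports={22}, web_filter=True),
           Rule("192.168.1.11")],
    allowed_sites=["example.com", "cdn.example.net"],
)

if __name__ == "__main__":
    page = ["https://www.example.com/", "https://cdn.example.net/app.js",
            "https://ads.tracker-example.org/tag.js"]
    print("blocked during page load:", AC.blocked_resources("192.168.1.10", page))
```

Run it and the allowed page's own HTML and its CDN script pass, but the ad-server tag is refused, which is exactly the partial page load the review complains about. A client with no rule at all (say 192.168.1.12) gets nothing, and the client with port 22 in its Filter Ports list loses only SSH. Note that the model resolves the allow-list once at save time; whether the real unit re-resolves on a schedule is not something the review establishes, so a site whose addresses change frequently may behave differently on the hardware.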
The last access control is the MAC Address Filter. It works like other MAC address filters that you find on wireless routers, except that the 4300's filter can control whether wireless and wired clients can connect to the router. As Figure 9 shows, the filter conveniently presents a pick list of current clients to help you along and can be set to allow or deny access to the clients you enter.
Figure 9: MAC address filtering
But, as a close look at Figure 9 will reveal, the feature is buggy. I found that I could get the list into both allow and deny modes by repeated application (save and reboot) of the mode that I wanted, but the information in the filter's admin interface would not properly reflect what the 4300 was actually doing.