8.3. Services

WinRoute services let the administrator define communication rules easily (permitting or denying access from the local network to the Internet, or allowing access from the Internet to the local network). A service is defined by a communication protocol and a port number (e.g. the HTTP service uses the TCP protocol with port number 80). A so-called protocol inspector can also be assigned to certain service types (see below for details).

Services can be defined in Configurations / Definitions / Services. Some standard services, such as HTTP, FTP, DNS etc., are already predefined in the default WinRoute installation.

Clicking on the Add or the Edit button will open a dialog for service definition.

Name

Service identification within WinRoute. It is strongly recommended to use a concise name to keep the program easy to follow.

Protocol

The communication protocol used by the service.

Most standard services use the TCP or the UDP protocol, or both; in the latter case they can be defined as a single service with the TCP/UDP option.

The option other enables the administrator to specify a protocol by the protocol number contained in the IP packet header. Any protocol carried in IP (e.g. GRE, protocol number 47) can be defined this way.

Protocol Inspector

WinRoute protocol inspector (see below) that will be used for this service.

Warning: Each inspector should be used for the appropriate service only.

Source Port and Destination Port

If the TCP or UDP protocol is used, the service is defined by its port number. In standard client-server communication, the server listens for connections on a particular port (the number corresponds to the service), whereas clients do not know their port in advance (ports are assigned to clients when a connection is attempted). This means that source ports are usually not specified, while destination ports are usually known for standard services.

Note: Specifying the source port may be important, for example when defining communication filter rules. For more information see chapter 5.2.

Source and destination ports can be specified as:

  • Any — all the ports available (1-65535)

  • Equal to — a particular port (e.g. 80)

  • Greater than, Less than — all ports with a number greater or less than the number defined

  • Not equal to — all ports other than the one defined

  • In range — all ports within the range defined (including both endpoints)

  • List — a list of ports separated by commas (e.g. 80,8000,8080)

Description

Comments on the service defined. It is strongly recommended to describe each definition, especially non-standard services, so that there is minimum confusion when referring to the service later.

Protocol Inspectors

WinRoute includes special plug-ins that monitor all traffic using application protocols such as HTTP, FTP and others. These modules can be used to modify (filter) the communication or to adapt the firewall's behavior to the protocol type. The benefits of protocol inspectors are best understood through the following two examples:

  1. The HTTP protocol inspector monitors traffic between clients (browsers) and Web servers. It can be used to block connections to particular pages or downloads of particular objects (e.g. images, pop-ups, etc.).

  2. With active FTP, the server opens the data connection to the client. Under certain conditions this type of connection cannot pass through a firewall, so FTP could only be used in passive mode. The FTP protocol inspector detects that the FTP session is active, opens the appropriate port and redirects the connection to the appropriate client in the local network. As a result, users in the local network are not limited by the firewall and can use both FTP modes (active/passive).

A protocol inspector is active if it is included in a service that is used in a traffic rule. If a rule is defined for any service, all WinRoute protocol inspectors that match this rule are activated automatically.

Note: Protocol inspectors recognize application protocols by the transport layer protocol (TCP or UDP) and the port number used by the appropriate service. If a service runs on a non-standard port (e.g. HTTP on port 8080), the protocol inspector will not be used. In this case you can create a custom service for port 8080 that uses the HTTP protocol inspector.
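The following is an added example, not WinRoute's own code: a small Python model of service definitions that implements the port operators listed under Source Port and Destination Port and the inspector lookup described in the note above (a service whose protocol and ports do not match yields no inspector, so HTTP on 8080 needs its own definition). The Service and port_matches names and the inspector labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def port_matches(spec: tuple, port: int) -> bool:
    """spec mirrors the dialog options: ("any",), ("eq", 80), ("gt", 1023),
    ("lt", 1024), ("ne", 25), ("range", 6000, 6063), ("list", [80, 8000, 8080])."""
    op, *args = spec
    if op == "any":
        return 1 <= port <= 65535
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "ne":
        return port != args[0]
    if op == "range":  # both bounds are inclusive, as the dialog describes
        return args[0] <= port <= args[1]
    if op == "list":
        return port in args[0]
    raise ValueError(f"unknown port operator {op!r}")

@dataclass(frozen=True)
class Service:
    name: str
    protocols: frozenset            # {"TCP"}, {"UDP"}, {"TCP", "UDP"} or a protocol number such as {47}
    src: tuple = ("any",)           # source port is usually left at "any"
    dst: tuple = ("any",)
    inspector: Optional[str] = None

    def matches(self, proto, sport: int = 0, dport: int = 0) -> bool:
        if proto not in self.protocols:
            return False
        if proto not in ("TCP", "UDP"):   # "other" protocols carry no ports
            return True
        return port_matches(self.src, sport) and port_matches(self.dst, dport)

def inspector_for(services, proto, sport: int, dport: int) -> Optional[str]:
    """Inspector of the first matching service, or None when no service matches."""
    return next((s.inspector for s in services if s.matches(proto, sport, dport)), None)

# Constructed sample definitions; inspector labels are assumed for illustration.
HTTP = Service("HTTP", frozenset({"TCP"}), dst=("eq", 80), inspector="HTTP")
DNS = Service("DNS", frozenset({"TCP", "UDP"}), dst=("eq", 53))
GRE = Service("GRE", frozenset({47}))
HTTP_8080 = Service("HTTP 8080", frozenset({"TCP"}), dst=("eq", 8080), inspector="HTTP")
```

With only the predefined services, a request to port 8080 matches nothing and gets no inspector; adding HTTP_8080 to the list restores the HTTP inspector for that port.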