I just got another DFL-700 Firewall for a small company, and I'm impressed with this unit.
Some features I like:
Blocks items in HTTP Sessions (here is the default list):

    #
    # Example for blocking all access to a whole site:
    #
    # example.com/*
    # *.example.com/*
    #
    # Or, a shorter variant that runs the risk of blocking sites whose
    # names end with the same text:
    #
    # *example.com/*
    #

    # I entered this so that yahoo mail would not be available
    mail.yahoo.com/*

    #
    # Deny access to potentially dangerous file types:
    #

    # Malicious executables can be downloaded by exploits
    *.exe *.scr *.cpl *.pif
    # *.com -- probably not a good idea given the .com TLD

    # Malicious scripts can be downloaded by exploits
    *.vb *.vbd *.vbe *.vbs *.vbx *.bat *.cmd *.wsc *.wsf *.wsh *.sct

    # Shell scraps can contain executables and invoke nearly any command
    *.shb *.shs

    # Windows installer files - prevent unauthorized downloads and installs
    *.msi *.msp

    # "HTML Applications" -- affected by vulnerabilities
    *.hta *.htc

    # Windows media player skin file -- affected by vulnerabilities
    *.wms *.wmz *.wmd

    # Multiple vulnerabilities use compiled HTML (chm) files, especially in
    # conjunction with HTML Help, so block .hlp too
    *.chm *.hlp

    # Vulnerabilities in MIDI decoders
    *.mid *.midi

    # The Office suite has had multiple vulnerabilities over the years
    *.ade *.adp *.clp *.csv *.dif *.doc *.dot *.mad *.maf *.mam *.maq *.mar
    *.mat *.mcw *.mda *.mdb *.mde *.mdn *.mdt *.mdv *.mdw *.mst *.odc *.ofn
    *.pbk *.pcd *.pip *.pot *.ppa *.pps *.ppt *.ppz *.pwz *.slk
    # *.rtf -- can contain ms word data too though
    *.w51 *.w60 *.w61 *.wbk *.wiz *.wk1 *.wk3 *.wkb *.wks *.wll *.wmc *.wri
    *.wp *.wp4 *.wp5 *.wp6 *.wpc *.wpd *.wpf *.wpg *.wpj *.wpk *.wpm *.wpp
    *.wpt *.wpw *.wwl *.wwp *.wzs *.xl *.xla *.xlb *.xlc *.xld *.xlk *.xll
    *.xlm *.xls *.xlt *.xlv *.xlw

    # "Internet Settings" files -- shouldn't come from the outside
    *.ins *.isp

    # Outlook email/news archive file
    *.eml *.nws

    # "Multipurpose HTML archive" -- affected by vulnerabilities
    *.mht *.mhtml

    # HTTP-based database access -- not used by browsers
    *.idc *.htx

    # URL/Link files have no business being downloaded by browsers
    *.url *.lnk

    # Others
    *.reg *.inf

It has a whitelist filter also.
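The over-blocking risk that the list's comments mention (the short *example.com/* variant, and *.com) can be checked against sample URLs before a rule goes live. This is an added example, not from the original post or from D-Link: it assumes shell-style wildcards matched against host/path, which the post does not confirm for the DFL-700, and the function names, rule lists and URLs are constructed.

```python
from fnmatch import fnmatchcase

# Assumption: a rule is a shell-style wildcard matched case-insensitively
# against "host/path" with the scheme removed. The post does not document
# the DFL-700's actual matching rules.

def normalize(url):
    """Drop the scheme, lowercase, and give a bare host a "/" path."""
    rest = url.split("://", 1)[-1].lower()
    return rest if "/" in rest else rest + "/"

def parse_rules(text):
    """Collect patterns from a rule list, ignoring # comments."""
    rules = []
    for line in text.splitlines():
        rules.extend(line.split("#", 1)[0].split())
    return rules

def first_match(url, rules):
    """Return the first rule that blocks the URL, or None if allowed."""
    target = normalize(url)
    return next((r for r in rules if fnmatchcase(target, r)), None)

def overblocked(urls, intended, candidate):
    """URLs the candidate rules block that the intended rules allow."""
    return [u for u in urls
            if first_match(u, candidate) and not first_match(u, intended)]

# Constructed rule lists, using the post's own example patterns.
EXACT = parse_rules("""
# block one site and its subdomains
example.com/*
*.example.com/*
*.exe *.scr   # *.com -- left commented out
""")
SHORT = parse_rules("*example.com/*\n*.exe *.scr")
WITH_COM = EXACT + ["*.com"]

# Constructed sample URLs.
URLS = [
    "http://example.com/index.html",
    "http://www.example.com/",
    "http://counterexample.com/news",
    "http://files.example.org/setup.EXE",
    "http://archive.example.org/mirror/www.example.com",
]

if __name__ == "__main__":
    for u in URLS:
        print(u, "->", first_match(u, EXACT))
    print("short variant over-blocks:", overblocked(URLS, EXACT, SHORT))
    print("*.com over-blocks:", overblocked(URLS, EXACT, WITH_COM))
```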
Acts as a PPTP Server with multiple users able to be set up in groups for permissions. Also does IPSec tunnels, but the PPTP Server was a very nice feature.
Has Port Mapping rules for all combinations:

    # LAN->WAN policy - 7 rules, NAT enabled
    # WAN->LAN policy - 0 rules
    # LAN->DMZ policy - 3 rules
    # DMZ->LAN policy - 0 rules
    # WAN->DMZ policy - 0 rules
    # DMZ->WAN policy - 4 rules, NAT enabled

It has real, dedicated LAN and DMZ jacks, and each can be assigned a unique subnet and each has its own DHCP Service!
Has DNS and DHCP relay options/settings.
Has reasonable logging features.
Oh, and it has a RADIUS Server interface ability!
All that for $350.