I just got another DFL-700 Firewall for a small company, and I'm impressed with this unit.
Some features I like:
Blocks items in HTTP Sessions (here is the default list):
#
# Example for blocking all access to a whole site:
#
# example.com/*
# *.example.com/*
#
# Or, a shorter variant that runs the risk of blocking sites whose
# names end with the same text:
#
# *example.com/*
#
# I entered this so that yahoo mail would not be available
mail.yahoo.com/*
#
# Deny access to potentially dangerous file types:
#
# Malicious executables can be downloaded by exploits
*.exe *.scr *.cpl *.pif
# *.com -- probably not a good idea given the .com TLD
# Malicious scripts can be downloaded by exploits
*.vb *.vbd *.vbe *.vbs *.vbx *.bat *.cmd *.wsc *.wsf *.wsh *.sct
# Shell scraps can contain executables and invoke nearly any command
*.shb *.shs
# Windows installer files - prevent unauthorized downloads and installs
*.msi *.msp
# "HTML Applications" -- affected by vulnerabilities
*.hta *.htc
# Windows media player skin file -- affected by vulnerabilities
*.wms *.wmz *.wmd
# Multiple vulnerabilities use compiled HTML (chm) files, especially in conjunction with HTML Help, so block .hlp too
*.chm *.hlp
# Vulnerabilities in MIDI decoders
*.mid *.midi
# The Office suite has had multiple vulnerabilities over the years
*.ade *.adp *.clp *.csv *.dif *.doc *.dot *.mad *.maf *.mam *.maq *.mar *.mat *.mcw *.mda *.mdb *.mde *.mdn *.mdt *.mdv *.mdw *.mst *.odc *.ofn *.pbk *.pcd *.pip *.pot *.ppa *.pps *.ppt *.ppz *.pwz *.slk
# *.rtf -- can contain ms word data too though
*.w51 *.w60 *.w61 *.wbk *.wiz *.wk1 *.wk3 *.wkb *.wks *.wll *.wmc *.wri *.wp *.wp4 *.wp5 *.wp6 *.wpc *.wpd *.wpf *.wpg *.wpj *.wpk *.wpm *.wpp *.wpt *.wpw *.wwl *.wwp *.wzs *.xl *.xla *.xlb *.xlc *.xld *.xlk *.xll *.xlm *.xls *.xlt *.xlv *.xlw
# "Internet Settings" files -- shouldn't come from the outside
*.ins *.isp
# Outlook email/news archive file
*.eml *.nws
# "Multipurpose HTML archive" -- affected by vulnerabilities
*.mht *.mhtml
# HTTP-based database access -- not used by browsers
*.idc *.htx
# URL/Link files have no business being downloaded by browsers
*.url *.lnk
# Others
*.reg *.inf
It has a whitelist filter also.
Acts as a PPTP Server with multiple users able to be set up in groups for permissions. Also does IPSec tunnels, but the PPTP Server was a very nice feature.
Has Port Mapping rules for all combinations:
# LAN->WAN policy - 7 rules, NAT enabled
# WAN->LAN policy - 0 rules
# LAN->DMZ policy - 3 rules
# DMZ->LAN policy - 0 rules
# WAN->DMZ policy - 0 rules
# DMZ->WAN policy - 4 rules, NAT enabled
It has real, dedicated LAN and DMZ jacks, and each can be assigned a unique subnet and each has its own DHCP Service!
Has DNS and DHCP relay options/settings.
Has reasonable logging features.
Oh, and it has a RADIUS Server interface ability!
All that for $350.
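The comments at the top of the HTTP block list warn that the shorter `*example.com/*` form can block unrelated sites. The following is an added example, not part of the original post or the firewall's own code, that parses a list in that format and reports which URLs only the shorter form blocks. The function names, the sample lists and URLs, and the matching rules (case-insensitive, `*` matches any run of characters, patterns compared against host plus path, lines starting with `#` are comments) are assumptions.

```python
import re

# Constructed excerpts in the format of the list above (not the full default list).
PRECISE = """\
# block a whole site, precise form
example.com/*
*.example.com/*
# Malicious executables can be downloaded by exploits
*.exe *.scr *.cpl *.pif
"""
SHORT = """\
# block a whole site, shorter variant
*example.com/*
*.exe *.scr *.cpl *.pif
"""

def parse_blacklist(text):
    """Collect patterns; lines starting with '#' are comments (assumed syntax)."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.extend(line.split())
    return patterns

def compile_pattern(pattern):
    """Turn a '*' glob into a case-insensitive regex; '*' matches any run of characters."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def blocked_by(url, patterns):
    """Return the first pattern matching host+path of url, or None if it is allowed."""
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    for pattern in patterns:
        if compile_pattern(pattern).fullmatch(target):
            return pattern
    return None

def overblocked(urls, precise, short):
    """URLs the shorter variant blocks although the precise list lets them through."""
    return [u for u in urls if blocked_by(u, short) and not blocked_by(u, precise)]

# Constructed test URLs.
URLS = [
    "http://example.com/",
    "http://www.example.com/index.html",
    "http://counterexample.com/news",  # unrelated site whose name ends in "example.com"
    "http://files.example.org/setup.exe",
    "http://example.org/readme.txt",
]

if __name__ == "__main__":
    precise, short = parse_blacklist(PRECISE), parse_blacklist(SHORT)
    for u in URLS:
        print(f"{u:40} precise={blocked_by(u, precise)} short={blocked_by(u, short)}")
    print("over-blocked by the short form:", overblocked(URLS, precise, short))
```

Running a list of known-good business URLs through `overblocked` before loading a new pattern onto the device shows collateral blocks ahead of time.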