Firewall Features, Continued
One thing the ACL rules don't do is content filtering, which is instead handled by the relatively crude URL Filter feature (Figure 9).
Figure 9: URL Filter
You get only ten 15 character keywords to use as filters and, once programmed, filters can be edited and deleted but not disabled. When the filter is tripped, you get an "Access Denied by ASUSTeK Internet Security Router" screen. The keywords are broad in that the filter will kick in if the keyword string is found anywhere in the URL. But I found that the filters can be easily bypassed by anyone savvy enough to look up and enter the IP address of the desired site instead of its URL.
The SL1000's DoS Attack Filter settings expose the controls for its SPI features. The Help button brings up short, but informative descriptions of each of the controls, with most of them disabled by default as shown in Figure10.
Figure 10: DoS Attack Filter setup
The only "exploit" that I tried was a port scan of the SL1000's WAN, which was logged in short order.
Even with this overflowing basket of features, there are still some tricks the SL1000's firewall won't perform. UPnP isn't supported (no loss in my book) nor is server loopback, i.e. the ability to access port-mapped servers by their WAN IP (or assigned domain name) from LAN-side clients, supported either.
On the usability side of things, It would be nice to be able to disable the ACL rules and leave them programmed instead of having to delete them. A confirmation step before rules are deleted would be helpful, too.
Navigating your way through this maze of selections takes some getting used to. One of the things I didn't like is that you have to specify the WAN IP of the router as the Destination IP for Inbound ACL's. Since most ISPs assign dynamic IP addresses, inbound rules could stop working when the SL1000 renews its DHCP lease or logs into a PPPoE connection. It would be much better if you could just specify the WAN port instead of a specific IP address.
To their credit, ASUS tries to help with descriptions and examples of each feature in its printed User Guide. There's also online help available which, in some cases, I found more helpful than some of the printed material. ASUS tells me that they're also busy compiling application notes and a FAQ guide, which they plan to have available when the SL1000 starts shipping.