Appendix B: Firewall
Stateful Packet Inspection
Refers to an architecture in which the firewall keeps track of the state of every connection traversing its interfaces and only passes packets that are valid for an existing connection (for example, a reply that belongs to a session the LAN side opened). This is in contrast to static packet filtering, which examines each packet in isolation using only the information in its header.
Denial of Service attack
An incident in which a user or organization is deprived of the services of a resource they would normally expect to have. The DoS attacks the device is designed to withstand are: ARP attack, Ping attack, Ping of Death, LAND, SYN attack (SYN flood), Smurf attack and Teardrop.
TCP/IP/Port/Interface filtering rules
These rules filter traffic at the Network layer (Layer 3) on IP address and protocol and, where a port is specified, on the TCP/UDP port numbers as well. The firewall only applies to a Routing interface, and "Enable Firewall" must be checked when that interface is created. Navigate to Advanced Setup -> Security -> IP Filtering web page.
Outgoing IP Filtering:
Sets rules to DROP packets received on the LAN interface. By default, if the Firewall is Enabled, all IP traffic from the LAN is allowed. By setting up one or more filters, particular packet types coming from the LAN can be dropped.
Filter Name: User defined filter name.
Protocol: One of TCP/UDP, TCP, UDP or ICMP.
Source IP Address/Source Subnet Mask: Packets whose source address falls within the network given by this "Source IP Address/Source Subnet Mask" combination will be dropped.
Source Port: Either a single port number or a range of port numbers (portX:portY). Packets whose source port equals this value or falls within the range will be dropped.
Destination IP Address/Destination Subnet Mask: Packets whose destination address falls within the network given by this "Destination IP Address/Destination Subnet Mask" combination will be dropped.
Destination Port: Either a single port number or a range of port numbers (portX:portY). Packets whose destination port equals this value or falls within the range will be dropped.
Examples:
1.
Filter Name: Out_Filter1
Protocol: TCP
Source Address: 192.168.1.45
Source Subnet Mask: 255.255.255.0
Source Port: 80
Dest. Address: NA
Dest. Sub. Mask: NA
Dest. Port: NA
This filter will DROP all TCP packets coming from the LAN with IP Address/Subnet Mask 192.168.1.45/24 and a source port of 80, irrespective of the destination. All other packets will be ACCEPTED. Note that a mask of 255.255.255.0 makes the rule match every host in 192.168.1.0/24, not only 192.168.1.45; a mask of 255.255.255.255 restricts it to that single host.
2.
Filter Name: Out_Filter2
Protocol: UDP
Source Address: 192.168.1.45
Source Subnet Mask: 255.255.255.0
Source Port: 5060:6060
Dest. Address: 172.16.13.4
Dest. Sub. Mask: 255.255.255.0
Dest. Port: 6060:7070
This filter will DROP all UDP packets coming from the LAN with IP Address/Subnet Mask 192.168.1.45/24 and a source port in the range 5060 to 6060, destined to 172.16.13.4/24 with a destination port in the range 6060 to 7070. All other packets will be ACCEPTED.
Incoming IP Filtering:
Sets rules to ACCEPT packets received on the WAN interface. By default, if the Firewall is Enabled, all incoming IP traffic from the WAN is blocked. By setting up one or more filters, particular packet types coming from the WAN can be accepted.
Filter Name: User defined filter name.
Protocol: One of TCP/UDP, TCP, UDP or ICMP.
Source IP Address/Source Subnet Mask: Packets whose source address falls within the network given by this "Source IP Address/Source Subnet Mask" combination will be accepted.
Source Port: Either a single port number or a range of port numbers (portX:portY). Packets whose source port equals this value or falls within the range will be accepted.
Destination IP Address/Destination Subnet Mask: Packets whose destination address falls within the network given by this "Destination IP Address/Destination Subnet Mask" combination will be accepted.
Destination Port: Either a single port number or a range of port numbers (portX:portY). Packets whose destination port equals this value or falls within the range will be accepted.
The WAN interface on which these rules apply must be selected by the user. Keep accept rules as narrow as possible: every field left at NA widens the opening in the default-drop policy.
Examples:
1.
Filter Name: In_Filter1
Protocol: TCP
Source Address: 210.168.219.45
Source Subnet Mask: 255.255.0.0
Source Port: 80
Dest. Address: NA
Dest. Sub. Mask: NA
Dest. Port: NA
Selected WAN interface: mer_0_35/nas_0_35
This filter will ACCEPT all TCP packets coming from WAN interface mer_0_35/nas_0_35 with IP Address/Subnet Mask 210.168.219.45/16 and a source port of 80, irrespective of the destination. All other incoming packets on this interface are DROPPED. Note that the 255.255.0.0 mask admits any source in 210.168.0.0/16, not only 210.168.219.45, and a remote sender can choose source port 80 at will, so this rule effectively exposes every LAN host and port to that /16.
2.
Filter Name: In_Filter2
Protocol: UDP
Source Address: 210.168.219.45
Source Subnet Mask: 255.255.0.0
Source Port: 5060:6060
Dest. Address: 192.168.1.45
Dest. Sub. Mask: 255.255.255.0
Dest. Port: 6060:7070
Selected WAN interface: mer_0_35/nas_0_35
This rule will ACCEPT all UDP packets coming from WAN interface mer_0_35/nas_0_35 with IP Address/Subnet Mask 210.168.219.45/16 and a source port in the range 5060 to 6060, destined to 192.168.1.45/24 with a destination port in the range 6060 to 7070. All other incoming packets on this interface are DROPPED.
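To make the matching logic of the Outgoing and Incoming IP Filtering sections concrete, here is an added Python model of those semantics. It is not code from this manual or from the device firmware; it reproduces only the documented behaviour (address/mask network match, single or portX:portY port match, default ACCEPT with DROP exceptions on the LAN side, default DROP with ACCEPT exceptions on the WAN side). The rule definitions are the four example filters above; the sample packets are constructed, and the handling of a missing mask as a single-host match is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the IP filtering semantics described in this appendix.
# Outgoing rules DROP from a default of ACCEPT, incoming rules ACCEPT from a
# default of DROP, addresses match as address/mask networks and ports as a
# single value or a portX:portY range. Illustrative code only, not the device
# firmware; the sample packets are made up.


@dataclass(frozen=True)
class Packet:
    protocol: str            # "TCP", "UDP" or "ICMP"
    src: str
    sport: Optional[int]     # None for ICMP
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class IPFilter:
    name: str
    protocol: str                     # "TCP/UDP", "TCP", "UDP" or "ICMP"
    src_addr: Optional[str] = None    # a field shown as NA on the page is None
    src_mask: Optional[str] = None
    src_port: Optional[str] = None    # "80" or "5060:6060"
    dst_addr: Optional[str] = None
    dst_mask: Optional[str] = None
    dst_port: Optional[str] = None


def _network(addr: str, mask: Optional[str]) -> ipaddress.IPv4Network:
    # strict=False masks the host bits: 192.168.1.45/255.255.255.0 becomes
    # 192.168.1.0/24, i.e. the rule covers the whole subnet, not one host.
    # Assumption of this model: no mask means a single-host (/32) match.
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def _in_port_spec(spec: str, port: Optional[int]) -> bool:
    # "80" matches exactly 80; "5060:6060" matches the inclusive range.
    if port is None:
        return False
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def matches(rule: IPFilter, pkt: Packet) -> bool:
    """True if every populated field of the rule matches the packet."""
    if rule.protocol == "TCP/UDP":
        if pkt.protocol not in ("TCP", "UDP"):
            return False
    elif pkt.protocol != rule.protocol:
        return False
    if rule.src_addr and ipaddress.ip_address(pkt.src) not in _network(rule.src_addr, rule.src_mask):
        return False
    if rule.dst_addr and ipaddress.ip_address(pkt.dst) not in _network(rule.dst_addr, rule.dst_mask):
        return False
    if rule.src_port and not _in_port_spec(rule.src_port, pkt.sport):
        return False
    if rule.dst_port and not _in_port_spec(rule.dst_port, pkt.dport):
        return False
    return True


def outgoing_verdict(rules: List[IPFilter], pkt: Packet) -> str:
    """LAN side: everything is ACCEPTed unless a filter matches, then DROP."""
    return "DROP" if any(matches(r, pkt) for r in rules) else "ACCEPT"


def incoming_verdict(rules: List[IPFilter], pkt: Packet) -> str:
    """WAN side: everything is DROPped unless a filter matches, then ACCEPT."""
    return "ACCEPT" if any(matches(r, pkt) for r in rules) else "DROP"


# The four example rules from this appendix.
OUT_FILTER1 = IPFilter("Out_Filter1", "TCP", "192.168.1.45", "255.255.255.0", "80")
OUT_FILTER2 = IPFilter("Out_Filter2", "UDP", "192.168.1.45", "255.255.255.0", "5060:6060",
                       "172.16.13.4", "255.255.255.0", "6060:7070")
IN_FILTER1 = IPFilter("In_Filter1", "TCP", "210.168.219.45", "255.255.0.0", "80")
IN_FILTER2 = IPFilter("In_Filter2", "UDP", "210.168.219.45", "255.255.0.0", "5060:6060",
                      "192.168.1.45", "255.255.255.0", "6060:7070")
OUTGOING = [OUT_FILTER1, OUT_FILTER2]
INCOMING = [IN_FILTER1, IN_FILTER2]

if __name__ == "__main__":
    # Constructed sample packets: the /24 and /16 masks catch hosts other than
    # the ones typed into the rule.
    for pkt in (Packet("TCP", "192.168.1.200", 80, "203.0.113.9", 51000),
                Packet("TCP", "192.168.1.45", 443, "203.0.113.9", 51000)):
        print("LAN->WAN", pkt, outgoing_verdict(OUTGOING, pkt))
    for pkt in (Packet("TCP", "210.168.1.1", 80, "192.168.1.10", 50000),
                Packet("ICMP", "210.168.219.45", None, "192.168.1.45", None)):
        print("WAN->LAN", pkt, incoming_verdict(INCOMING, pkt))
```

Running it shows the mask caveat from both example sets: 192.168.1.200 is dropped by Out_Filter1 and 210.168.1.1 is accepted by In_Filter1, because the /24 and /16 masks make those rules match the whole subnet rather than the single host that was typed in, while the ICMP packet is dropped because no incoming rule covers ICMP.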
MAC Layer Filtering:
These rules filter traffic at Layer 2. MAC Filtering is only effective on ATM PVCs configured in Bridge mode. After a Bridge mode PVC is created, navigate to Advanced Setup -> Security -> MAC Filtering web page.
Global Policy: When set to Forwarded, the default behaviour is to forward all MAC layer frames except those matched by a rule, which are dropped. When set to Blocked, the default behaviour is to drop all MAC layer frames except those matched by a rule, which are forwarded. A rule is therefore always an exception to the Global Policy, and changing the policy inverts the effect of every existing rule on that interface.
To set up a rule:
Protocol Type: One of PPPoE, IPv4, IPv6, AppleTalk, IPX, NetBEUI or IGMP.
Destination MAC Address: Of the form XX:XX:XX:XX:XX:XX. Frames with this destination address are dropped when the Global Policy is Forwarded and forwarded when the Global Policy is Blocked.
Source MAC Address: Of the form XX:XX:XX:XX:XX:XX. Frames with this source address are dropped when the Global Policy is Forwarded and forwarded when the Global Policy is Blocked.
Frame Direction:
LAN <=> WAN --> All frames in either direction, LAN to WAN or WAN to LAN.
WAN => LAN --> All frames coming from the WAN destined to the LAN.
LAN => WAN --> All frames coming from the LAN destined to the WAN.
The user must also select the interface on which the rule is applied.
Examples:
1.
Global Policy: Forwarded
Protocol Type: PPPoE
Dest. MAC Addr: 00:12:34:56:78:90
Source MAC Addr: NA
Frame Direction: LAN => WAN
WAN Interface Selected: br_0_34/nas_0_34
Adding this rule drops all PPPoE frames going from the LAN side to the WAN side on the br_0_34 WAN interface with a Dest. MAC Addr. of 00:12:34:56:78:90, irrespective of their Source MAC Addr. All other frames on this interface are forwarded.
2.
Global Policy: Blocked
Protocol Type: PPPoE
Dest. MAC Addr: 00:12:34:56:78:90
Source MAC Addr: 00:34:12:78:90:56
Frame Direction: WAN => LAN
WAN Interface Selected: br_0_34/nas_0_34
Adding this rule forwards all PPPoE frames going from the WAN side to the LAN side on the br_0_34 WAN interface with a Dest. MAC Addr. of 00:12:34:56:78:90 and a Source MAC Addr. of 00:34:12:78:90:56. All other frames on this interface are dropped, including every non-PPPoE frame.
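The Global Policy inversion is the part of MAC filtering that is easiest to get wrong, so here is an added Python model of the MAC rule semantics described above. It is not code from this manual or from the device firmware; it reproduces only the documented behaviour (protocol type, optional destination and source MAC, frame direction including LAN <=> WAN, the selected interface, and the rule acting as an exception to the Global Policy). The two rules are the examples above; the frames are constructed, and the interface name format "br_0_34" is taken from the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the MAC filtering semantics described in this appendix:
# the Global Policy sets the default verdict for a bridge interface and every
# rule is an exception to it, so the same rule drops under "Forwarded" and
# forwards under "Blocked". Illustrative code only, not the device firmware;
# the frames below are made up.


@dataclass(frozen=True)
class Frame:
    interface: str      # bridge WAN interface the frame crosses, e.g. "br_0_34"
    protocol: str       # "PPPoE", "IPv4", "IPv6", "AppleTalk", "IPX", "NetBEUI" or "IGMP"
    src_mac: str
    dst_mac: str
    direction: str      # "LAN=>WAN" or "WAN=>LAN"


@dataclass(frozen=True)
class MACFilter:
    interface: str
    protocol: str
    direction: str                   # "LAN<=>WAN", "LAN=>WAN" or "WAN=>LAN"
    dst_mac: Optional[str] = None    # a field shown as NA on the page is None
    src_mac: Optional[str] = None


def _same_mac(a: str, b: str) -> bool:
    # Compare case-insensitively and accept the 00-12-34-... spelling too.
    return a.replace("-", ":").lower() == b.replace("-", ":").lower()


def mac_matches(rule: MACFilter, frame: Frame) -> bool:
    """True if the frame satisfies every populated field of the rule."""
    if rule.interface != frame.interface or rule.protocol != frame.protocol:
        return False
    # "LAN<=>WAN" covers both directions; the others must match exactly.
    if rule.direction != "LAN<=>WAN" and rule.direction != frame.direction:
        return False
    if rule.dst_mac is not None and not _same_mac(rule.dst_mac, frame.dst_mac):
        return False
    if rule.src_mac is not None and not _same_mac(rule.src_mac, frame.src_mac):
        return False
    return True


def mac_verdict(global_policy: str, rules: List[MACFilter], frame: Frame) -> str:
    """Return "FORWARD" or "DROP" for the frame under the given Global Policy."""
    if global_policy == "Forwarded":
        default, exception = "FORWARD", "DROP"
    elif global_policy == "Blocked":
        default, exception = "DROP", "FORWARD"
    else:
        raise ValueError(f"unknown Global Policy: {global_policy!r}")
    return exception if any(mac_matches(r, frame) for r in rules) else default


# The two example rules from this appendix.
EXAMPLE1_RULE = MACFilter("br_0_34", "PPPoE", "LAN=>WAN", dst_mac="00:12:34:56:78:90")
EXAMPLE2_RULE = MACFilter("br_0_34", "PPPoE", "WAN=>LAN",
                          dst_mac="00:12:34:56:78:90", src_mac="00:34:12:78:90:56")

if __name__ == "__main__":
    # Constructed frames.
    lan_to_wan = Frame("br_0_34", "PPPoE", "00:aa:bb:cc:dd:ee", "00:12:34:56:78:90", "LAN=>WAN")
    wan_to_lan = Frame("br_0_34", "PPPoE", "00:34:12:78:90:56", "00:12:34:56:78:90", "WAN=>LAN")
    print("Forwarded policy, example 1 rule:", mac_verdict("Forwarded", [EXAMPLE1_RULE], lan_to_wan))
    print("Blocked policy, example 2 rule:  ", mac_verdict("Blocked", [EXAMPLE2_RULE], wan_to_lan))
    # Flipping only the Global Policy inverts the verdict for the very same frame.
    print("Blocked policy, example 1 rule:  ", mac_verdict("Blocked", [EXAMPLE1_RULE], lan_to_wan))
```

The last line of the run is the point of the model: the example 1 rule that drops a frame under Forwarded forwards that identical frame under Blocked, and with the policy set to Blocked every frame not matched by some rule, PPPoE or otherwise, is dropped on that bridge.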
