Vigor2710 Series User’s Guide
134
Enable Open Ports - Check to enable this entry.
Comment - Give the defined network application/service a name.
WAN IP - Specify the WAN IP address that will be used for this entry. This setting is available only when WAN IP Alias is configured.
Local Computer - Enter the private IP address of the local host, or click Choose PC to select one.
Choose PC - Click this button and a window listing the private IP addresses of the local hosts pops up. Select the appropriate IP address of the local host from the list.
Protocol - Specify the transport layer protocol: TCP, UDP, or ----- (none).
Start Port - Specify the starting port number of the service offered by the local host.
End Port - Specify the ending port number of the service offered by the local host.
4.4 Firewall
4.4.1 Basics for Firewall
While broadband users demand more bandwidth for multimedia, interactive applications, or distance learning, security has always been the greatest concern. The firewall of the Vigor router helps protect your local network against attacks from unauthorized outsiders. It can also restrict users on the local network from accessing the Internet. Furthermore, it can filter out specific packets that would otherwise trigger the router to build an unwanted outgoing connection.
Firewall Facilities
Users on the LAN are protected by the following firewall facilities:
• User-configurable IP filter (Call Filter / Data Filter).
• Stateful Packet Inspection (SPI): tracks packets and denies unsolicited incoming data.
• Selectable Denial of Service (DoS) / Distributed DoS (DDoS) attack protection.
IP Filters
Depending on whether there is an existing Internet connection, in other words whether "the WAN link status is up or down", the IP filter architecture categorizes traffic into two classes: Call Filter and Data Filter.
• Call Filter - When there is no existing Internet connection, the Call Filter is applied to all traffic, all of which must be outgoing. It checks each packet against the filter rules. If the packet is legal, it passes; the router then "initiates a call" to build the Internet connection and sends the packet to the Internet.
• Data Filter - When there is an existing Internet connection, the Data Filter is applied to both incoming and outgoing traffic. It checks each packet against the filter rules. If the packet is legal, it passes through the router.
The following illustrations are flow charts explaining how the router treats incoming traffic and outgoing traffic respectively.
Stateful Packet Inspection (SPI)
Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines a packet based only on the information in its header, stateful inspection builds a state machine to track each connection traversing all interfaces of the firewall and makes sure they are valid. The stateful firewall of the Vigor router not only examines the header information but also monitors the state of the connection.
Denial of Service (DoS) Defense
The DoS Defense functionality helps you detect and mitigate DoS attacks. Such attacks are usually categorized into two types: flooding-type attacks and vulnerability attacks. Flooding-type attacks attempt to exhaust all of your system's resources, while vulnerability attacks try to paralyze the system by exploiting vulnerabilities in the protocol or operating system.
The DoS Defense function enables the Vigor router to inspect every incoming packet against its attack signature database. Any malicious packet that might duplicate itself to paralyze a host in the secure LAN is strictly blocked, and a Syslog message is sent as a warning if you have set up a Syslog server.
The Vigor router also monitors the traffic. Any abnormal traffic flow that violates a pre-defined parameter, such as exceeding a configured threshold, is identified as an attack, and the Vigor router activates its defense mechanism to mitigate it in real time.
The DoS/DDoS defense function can detect the following attack types:
1. SYN flood attack
2. UDP flood attack
3. ICMP flood attack
4. Port Scan attack
5. IP options
6. Land attack
7. Smurf attack
8. Trace route
9. SYN fragment
10. Fraggle attack
11. TCP flag scan
12. Tear drop attack
13. Ping of Death attack
14. ICMP fragment
15. Unknown protocol
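As an added illustration (not DrayTek code), the following Python monitor shows the threshold-based traffic monitoring described above for two of the listed attack types, SYN flood and Port Scan: it counts pure SYNs per destination and distinct ports per source inside a sliding one-second window and emits syslog-style warnings once a threshold is exceeded. The thresholds, class names and the packet log are constructed for the example.

```python
# Added example, not DrayTek code: a sliding-window threshold monitor in the
# spirit of the DoS Defense description above. It counts TCP SYNs per
# destination and distinct destination ports per source inside a one-second
# window and produces syslog-style warnings once a threshold is exceeded.
# Thresholds, names and the packet log below are constructed for illustration.
from collections import defaultdict, deque

SYN_FLOOD_THRESHOLD = 5   # SYNs to one destination per window (constructed)
PORT_SCAN_THRESHOLD = 4   # distinct ports probed by one source per window (constructed)
WINDOW = 1.0              # seconds

class DosMonitor:
    def __init__(self):
        self.syns = defaultdict(deque)    # dst -> timestamps of pure SYNs
        self.ports = defaultdict(deque)   # src -> (timestamp, dport) pairs
        self.alerts = []                  # every warning raised so far

    @staticmethod
    def _expire(q, now, key=lambda e: e):
        # Drop queue entries older than WINDOW relative to the current packet.
        while q and now - key(q[0]) > WINDOW:
            q.popleft()

    def observe(self, ts, src, dst, dport, flags):
        """Feed one packet (ts in seconds); return the warnings it triggered."""
        raised = []
        if "S" in flags and "A" not in flags:          # pure SYN, not SYN/ACK
            q = self.syns[dst]
            q.append(ts)
            self._expire(q, ts)
            if len(q) > SYN_FLOOD_THRESHOLD:
                raised.append(f"SYN flood attack: {len(q)} SYNs/s to {dst}")
        q = self.ports[src]
        q.append((ts, dport))
        self._expire(q, ts, key=lambda e: e[0])
        distinct = {p for _, p in q}
        if len(distinct) > PORT_SCAN_THRESHOLD:
            raised.append(f"Port Scan attack: {src} probed {len(distinct)} ports")
        self.alerts.extend(raised)
        return raised

def run_sample():
    """Constructed packet log: a SYN burst at one host, then a port sweep."""
    mon = DosMonitor()
    log = [(0.1 * i, "198.51.100.9", "192.168.1.20", 80, "S") for i in range(7)]
    log += [(2.0 + 0.05 * i, "203.0.113.4", "192.168.1.20", 20 + i, "S") for i in range(5)]
    for pkt in log:
        mon.observe(*pkt)
    return mon.alerts
```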
The menu items for Firewall are shown below.
4.4.2 General Setup
General Setup allows you to adjust the settings of the IP Filter and the common options. Here you can enable or disable the Call Filter or the Data Filter. Under some circumstances your filter sets can be linked to work in a serial manner, so here you assign only the Start Filter Set. You can also configure the Log Flag settings, Apply IP filter to VPN incoming packets, and Accept incoming fragmented UDP packets.
Click Firewall and then General Setup to open the general setup page.
Call Filter - Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter.
Data Filter - Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter.
Accept large incoming… - Some on-line games (for example, Half Life) use many fragmented UDP packets to transfer game data. As a secure firewall, the Vigor router rejects these fragmented packets to prevent attacks unless you enable "Accept large incoming fragmented UDP or ICMP Packets". By checking this box you can play these kinds of on-line games. If security is the higher priority, you should not enable "Accept large incoming fragmented UDP or ICMP Packets".
Enable Strict Security Firewall - Check the box to enable this function. When it is enabled, every packet transmitted through the Vigor router is filtered by the firewall settings configured on the router. If the firewall system returns no response (pass or block) for a packet, for example because no response came back from the web content filter, the router's firewall blocks the packet directly.
Default Rule Page
This page allows you to choose filtering profiles, including QoS, Load-Balance policy, WCF, APP Enforcement and URL Content Filter, for data transmitted via the Vigor router.
Filter - Select Pass or Block for packets that do not match the filter rules.
Sessions Control - The number typed here is the total number of sessions allowed for packets that do not match the filter rules configured on this page. The default setting is 12000.
Quality of Service - Choose one of the QoS rules to be applied as the firewall rule. For detailed information on setting up QoS, please refer to the related section later.
Load-Balance Policy - Choose the WAN interface to which the Load-Balance Policy is applied.