Vigor2800 Series User’s Guide

50

immediately.

Pass Immediately -

Packets matching the rule will be passed

immediately.

Block If No Further Match -

A packet matching the rule, and that

does not match further rules, will be dropped.

Pass If No Further Match -

A packet matching the rule, and that

does not match further rules, will be passed through.

Branch to other Filter

Set

If the packet matches the filter rule, the next filter rule will branch

to the specified filter set. Select next filter rule to branch from the

drop-down menu.

Log

Check this box to enable the log function. Use the Telnet command

log-f

to view the logs.

Direction

Set the direction of packet flow. It is for

Data Filter

only. For the

Call Filter

, this setting is not available since

Call Filter

is only

applied to outgoing traffic.

Protocol

Specify the protocol(s) which this filter rule will apply to.

IP Address

Specify a source and destination IP address for this filter rule to

apply to. Place the symbol “!” before a specific IP Address will

prevent this rule from being applied to that IP address. To apply the

rule to all IP address, enter

any

or leave the field blank.

Subnet Mask

Select the

Subnet Mask

for the IP Address column for this filter

rule to apply from the drop-down menu.

Operator, Start Port

and End Port

The operator column specifies the port number settings. If the

Start

Port

is empty, the

Start Port

and the

End Port

column will be

ignored. The filter rule will filter out any port number.

(=)

If the End Port is empty, the filter rule will set the port

number to be the value of the Start Port. Otherwise, the port

number ranges between the Start Port and the End Port (including

the Start Port and the End Port).

(!=)

If the End Port is empty, the port number is not equal to the

value of the Start Port. Otherwise, this port number is not between

the Start Port and the End Port (including the Start Port and End

Port).

(>)

Specify the port number is larger than the Start Port (includes

the Start Port).

(<)

Specify the port number is less than the Start Port (includes the

Start Port).

Keep State

This function should work along with Direction, Protocol, IP

address, Subnet Mask, Operator, Start Port and End Port settings. It

is used for Data Filter only.

Keep State is in the same nature of modern term Stateful Packet

Inspection. It tracks packets, and accept the packets with

appropriate characteristics showing its state is legal as the protocol

defines. It will deny unsolicited incoming data. You may select

protocols from any, TCP, UDP, TCP/UDP, ICMP and IGMP.

Fragments

Specify the action for fragmented packets. And it is used for

Data

Filter

only.

Don’t care -

No action will be taken towards fragmented packets.

Unfragmented -

Apply the rule to unfragmented packets.

Vigor2800 Series User’s Guide

51

Fragmented -

Apply the rule to fragmented packets.

Too Short -

Apply the rule only to packets that are too short to

contain a complete header.

Example

As stated before, all the traffic will be separated and arbitrated using on of two IP filters: call

filter or data filter. You may preset 12 call filters and data filters in

Filter Setup

and even

link them in a serial manner. Each filter set is composed by 7 filter rules, which can be

further defined. After that, in

General Setup

you may specify one set for call filter and one

set for data filter to execute first.

Vigor2800 Series User’s Guide

52

3.4.4 IM Blocking

IM Blocking means instant messenger blocking.

Click

Firewall

and click

IM Blocking

to

open the setup page. You will see a list of common IM (such as MSN, Yahoo, ICQ/AQL)

applications. Check

Enable IM Blocking

and select the one(s) that you want to block. To

block selected IM applications during specific periods, enter the number of the scheduler

predefined in

Applications>>Call Schedule

.

3.4.5 P2P Blocking

P2P is the short name of peer to peer. Click

Firewall

and click

P2P Blocking

to open the

setup page. You will see a list of common P2P applications. Check

Enable P2P Blocking

and

select the one(s) to block. To block selected P2P applications during specific periods, enter the

number of the scheduler predefined in

Applications>>Schedule

.

Action

Specify the action for each protocol.

Allow –

Allow the client to access into the application through the

specified protocol.

Disallow –

Forbid the client to access into the application through the

specified protocol.

Disallow upload –

Forbid the client to access into the application through

the specified protocol for downloading. Yet uploading is allowed.

Vigor2800 Series User’s Guide

53

3.4.6 DoS Defense

As a sub-functionality of IP Filter/Firewall, there are 15 types of detect/ defense function in

the

DoS Defense

setup. The DoS Defense functionality is disabled for default.

Click

Firewall

and click

DoS Defense

to open the setup page.

Enable Dos Defense

Check the box to activate the DoS Defense Functionality.

Enable SYN flood

defense

Check the box to activate the SYN flood defense function. Once

detecting the Threshold of the TCP SYN packets from the Internet

has exceeded the defined value, the Vigor router will start to

randomly discard the subsequent TCP SYN packets for a period

defined in Timeout. The goal for this is prevent the TCP SYN

packets’ attempt to exhaust the limited-resource of Vigor router.

By default, the threshold and timeout values are set to 50 packets

per second and 10 seconds, respectively.

Enable UDP flood

defense

Check the box to activate the UDP flood defense function. Once

detecting the Threshold of the UDP packets from the Internet has

exceeded the defined value, the Vigor router will start to randomly

discard the subsequent UDP packets for a period defined in

Timeout. The default setting for threshold and timeout are 150

packets per second and 10 seconds, respectively.

Enable ICMP flood

defense

Check the box to activate the ICMP flood defense function. Similar

to the UDP flood defense function, once if the Threshold of ICMP

packets from Internet has exceeded the defined value, the router

will discard the ICMP echo requests coming from the Internet. The

default setting for threshold and timeout are 50 packets per second

and 10 seconds, respectively.

Enable PortScan

detection

Port Scan attacks the Vigor router by sending lots of packets to

many ports in an attempt to find ignorant services would respond.

Check the box to activate the Port Scan detection. Whenever

Vigor2800 Series User’s Guide

54

detecting this malicious exploration behavior by monitoring the

port-scanning Threshold rate, the Vigor router will send out a

warning. By default, the Vigor router sets the threshold as 150

packets per second.

Block IP options

Check the box to activate the Block IP options function. The Vigor

router will ignore any IP packets with IP option field in the

datagram header. The reason for limitation is IP option appears to

be a vulnerability of the security for the LAN because it will carry

significant information, such as security, TCC (closed user group)

parameters, a series of Internet addresses, routing messages...etc.

An eavesdropper outside might learn the details of your private

networks.

Block Land

Check the box to enforce the Vigor router to defense the Land

attacks. The Land attack combines the SYN attack technology with

IP spoofing. A Land attack occurs when an attacker sends spoofed

SYN packets with the identical source and destination addresses, as

well as the port number to victims.

Block Smurf

Check the box to activate the Block Smurf function. The Vigor

router will ignore any broadcasting ICMP echo request.

Block trace router

Check the box to enforce the Vigor router not to forward any trace

route packets.

Block SYN fragment

Check the box to activate the Block SYN fragment function. The

Vigor router will drop any packets having SYN flag and more

fragment bit set.

Block Fraggle Attack

Check the box to activate the Block fraggle Attack function. Any

broadcast UDP packets received from the Internet is blocked.

Activating the DoS/DDoS defense functionality might block some

legal packets. For example, when you activate the fraggle attack

defense, all broadcast UDP packets coming from the Internet are

blocked. Therefore, the RIP packets from the Internet might be

dropped.

Block TCP flag scan

Check the box to activate the Block TCP flag scan function. Any

TCP packet with anomaly flag setting is dropped. Those scanning

activities include

no flag scan

,

FIN without ACK scan

,

SYN FINscan

,

Xmas scan

and

full Xmas scan

.

Block Tear Drop

Check the box to activate the Block Tear Drop function. Many

machines may crash when receiving ICMP datagrams (packets) that

exceed the maximum length. To avoid this type of attack, the Vigor

router is designed to be capable of discarding any fragmented ICMP

packets with a length greater than 1024 octets.

Block Ping of Death

Check the box to activate the Block Ping of Death function. This

attack involves the perpetrator sending overlapping packets to the

target hosts so that those target hosts will hang once they

re-construct the packets. The Vigor routers will block any packets

realizing this attacking activity.

Block ICMP Fragment

Check the box to activate the Block ICMP fragment function. Any

ICMP packets with more fragment bit set are dropped.

Block Land

Check the box to enforce the Vigor router to defense the Land

attacks. The Land attack combines the SYN attack technology with