Page 56 / 202
Vigor2800 Series User’s Guide
50
immediately.
Pass Immediately - Packets matching the rule will be passed immediately.
Block If No Further Match - A packet matching the rule, and that does not match further rules, will be dropped.
Pass If No Further Match - A packet matching the rule, and that does not match further rules, will be passed through.

Branch to other Filter Set
If the packet matches the filter rule, the next filter rule will branch to the specified filter set. Select the next filter rule to branch to from the drop-down menu.

Log
Check this box to enable the log function. Use the Telnet command log-f to view the logs.

Direction
Set the direction of packet flow. It is for the Data Filter only. For the Call Filter, this setting is not available, since the Call Filter is only applied to outgoing traffic.

Protocol
Specify the protocol(s) which this filter rule will apply to.

IP Address
Specify a source and destination IP address for this filter rule to apply to. Placing the symbol "!" before a specific IP address will prevent this rule from being applied to that IP address. To apply the rule to all IP addresses, enter any or leave the field blank.

Subnet Mask
Select the Subnet Mask for the IP Address column for this filter rule to apply from the drop-down menu.

Operator, Start Port and End Port
The operator column specifies the port number settings. If the Start Port is empty, the Start Port and End Port columns will be ignored and the filter rule will apply to any port number.
(=) If the End Port is empty, the filter rule will set the port number to be the value of the Start Port. Otherwise, the port number ranges between the Start Port and the End Port (including the Start Port and the End Port).
(!=) If the End Port is empty, the port number is not equal to the value of the Start Port. Otherwise, the port number is not between the Start Port and the End Port (including the Start Port and the End Port).
(>) The port number is larger than the Start Port (including the Start Port).
(<) The port number is less than the Start Port (including the Start Port).

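Added example, not code from the guide or from DrayTek: the Python below models the IP Address column (with the "!" exclusion and "any"), the Subnet Mask, and the four port operators exactly as the two descriptions above state them, then evaluates a constructed rule against constructed packet summaries. Field names such as src_ip and dst_op are assumptions made for the example.

```python
import ipaddress

def ip_matches(spec: str, mask: str, addr: str) -> bool:
    """Match one IP Address column: 'any'/blank matches all, a leading
    '!' excludes the address, the Subnet Mask widens it to a network."""
    spec = spec.strip()
    if spec in ("", "any"):
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    net = ipaddress.ip_network(f"{spec}/{mask}", strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit

def port_matches(op: str, start: str, end: str, port: int) -> bool:
    """Apply the Operator / Start Port / End Port semantics from the table."""
    if start.strip() == "":
        return True                 # empty Start Port: any port number
    lo = int(start)
    hi = int(end) if end.strip() else lo   # empty End Port: single port
    if op == "=":
        return lo <= port <= hi     # range is inclusive at both ends
    if op == "!=":
        return not (lo <= port <= hi)
    if op == ">":
        return port >= lo           # "larger than" includes the Start Port
    if op == "<":
        return port <= lo           # "less than" includes the Start Port
    raise ValueError(f"unknown operator {op!r}")

def rule_matches(rule: dict, pkt: dict) -> bool:
    """Evaluate the protocol, address and port columns of a constructed rule."""
    if rule["protocol"] not in ("any", pkt["protocol"]):
        return False
    return (ip_matches(rule["src_ip"], rule["src_mask"], pkt["src_ip"])
            and ip_matches(rule["dst_ip"], rule["dst_mask"], pkt["dst_ip"])
            and port_matches(rule["dst_op"], rule["dst_start"], rule["dst_end"], pkt["dst_port"]))

# Constructed rule: TCP from any host except 192.168.1.10 to the LAN /24
# on ports 1024-65535 (the kind of rule an administrator might log).
RULE = {"protocol": "TCP", "src_ip": "!192.168.1.10", "src_mask": "255.255.255.255",
        "dst_ip": "192.168.1.0", "dst_mask": "255.255.255.0",
        "dst_op": "=", "dst_start": "1024", "dst_end": "65535"}
```
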
Keep State
This function should work along with the Direction, Protocol, IP Address, Subnet Mask, Operator, Start Port and End Port settings. It is used for the Data Filter only.
Keep State is the same in nature as the modern term Stateful Packet Inspection. It tracks packets, and accepts packets whose characteristics show that their state is legal as the protocol defines. It will deny unsolicited incoming data. You may select protocols from any, TCP, UDP, TCP/UDP, ICMP and IGMP.

Fragments
Specify the action for fragmented packets. It is used for the Data Filter only.
Don't care - No action will be taken towards fragmented packets.
Unfragmented - Apply the rule to unfragmented packets.
Fragmented - Apply the rule to fragmented packets.
Too Short - Apply the rule only to packets that are too short to contain a complete header.

Example
As stated before, all the traffic will be separated and arbitrated using one of two IP filters: the call filter or the data filter. You may preset 12 call filters and data filters in Filter Setup and even link them in a serial manner. Each filter set is composed of 7 filter rules, which can be further defined. After that, in General Setup you may specify one set for the call filter and one set for the data filter to execute first.

Page 58 / 202
Vigor2800 Series User’s Guide
52
3.4.4 IM Blocking
IM Blocking means instant messenger blocking. Click Firewall and click IM Blocking to open the setup page. You will see a list of common IM applications (such as MSN, Yahoo, ICQ/AOL). Check Enable IM Blocking and select the one(s) that you want to block. To block the selected IM applications during specific periods, enter the number of the scheduler predefined in Applications>>Call Schedule.

3.4.5 P2P Blocking
P2P is the short name of peer to peer. Click Firewall and click P2P Blocking to open the setup page. You will see a list of common P2P applications. Check Enable P2P Blocking and select the one(s) to block. To block the selected P2P applications during specific periods, enter the number of the scheduler predefined in Applications>>Schedule.

Action
Specify the action for each protocol.
Allow - Allow the client to access the application through the specified protocol.
Disallow - Forbid the client to access the application through the specified protocol.
Disallow upload - Forbid the client to access the application through the specified protocol for downloading. Uploading is still allowed.

3.4.6 DoS Defense
As a sub-functionality of IP Filter/Firewall, there are 15 types of detection/defense functions in the DoS Defense setup. The DoS Defense functionality is disabled by default. Click Firewall and click DoS Defense to open the setup page.

Enable DoS Defense
Check the box to activate the DoS Defense functionality.

Enable SYN flood defense
Check the box to activate the SYN flood defense function. Once the rate of TCP SYN packets from the Internet has exceeded the defined Threshold value, the Vigor router will start to randomly discard the subsequent TCP SYN packets for the period defined in Timeout. The goal is to prevent the TCP SYN packets from exhausting the limited resources of the Vigor router. By default, the threshold and timeout values are set to 50 packets per second and 10 seconds, respectively.

Enable UDP flood defense
Check the box to activate the UDP flood defense function. Once the rate of UDP packets from the Internet has exceeded the defined Threshold value, the Vigor router will start to randomly discard the subsequent UDP packets for the period defined in Timeout. The default settings for threshold and timeout are 150 packets per second and 10 seconds, respectively.

Enable ICMP flood defense
Check the box to activate the ICMP flood defense function. Similar to the UDP flood defense function, once the rate of ICMP packets from the Internet has exceeded the defined Threshold value, the router will discard the ICMP echo requests coming from the Internet. The default settings for threshold and timeout are 50 packets per second and 10 seconds, respectively.

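Added example (not the router's firmware or DrayTek code) modelling the threshold/timeout behaviour shared by the SYN, UDP and ICMP flood defenses above: a one-second sliding window counts arrivals, and once the count exceeds the threshold, later packets are randomly discarded until the timeout expires. The discard ratio drop_prob and the traffic timings are constructed assumptions, since the guide only says the router discards packets randomly.

```python
import random
from collections import deque

class FloodDefense:
    """Threshold/timeout limiter in the style of the SYN, UDP and ICMP flood
    defenses above (added example, not DrayTek code).

    threshold: packets per second above which the defense triggers
    timeout:   seconds during which later packets are randomly discarded
    drop_prob: assumed discard ratio; the guide only says "randomly discard"
    """

    def __init__(self, threshold=50, timeout=10, drop_prob=0.5, seed=0):
        self.threshold = threshold
        self.timeout = timeout
        self.drop_prob = drop_prob
        self.rng = random.Random(seed)  # seeded so runs are reproducible
        self.window = deque()           # arrival times in the last second
        self.blocked_until = None       # end of the current discard period
        self.triggered = 0              # how many times the threshold tripped

    def packet(self, t: float) -> bool:
        """Return True if the packet arriving at time t is passed, False if dropped."""
        self.window.append(t)
        while self.window[0] <= t - 1.0:      # slide the one-second window
            self.window.popleft()
        if self.blocked_until is not None and t < self.blocked_until:
            return self.rng.random() >= self.drop_prob
        self.blocked_until = None             # timeout expired: normal mode
        if len(self.window) > self.threshold:
            self.triggered += 1
            self.blocked_until = t + self.timeout
            return self.rng.random() >= self.drop_prob
        return True

def simulate(defense: FloodDefense, times) -> tuple:
    """Feed constructed arrival times; return (passed, dropped) counts."""
    passed = sum(1 for t in times if defense.packet(t))
    return passed, len(times) - passed

# Constructed traffic: 20 packets/s for 3 s (normal), then 200 packets
# within one second starting at t = 10 s (a flood).
NORMAL = [i * 0.05 for i in range(60)]
BURST = [10.0 + i * 0.005 for i in range(200)]
```

With drop_prob set to 1.0 the behaviour is fully deterministic: the first 50 packets of the burst pass, the 51st trips the threshold, and the remaining 149 are discarded until the 10-second timeout ends.
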
Enable PortScan detection
A port scan attacks the Vigor router by sending lots of packets to many ports in an attempt to find services that would respond. Check the box to activate the Port Scan detection. Whenever it detects this malicious exploration behavior by monitoring the port-scanning Threshold rate, the Vigor router will send out a warning. By default, the Vigor router sets the threshold to 150 packets per second.

Block IP options
Check the box to activate the Block IP options function. The Vigor router will ignore any IP packets with an IP option field in the datagram header. The reason for this limitation is that the IP option appears to be a security vulnerability for the LAN, because it can carry significant information, such as security and TCC (closed user group) parameters, a series of Internet addresses, routing messages, etc. An eavesdropper outside might learn the details of your private networks.

Block Land
Check the box to make the Vigor router defend against Land attacks. The Land attack combines the SYN attack technique with IP spoofing. A Land attack occurs when an attacker sends spoofed SYN packets with identical source and destination addresses, as well as identical port numbers, to victims.

Block Smurf
Check the box to activate the Block Smurf function. The Vigor router will ignore any broadcast ICMP echo request.

Block trace route
Check the box to make the Vigor router not forward any trace route packets.

Block SYN fragment
Check the box to activate the Block SYN fragment function. The Vigor router will drop any packets having both the SYN flag and the More Fragments bit set.

Block Fraggle Attack
Check the box to activate the Block Fraggle Attack function. Any broadcast UDP packets received from the Internet are blocked.
Activating the DoS/DDoS defense functionality might block some legal packets. For example, when you activate the Fraggle attack defense, all broadcast UDP packets coming from the Internet are blocked. Therefore, RIP packets from the Internet might be dropped.

Block TCP flag scan
Check the box to activate the Block TCP flag scan function. Any TCP packet with an anomalous flag setting is dropped. Those scanning activities include no flag scan, FIN without ACK scan, SYN FIN scan, Xmas scan and full Xmas scan.

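Added example, not DrayTek code: a classifier for the five flag combinations listed under Block TCP flag scan, reading the flag byte from a raw TCP header. The exact bit patterns behind each name are assumed to be the conventional ones, since the guide does not define them; the headers fed to it are constructed.

```python
import struct

# TCP flag bits: byte 13 of the header, low six bits (assumption: conventional layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def flags_from_tcp_header(header: bytes) -> int:
    """Return the six flag bits from a raw TCP header (offset 13)."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return header[13] & 0x3F

def classify_tcp_flags(flags: int):
    """Name the scan pattern a flag combination corresponds to, or None.

    The five names are those listed under Block TCP flag scan. The bit
    patterns are the conventional definitions (assumption: the guide does
    not spell them out). Order matters: the most specific pattern first.
    """
    if flags == 0:
        return "no flag scan"
    if flags == FIN | SYN | RST | PSH | ACK | URG:
        return "full Xmas scan"
    if flags == FIN | PSH | URG:
        return "Xmas scan"
    if flags & SYN and flags & FIN:
        return "SYN FIN scan"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK scan"
    return None

def build_tcp_header(flags: int, sport=40000, dport=80) -> bytes:
    """Constructed 20-byte TCP header with the given flags (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def filter_segments(headers):
    """Run Block TCP flag scan over raw headers; return the drop reason for
    each segment in order (None means the segment is passed)."""
    return [classify_tcp_flags(flags_from_tcp_header(h)) for h in headers]
```
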
Block Tear Drop
Check the box to activate the Block Tear Drop function. Many machines may crash when receiving ICMP datagrams (packets) that exceed the maximum length. To avoid this type of attack, the Vigor router is designed to be capable of discarding any fragmented ICMP packets with a length greater than 1024 octets.

Block Ping of Death
Check the box to activate the Block Ping of Death function. This attack involves the perpetrator sending overlapping packets to the target hosts so that those target hosts will hang once they reconstruct the packets. The Vigor router will block any packets exhibiting this attack activity.

Block ICMP Fragment
Check the box to activate the Block ICMP Fragment function. Any ICMP packets with the More Fragments bit set are dropped.