Page 276 / 351
Stateful Inspection
Stateful inspection options are accessed by the security state-insp tag.

set security state-insp [ ip-ppp | dsl ] vcc n option [ off | on ]
set security state-insp ethernet [ A | B ] option [ off | on ]
Sets the stateful inspection option off or on on the specified interface. This option is disabled by default. Stateful inspection prevents unsolicited inbound access when NAT is disabled.

set security state-insp [ ip-ppp | dsl ] vcc n default-mapping [ off | on ]
set security state-insp ethernet [ A | B ] default-mapping [ off | on ]
Sets the stateful inspection default mapping to router option off or on on the specified interface.

set security state-insp [ ip-ppp | dsl ] vcc n tcp-seq-diff [ 0 - 65535 ]
set security state-insp ethernet [ A | B ] tcp-seq-diff [ 0 - 65535 ]
Sets the acceptable TCP sequence number difference on the specified interface. The maximum allowed value is 65535. If tcp-seq-diff is 0, this check is disabled.

set security state-insp [ ip-ppp | dsl ] vcc n deny-fragments [ off | on ]
set security state-insp ethernet [ A | B ] deny-fragments [ off | on ]
Sets whether fragmented packets are allowed to be received on the specified interface.

set security state-insp tcp-timeout [ 30 - 65535 ]
Sets the stateful inspection TCP timeout interval, in seconds.
CONFIG Commands
set security state-insp udp-timeout [ 30 - 65535 ]
Sets the stateful inspection UDP timeout interval, in seconds.

set security state-insp xposed-addr exposed-address# "n"
Allows you to add an entry to the specified list, or, if the list does not exist, creates the list for the stateful inspection feature. xposed-addr settings only apply if NAT is off.
Example:
set security state-insp xposed-addr exposed-address# (?): 32
32 has been added to the xposed-addr list.
Sets the exposed list address number.

set security state-insp xposed-addr exposed-address# "n" start-ip ip_address
Sets the exposed list range starting IP address, in dotted quad format.

set security state-insp xposed-addr exposed-address# "n" end-ip ip_address
Sets the exposed list range ending IP address, in dotted quad format.
32 exposed addresses can be created. The range for exposed address numbers is from 1 through 32.

set security state-insp xposed-addr exposed-address# "n" protocol [ tcp | udp | both | any ]
Sets the protocol for the stateful inspection feature for the exposed address list. Accepted values for protocol are tcp, udp, both, or any.
If protocol is not any, you can set port ranges:
set security state-insp xposed-addr exposed-address# "n" start-port [ 1 - 65535 ]
set security state-insp xposed-addr exposed-address# "n" end-port [ 1 - 65535 ]
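As an added example (not from the manual, and not the router's own code), the following Python validates an xposed-addr entry against the constraints documented above (entry number 1 through 32, dotted-quad start and end addresses, the four accepted protocol values, and 1-65535 port ranges only when protocol is not any) and renders it as the CLI lines. The class and function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTOCOLS = ("tcp", "udp", "both", "any")  # accepted values for protocol, per the manual


@dataclass
class ExposedAddress:
    """One xposed-addr entry; fields are named after the CLI keywords (example model)."""
    number: int                        # exposed-address#, must be 1..32
    start_ip: str                      # start-ip, dotted quad
    end_ip: str                        # end-ip, dotted quad
    protocol: str = "any"
    start_port: Optional[int] = None   # only valid when protocol is not any
    end_port: Optional[int] = None

    def validate(self) -> None:
        """Raise ValueError on anything the documented syntax does not allow."""
        if not 1 <= self.number <= 32:
            raise ValueError("exposed-address# must be between 1 and 32")
        lo, hi = ipaddress.IPv4Address(self.start_ip), ipaddress.IPv4Address(self.end_ip)
        if hi < lo:
            raise ValueError("end-ip must not precede start-ip")
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        ports = [p for p in (self.start_port, self.end_port) if p is not None]
        if ports and self.protocol == "any":
            raise ValueError("port ranges may only be set when protocol is not any")
        if any(not 1 <= p <= 65535 for p in ports):
            raise ValueError("ports must be between 1 and 65535")
        if len(ports) == 2 and self.end_port < self.start_port:
            raise ValueError("end-port must not precede start-port")

    def commands(self) -> List[str]:
        """Render the validated entry as the CLI lines documented above."""
        self.validate()
        base = f'set security state-insp xposed-addr exposed-address# "{self.number}"'
        lines = [f"{base} start-ip {self.start_ip}", f"{base} end-ip {self.end_ip}",
                 f"{base} protocol {self.protocol}"]
        for key, val in (("start-port", self.start_port), ("end-port", self.end_port)):
            if val is not None:
                lines.append(f"{base} {key} {val}")
        return lines


def is_valid(entry: ExposedAddress) -> bool:
    try:
        entry.validate()
        return True
    except ValueError:  # covers malformed dotted quads too (AddressValueError)
        return False
```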
Packet Filtering Settings
Packet Filtering settings are supported beginning with Firmware Version 7.4.
Packet Filtering has two parts:
Create/Edit/Delete Filter Sets; create/edit/delete rules in a Filter Set.
Associate a created Filter Set with a WAN or LAN interface.
See "Packet Filter" on page 154 for more information.
set security pkt-filter filterset filterset-name [ in | out ] index forward [ on | off ]
Creates or edits a filter rule, specifying whether packets will be forwarded or not.
NOTE: If this is the first rule, it will create the filter-set called filterset-name, otherwise it will edit the filterset. If the index is not consecutive, the system will select the next consecutive index. If the index does not exist, a rule will be created. If a rule exists, the rule will be edited.

set security pkt-filter filterset filterset-name [ in | out ] index idle-reset [ on | off ]
Turns idle reset on or off for the specified filter rule. A match on this rule resets idle-timeout status and keeps the WAN connection alive. The default is off.
set security pkt-filter filterset filterset-name [ in | out ] index frc-rte [ on | off ]
Turns forced routing on or off for the specified filter rule. A match on this rule will force a route for packets. The default is off.

set security pkt-filter filterset filterset-name [ in | out ] index gateway ip_addr
Specifies the gateway IP address for forced routed packets, if forced routing is enabled.

set security pkt-filter filterset filterset-name [ in | out ] index src-ip ip_addr
Specifies the source IP address to match packets (where the packet was sent from).

set security pkt-filter filterset filterset-name [ in | out ] index src-mask mask
Specifies the source IP mask to match packets (where the packet was sent from).

set security pkt-filter filterset filterset-name [ in | out ] index dest-ip ip_addr
Specifies the destination IP address to match packets (where the packet is going).

set security pkt-filter filterset filterset-name [ in | out ] index dest-mask mask
Specifies the destination IP mask to match packets (where the packet is going).

set security pkt-filter filterset filterset-name [ in | out ] index tos value
Specifies the TOS (Type Of Service) value to match packets. The value for tos can be from 0 – 255.
set security pkt-filter filterset filterset-name [ in | out ] index tos-mask value
Specifies the TOS (Type Of Service) mask to match packets. The value for tos-mask can be from 0 – 255.

set security pkt-filter filterset filterset-name [ in | out ] index protocol value
Specifies the protocol value to match packets: the type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP. The value for protocol can be from 0 – 255.

set security pkt-filter filterset filterset-name [ in | out ] index src-compare [ nc | ne | lt | le | eq | gt | ge ]
Sets the source compare operator action for the specified filter rule.

set security pkt-filter filterset filterset-name [ in | out ] index dst-compare [ nc | ne | lt | le | eq | gt | ge ]
Sets the destination compare operator action for the specified filter rule.
Operator   Action
nc         No compare
ne         Not equal to
lt         Less than
le         Less than or equal to
eq         Equal to
ge         Greater than or equal to
gt         Greater than
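As an added illustration (not from the manual, and not the router's firmware), the following Python models how the rules of one filter set, using the match fields and the compare operators documented above, decide whether a packet is forwarded. Two details are assumptions of this example rather than statements of the manual: the port value that src-compare/dst-compare test against (src_port/dst_port here), and that a packet matching no rule is dropped.

```python
import ipaddress
import operator
from dataclasses import dataclass
from typing import Dict, List, Optional
# The src-compare / dst-compare operators from the table above; nc = no compare (always true).
COMPARE = {"nc": lambda a, b: True, "ne": operator.ne, "lt": operator.lt,
           "le": operator.le, "eq": operator.eq, "ge": operator.ge, "gt": operator.gt}


def same_network(addr: str, base: str, mask: str) -> bool:
    """addr equals base under mask; a mask of 0.0.0.0 matches every address."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(addr)) & m == int(ipaddress.IPv4Address(base)) & m


@dataclass
class FilterRule:
    """One pkt-filter rule; field names follow the CLI keywords (example model)."""
    index: int
    forward: bool                    # forward on/off
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dest_ip: str = "0.0.0.0"
    dest_mask: str = "0.0.0.0"
    protocol: Optional[int] = None   # IP protocol number 0-255; None = not compared (assumption)
    tos: int = 0
    tos_mask: int = 0                # tos-mask 0 = TOS not compared
    src_compare: str = "nc"
    src_port: int = 0                # port the src-compare operator tests against (assumption)
    dst_compare: str = "nc"
    dst_port: int = 0                # port the dst-compare operator tests against (assumption)

    def matches(self, pkt: Dict) -> bool:
        """pkt keys: src, dst, proto, tos, sport, dport (a constructed packet summary)."""
        return (same_network(pkt["src"], self.src_ip, self.src_mask)
                and same_network(pkt["dst"], self.dest_ip, self.dest_mask)
                and (self.protocol is None or pkt["proto"] == self.protocol)
                and (pkt["tos"] & self.tos_mask) == (self.tos & self.tos_mask)
                and COMPARE[self.src_compare](pkt["sport"], self.src_port)
                and COMPARE[self.dst_compare](pkt["dport"], self.dst_port))


def filter_set_decision(rules: List[FilterRule], pkt: Dict) -> bool:
    """First matching rule by index decides forward on/off; no match drops (assumption)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.matches(pkt):
            return rule.forward
    return False

# Constructed inbound set: rule 1 drops TCP (protocol 6) to privileged ports on 192.168.1.10, rule 2 forwards other TCP to it.
INBOUND_RULES = [
    FilterRule(1, False, dest_ip="192.168.1.10", dest_mask="255.255.255.255", protocol=6, dst_compare="lt", dst_port=1024),
    FilterRule(2, True, dest_ip="192.168.1.10", dest_mask="255.255.255.255", protocol=6),
]
```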