61

The following table is the simplified version of VOIP line/hook/etc. states during different conditions.

The following table provides the state changes during the boot-up procedure.

VOIP

Line 1/2

Hook state

WAN IP

Reg-state

FXS

Voltage

Tone

LED

Disable

On/Off-hook

UP

Idle

OFF

N/A

off

Enabled

On-hook

UP

Registered

ON

N/A

Solid

Enabled

Off-hook

UP

Registered

ON

DIAL TONE

Blink

Enabled

On/off hook

UP

Failure

OFF

N/A

off

Enabled

On/off hook

DOWN

Idle

OFF

N/A

off

VOIP

Line 1/2

WAN

Status

Hook State

Reg-state

FXS

Voltage

Tone

LED

Disable

Down

Off-hook

Idle

On-to-off

off

off

Enabled

Down

On/Off-hook

Idle

ON

Congestion

off

Enabled

Up

Off-hook

Registered

ON

Congestion.

Dial Tone

played after

the hook state

is changed.

ON

Administrator’s Handbook

62

Firewall

When you click the

Firewall

tab, the

Firewall

Status page appears. The Firewall page displays the status of your

system firewall elements.

All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or

Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets to deter-

mine whether they should be admitted to your private LAN, based on multiple criteria, or blocked. Stateful inspec-

tion improves security by tracking data packets over a period of time, examining incoming and outgoing packets.

Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets consti-

tuting a proper response are allowed through the firewall.

Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. You can

configure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled

on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your system.

Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not.

The center section displays the following:

The links at the top of the Firewall page access a series of pages to allow you to configure security features of

your device. The following sections give brief descriptions of these pages.

◆

“

Packet Filter

” on page

63

◆

“

NA

T/Gaming

” on page

69

◆

“

IP

Passthrough

” on page

75

◆

“

Firewall

Advanced

” on page

78

Packet Filter

May be On or Off

IP Passthrough

May be On or Off

NAT Default Server

May be On or Off

Firewall Advanced

May be On or Off

63

Link: Packet Filter

When you click the

Packet Filter

link the

Packet Filter

screen appears.

Security should be a high priority for anyone administering a network connected to the Internet. Using packet fil-

ters to control network communications can greatly improve your network’s security. The Packet Filter engine

allows creation of a maximum of eight Filtersets. Each Filterset can have up to eight rules configured.

☛

WARNING:

Before attempting to configure filters and filtersets, please read and understand this entire section

thoroughly. The Motorola Gateway incorporating NAT has advanced security features built in.

Improperly adding filters and filtersets increases the possibility of loss of communication with the

Gateway and the Internet. Never attempt to configure filters unless you are local to the Gateway.

Although using filtersets can enhance network security, there are disadvantages:

• Filters are complex. Combining them in filtersets introduces subtle interactions, increasing the like-

lihood of implementation errors.

• Enabling a large number of filters can have a negative impact on performance. Processing of pack-

ets will take longer if they have to go through many checkpoints in addition to NAT.

• Too much reliance on packet filters can cause too little reliance on other security methods. Filter-

sets are not a substitute for password protection, effective safeguarding of passwords, and general

awareness of how your network may be vulnerable.

Motorola’s packet filters are designed to provide security for the Internet connections made to and from your net-

work. You can customize the Gateway’s filtersets for a variety of packet filtering applications. Typically, you use fil-

ters to selectively admit or refuse TCP/IP connections from certain remote networks and specific hosts. You will

also use filters to screen particular types of connections. This is commonly called firewalling your network.

Before creating filtersets, you should read the next few sections to learn more about how these powerful security

tools work.

Administrator’s Handbook

64

Parts of a filter

A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the follow-

ing attributes:

◆

The source IP address (where the packet was sent from)

◆

The destination IP address (where the packet is going)

◆

The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP

Other filter attributes

There are three other attributes to each filter:

◆

The filter’s order (i.e., priority) in the filterset

◆

Whether the filter is currently active

◆

Whether the filter is set to forward packets or to block (discard) packets

Design guidelines

Careful thought must go into designing a new filterset. You should consider the following guidelines:

◆

Be sure the filterset’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and

that can actually make your network less secure.

◆

Be sure each individual filter’s purpose is clear.

◆

Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the filters

would respond to a number of different hypothetical packets.

◆

Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the

packet is:

• Forwarded if all the filters are configured to discard (not forward)

• Discarded if all the filters are configured to forward

• Discarded if the set contains a combination of forward and discard filters

An approach to using filters

The ultimate goal of network security is to prevent unauthorized access to the network without compromising

authorized access. Using filtersets is part of reaching that goal.

Each filterset you design will be based on one of the following approaches:

◆

That which is not expressly prohibited is permitted.

◆

That which is not expressly permitted is prohibited.

It is strongly recommended that you take the latter, and safer, approach to all of your filterset designs.

65

Working with Packet Filters

To work with filters, begin by accessing the

Packet Filter

page.

Packet Filter

◆

Enable/Disable Packet Filters

– Click this button to globally turn your filters on or off.

Packet Filter Rules

Buttons:

Click either

Add a ‘Drop’ Rule

or

Add a ‘Pass’ Rule

button.

◆

Action

:

•

drop

: If you select

drop

, the specified packets will be blocked.

•

pass

: If you select

pass

, the specified packets will be forwarded.