Page 61 / 139 Scroll up to view Page 56 - 60
50
Firewall Settings
Enable SPI
SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps
to prevent cyber attacks by tracking more state per session. It validates that the
Page 62 / 139
51
traffic passing through that session conforms to the protocol. When the protocol
is TCP, SPI checks that packet sequence numbers are within the valid range for
the session, discarding those packets that do not have valid sequence numbers.
Whether SPI is enabled or not, the router always tracks TCP connection states
and ensures that each TCP packet's flags are valid for the current state.
NAT Endpoint Filtering
The NAT Endpoint Filtering options control how the router's NAT manages incoming
connection requests to ports that are already being used.
Endpoint Independent
Once a LAN-side application has created a connection through a specific port,
the NAT will forward any incoming connection requests with the same port to
the LAN-side application regardless of their origin. This is the least restrictive
option, giving the best connectivity and allowing some applications (P2P
applications in particular) to behave almost as if they are directly connected to
the Internet.
Address Restricted
The NAT forwards incoming connection requests to a LAN-side host only when
they come from the same IP address with which a connection was established.
This allows the remote application to send data back through a port different
from the one used when the outgoing session was created.
Port And Address Restricted
The NAT does not forward any incoming connection requests with the same
port address as an already establish connection.
Note that some of these options can interact with other port restrictions. Endpoint
Independent Filtering takes priority over inbound filters or schedules, so it is possible
for an incoming session request related to an outgoing session to enter through a
port in spite of an active inbound filter on that port. However, packets will be rejected
as expected when sent to blocked ports (whether blocked by schedule or by inbound
filter) for which there are no active sessions. Port and Address Restricted Filtering
ensures that inbound filters and schedules work precisely, but prevents some level of
connectivity, and therefore might require the use of port triggers, virtual servers, or
port forwarding to open the ports needed by the application. Address Restricted
Filtering gives a compromise position, which avoids problems when communicating
with certain other types of NAT router (symmetric NATs in particular) but leaves
inbound filters and scheduled access working as expected.
UDP Endpoint Filtering
Controls endpoint filtering for packets of the UDP protocol.
TCP Endpoint Filtering
Controls endpoint filtering for packets of the TCP protocol.
DMZ Host
DMZ means "Demilitarized Zone." If an application has trouble working from behind
Page 63 / 139
52
the router, you can expose one computer to the Internet and run the application on
that computer.
When a LAN host is configured as a DMZ host, it becomes the destination for all
incoming packets that do not match some other incoming session or rule. If any other
ingress rule is in place, that will be used instead of sending packets to the DMZ host;
so, an active session, virtual server, active port trigger, or port forwarding rule will
take priority over sending a packet to the DMZ host. (The DMZ policy resembles a
default port forwarding rule that forwards every port that is not specifically sent
anywhere else.)
The router provides only limited firewall protection for the DMZ host. The router does
not forward a TCP packet that does not match an active DMZ session, unless it is a
connection establishment packet (SYN). Except for this limited protection, the DMZ
host is effectively "outside the firewall". Anyone considering using a DMZ host should
also consider running a firewall on that DMZ host system to provide additional
protection.
Packets received by the DMZ host have their IP addresses translated from the
WAN-side IP address of the router to the LAN-side IP address of the DMZ host.
However, port numbers are not translated; so applications on the DMZ host can
depend on specific port numbers.
The DMZ capability is just one of several means for allowing incoming requests that
might appear unsolicited to the NAT. In general, the DMZ host should be used only if
there are no other alternatives, because it is much more exposed to cyber attacks
than any other system on the LAN. Thought should be given to using other
configurations instead: a virtual server, a port forwarding rule, or a port trigger. Virtual
servers open one port for incoming sessions bound for a specific application (and
also allow port redirection and the use of ALGs). Port forwarding is rather like a
selective DMZ, where incoming traffic targeted at one or more ports is forwarded to a
specific LAN host (thereby not exposing as many ports as a DMZ host). Port
triggering is a special form of port forwarding, which is activated by outgoing traffic,
and for which ports are only forwarded while the trigger is active.
Few applications truly require the use of the DMZ host. Following are examples of
when a DMZ host might be required:
A host needs to support several applications that might use overlapping
ingress ports such that two port forwarding rules cannot be used because
they would potentially be in conflict.
To handle incoming connections that use a protocol other than ICMP, TCP,
UDP, and IGMP (also GRE and ESP, when these protocols are enabled by
the PPTP and IPSec ALGs ).
Enable DMZ
Putting a computer in the DMZ may expose that computer to a
variety of security risks. Use of this option is only recommended as
a last resort.
Page 64 / 139
53
DMZ IP Address
Specify the LAN IP address of the LAN computer that you want to have
unrestricted Internet communication. If this computer obtains its address
Automatically using DHCP, then you may want to make a static reservation on
the
Basic
Network Settings
page so that the IP address of the DMZ computer
does not change.
Non-UDP/TCP/ICMP LAN Sessions
When a LAN application that uses a protocol other than UDP, TCP, or ICMP initiates
a session to the Internet, the router's NAT can track such a session, even though it
does not recognize the protocol. This feature is useful because it enables certain
applications (most importantly a single VPN connection to a remote host) without the
need for an ALG.
Note that this feature does not apply to the DMZ host (if one is enabled). The DMZ
host always handles these kinds of sessions.
Enable
Enabling this option (the default setting) enables single VPN connections to a
remote host. (But, for multiple VPN connections, the appropriate VPN ALG must
be used.) Disabling this option, however, only disables VPN if the appropriate
VPN ALG is also disabled.
Application Level Gateway (ALG) Configuration
Here you can enable or disable ALGs. Some protocols and applications require
special handling of the IP payload to make them work with network address
translation (NAT). Each ALG provides special handling for a specific protocol or
application. A number of ALGs for common applications are enabled by default.
PPTP
Allows multiple machines on the LAN to connect to their corporate networks
using PPTP protocol. When the PPTP ALG is enabled, LAN computers can
establish PPTP VPN connections either with the same or with different VPN
servers. When the PPTP ALG is disabled, the router allows VPN operation in a
restricted way -- LAN computers are typically able to establish VPN tunnels to
different VPN Internet servers but not to the same server. The advantage of
disabling the PPTP ALG is to increase VPN performance. Enabling the PPTP
ALG also allows incoming VPN connections to a LAN side VPN server (refer to
Virtual Server
).
IPSec (VPN)
Allows multiple VPN clients to connect to their corporate networks using IPSec.
Some VPN clients support traversal of IPSec through NAT. This option may
interfere with the operation of such VPN clients. If you are having trouble
connecting with your corporate network, try disabling this option.
Check with the system administrator of your corporate network whether your
VPN client supports NAT traversal.
Note that L2TP VPN connections typically use IPSec to secure the connection.
Page 65 / 139
54
To achieve multiple VPN pass-through in this case, the IPSec ALG must be
enabled.
RTSP
Allows applications that use Real Time Streaming Protocol to receive streaming
media from the internet. QuickTime and Real Player are some of the common
applications using this protocol.
Windows/MSN Messenger
Supports use on LAN computers of Microsoft Windows Messenger (the Internet
messaging client that ships with Microsoft Windows) and MSN Messenger. The
SIP ALG must also be enabled when the Windows Messenger ALG is enabled.
FTP
Allows FTP clients and servers to transfer data across NAT. Refer to the
Advanced
Virtual Server
page if you want to host an FTP server.
H.323 (Netmeeting)
Allows H.323 (specifically Microsoft Netmeeting) clients to communicate across
NAT. Note that if you want your buddies to call you, you should also set up a
virtual server for NetMeeting. Refer to the
Advanced
Virtual Server
page for
information on how to set up a virtual server.
SIP
Allows devices and applications using VoIP (Voice over IP) to communicate
across NAT. Some VoIP applications and devices have the ability to discover
NAT devices and work around them. This ALG may interfere with the operation
of such devices. If you are having trouble making VoIP calls, try turning this ALG
off.
Wake-On-LAN
This feature enables forwarding of "magic packets" (that is, specially formatted
wake-up packets) from the WAN to a LAN computer or other device that is
"Wake on LAN" (WOL) capable. The WOL device must be defined as such on
the
Advanced
Virtual Server
page. The LAN IP address for the virtual server
is typically set to the broadcast address 192.168.2.255. The computer on the
LAN whose MAC address is contained in the magic packet will be awakened.
MMS
Allows Windows Media Player, using MMS protocol, to receive streaming media
from the internet.

Rate

4.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top