Block Fragmented IP

packets

Prevents all fragmented IP packets from passing through

the firewall.

IP Flood Detection

Detects and blocks packet floods originating on both the

LAN and WAN.

Firewall Protection

Turns on the Stateful Packet Inspection (SPI) firewall

features.

Note:

Java applets, ActiveX controls, and popup windows function filtering will fail if the

web pages are sent in uncompressed format to the web browser.

Local Log

The Local Log page allows you to configure firewall event log reporting via email alerts. Individual

emails can be sent out automatically each time the firewall is under attack. A local log is also stored

within the modem and displayed within this page.

To access the

Local Log

page:

1

Click

Firewall

in the menu bar.

2

Then click the

Local Log

submenu.

Figure 23 shows an example of the menu and Table 17 describes the items you can select.

To enable the automatic email alerts:

1

Configure the email address you want to send alerts to. You also need to configure the email

account you will send from (this may be the same account). This includes the SMTP (outgoing)/

mail server address, together with username and password. You may need to contact your service

provider to find the information.

2

Check the

Enable

box and click the Apply button.

56

Figure 23. Example of Remote Log Page

Table 17. Local Log Menu Option

Option

Description

Contact Email

Address

Enter the email address where you want to receive the alert email.

SMTP Server

Name

Enter the SMTP (Outgoing) mail server address of the email account you will

send from.

SMTP Username

Enter the username of the email account you will send from.

SMTP Password

Enter the password of the email account you will send from.

E-mail Alerts

Check to enable sending alert email, when an attack is detected.

Remote Log

The Remote Log page allows you to send firewall attack reports to a standard SysLog server. It is

useful to log volumes of instances over a long period of time. Individual attack or configuration items

can be selected that will be sent to the SysLog server so that only the items of interest can be

monitored. Permitted connections, blocked connections, known Internet attack types, and cable

modem/router configuration events can also be logged. The SysLog server must be on the same

subnet as the Private LAN behind the cable modem/router (typically 192.168.0.x).

57

To access the

Remote Log

page:

1

Click

Firewall

in the menu bar.

2

Then click the

Remote Log

submenu.

Figure 24 shows an example of the menu and Table 18 describes the items you can select.

Figure 24. Example of Remote Log Page

Below is a complete list of the capable SysLog server attack/notification types and their format. The

generic format of sysLog messages for traffic or administration-related events is:

MMM DD HH:MM:SS YYYY SYSLOG[0]: [Host HostIP] Protocol SourceIP,SourcePort -->

DestIP,DestPort EventText

58

Table 18. SysLog Server Event Format

Parameter

Description

MMM

The three-letter abbreviation for the month (e.g., JUN, JUL AUG, etc.)

DD

The two-digit day of the month (e.g., 01, 02, 03, etc.)

HH:MM:SS

The time displayed as two-digit values for the hour, minute, and second,

respectively.

YYYY

The four-digit year.

HostIP

The IP address of cable modem/router sending the SysLog event. This is the

LAN IP Address on the Basic - Setup page.

Protocol

Can be one of the following: “TCP”, “UDP”, “ICMP”, “IGMP” or

“OTHER”. In the case of “OTHER” the protocol type is displayed in

parentheses (). For ICMP packets, the ICMP type is displayed in parentheses.

SourceIP

The IP address of the originator of the session/packet.

SourcePort

The source port at the originator.

DestIP

The IP address of the recipient of the session/packet.

DestPort

The destination port at the recipient.

EventText

A textual description of the event.

The format of SysLog messages for informational events is simplified:

MMM DD HH:MM:SS YYYY SYSLOG[0]: [Host HostIP] EventText

59

The table below lists all events that can be sent to the SysLog server.

Table 19. SysLog Server Event and Meaning

Event Text

Meaning

ALLOW: Inbound access

request

An inbound request was made, and accepted, from a public

network client to use a service hosted on the firewall or a client

behind the firewall.

ALLOW: Outbound access

request

An outbound request was made, and accepted, from a public client

to use a service hosted on a public network server.

DENY: Inbound or

outbound access request

A request to traverse the firewall by a public or private client

violated the security policy, and was blocked.

DENY: Firewall interface

access request

A request was made to the public or private firewall interface by a

public or private client that violated the security policy, and was

blocked.

FAILURE: User interface

login (Invalid username or

password)

An attempt was made to login to the user interface, and access was

denied because the username and/or password was incorrect.

SUCCESS: User interface

login

An attempt was made to login to the user interface, and access was

allowed.

ALLOW: User interface

access [request]

An HTTP GET or POST request was made by an authenticated

user to the user interface.

DENY: Inbound or

outbound [internet attack

name] attack

A known internet attack was detected attempting to traverse the

firewall, and was blocked. Examples of known internet attacks are

Ping Of Death, Teardrop, WinNuke, XmasTree, SYN Flood, etc.

DENY: Firewall interface

[internet attack name]

attack

A known internet attack directed at the firewall itself was detected

and blocked. Examples of known internet attacks are Ping Of

Death, Teardrop, WinNuke, XmasTree, SYN Flood, etc.

Firewall Up

The public interface (WAN) connection is up, and the firewall has

begun to police traffic, or the firewall was previously disabled, and

the user has enabled it through the user interface.

Remote config management

enabled [port#]

Remote configuration management (via HTTP through the

specified port # on the public interface) has been enabled via the

user interface.

Remote config management

disabled

Remote configuration management has been disabled via the user

interface.

60