Zyxel AMG1302-T10B Router Manual PDF (Setup & Configuration Guide)

Home

Manuals

Zyxel

AMG1302-T10B

Page 171 / 320 Scroll up to view Page 166 - 170

Chapter 14 Filters

AMG1302/AMG1202-TSeries User’s Guide

171

Destination Prefix Length

Enter the prefix length for the destination IPv6 address.

ICMPv6 Type

Select the ICMPv6 message type to filter. The following message types can be

selected:

1 / Destination Unreachable:

no route to destination; 1 -

communication with destination administratively prohibited; 3 - address

unreachable; 4 - port unreachable

2 / Packet Too Big

Time Exceeded:

0 - hop limit exceeded in transit; 1 - fragment

reassembly time exceeded

Parameter Problem

: 0 - erroneous header field encountered; 1 -

unrecognized Next Header type encountered; 2 - unrecognized IPv6 option

encountered

128

Echo Request

129 /

Echo Response

130

Listener Query -

Multicast listener query

131

Listener Report -

Multicast listener report

132

Listener Done

- Multicast listener done

143

Listener Report v2 -

Multicast listener report v2

133

Router Solicitation

134

Router Advertisement

135

Neighbor Solicitation

136

Neighbor Advertisement

137

Redirect -

Redirect message

Protocol

This is the (upper layer) protocol that defines the service to which this rule

applies. By default it is ICMPv6.

IPv6 / MAC Filter Listing

IPv6 / MAC Filter Rule Index

Select the index number of the filter set from the drop-down list box.

This is the index number of the rule in a filter set.

Active

This field shows whether the rule is activated.

Interface

This is the interface that the rule applies to.

Direction

The filter set applies to this traffic direction.

ICMPv6 Type

The ICMPv6 message type to filter.

Src IP/PrefixLength

This displays the source IPv6 address and prefix length.

Dest IP/PrefixLength

This displays the destination IPv6 address and prefix length.

Mac Address

This is the MAC address of the packets being filtered.

Protocol

This is the (upper layer) protocol that defines the service to which this rule

applies. By default it is ICMPv6.

Apply

Click this to apply your changes.

Delete

Click this to remove the filter rule.

Cancel

Click this to restore your previously saved settings.

Table 59

Security > Filter > IPv6/MAC Filter (continued)

LABEL

DESCRIPTION

Page 172 / 320

Chapter 14 Filters

AMG1302/AMG1202-TSeries User’s Guide

172

Page 173 / 320

AMG1302/AMG1202-TSeries User’s Guide

173

HAPTER

Firewall

15.1

Overview

This chapter shows you how to enable the AMG1302/AMG1202-TSeries firewall. Use the firewall to

protect your AMG1302/AMG1202-TSeries and network from attacks by hackers on the Internet and

control access to it. The firewall:

•

allows traffic that originates from your LAN computers to go to all other networks.

•

blocks traffic that originates on other networks from going to the LAN.

•

blocks SYN and port scanner attacks.

By default, the AMG1302/AMG1202-TSeries blocks DDOS, LAND and Ping of Death attacks whether

the firewall is enabled or disabled.

The following figure illustrates the firewall action. User

can initiate an IM (Instant Messaging)

session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However

other traffic initiated from the WAN is blocked (3 and 4).

Figure 80

Default Firewall Action

15.1.1

What You Can Do in the Firewall Screens

•

Use the

General

screen (

Section 15.2 on page 175

) to select the firewall protection level on the

AMG1302/AMG1202-TSeries.

•

Use the

Default Action

screen (

Section 15.3 on page 176

) to set the default action that the

firewall takes on packets that do not match any of the firewall rules.

•

Use the

Rules

screen (

Section 15.4 on page 178

) to view the configured firewall rules and add,

edit or remove a firewall rule.

•

Use the

Dos

screen (

Section 15.5 on page 184

) to set the thresholds that the AMG1302/

AMG1202-TSeries uses to determine when to start dropping sessions that do not become fully

established (half-open sessions).

WAN

LAN

Page 174 / 320

Chapter 15 Firewall

AMG1302/AMG1202-TSeries User’s Guide

174

15.1.2

What You Need to Know About Firewall

SYN Attack

A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the

targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that

follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYN-

ACKs are moved off the queue only when an ACK comes back or when an internal timer terminates

the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests,

making the system unavailable for legitimate users.

DoS

Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the

Internet. Their goal is not to steal information, but to disable a device or network so users no longer

have access to network resources. The AMG1302/AMG1202-TSeries is pre-configured to

automatically detect and thwart all known DoS attacks.

DDoS

A Distributed DoS (DDoS) attack is one in which multiple compromised systems attack a single

target, thereby causing denial of service for users of the targeted system.

LAND Attack

In a Local Area Network Denial (LAND) attack, hackers flood SYN packets into the network with a

spoofed source IP address of the target system. This makes it appear as if the host computer sent

the packets to itself, making the system unavailable while the target system tries to respond to

itself.

Ping of Death

Ping of Death uses a "ping" utility to create and send an IP packet that exceeds the maximum

65,536 bytes of data allowed by the IP specification. This may cause systems to crash, hang or

reboot.

SPI

Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is

valid. Filtering decisions are based not only on rules but also context. For example, traffic from the

WAN may only be allowed to cross the firewall in response to a request from the LAN.

RFC 4890 SPEC Traffic

RFC 4890 specifies the filtering policies for ICMPv6 messages.

This is important for protecting

against security threats including DoS, probing, redirection attacks and renumbering attacks that

can be carried out through ICMPv6. Since ICMPv6 error messages are critical for establishing and

maintaining communications, filtering policy focuses on ICMPv6 informational messages.

Page 175 / 320

Chapter 15 Firewall

AMG1302/AMG1202-TSeries User’s Guide

175

Anti-Probing

If an outside user attempts to probe an unsupported port on your AMG1302/AMG1202-TSeries, an

ICMP response packet is automatically returned. This allows the outside user to know the

AMG1302/AMG1202-TSeries exists. The AMG1302/AMG1202-TSeries supports anti-probing, which

prevents the ICMP response packet from being sent. This keeps outsiders from discovering your

AMG1302/AMG1202-TSeries when unsupported ports are probed.

ICMP

Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol

between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams,

but the messages are processed by the TCP/IP software and directly apparent to the application

user.

DoS Thresholds

For DoS attacks, the AMG1302/AMG1202-TSeries uses thresholds to determine when to drop

sessions that do not become fully established. These thresholds apply globally to all sessions. You

can use the default threshold values, or you can change them to values more suitable to your

security requirements.

15.2

The Firewall General Screen

Use this screen to select the firewall protection level on the AMG1302/AMG1202-TSeries. Click

Security > Firewall > General

to display the following screen.

Figure 81

Security > Firewall > General

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share