1. Home
    2. /
  2. Manuals
    3. /
  3. Zyxel
    4. /
  4. AMG1302-T10B
    5. /
  5. 38
Page 186 / 320 Scroll up to view Page 181 - 185
Chapter 15 Firewall
AMG1302/AMG1202-TSeries User’s Guide
186
The following table describes the labels in this screen.
15.6
Firewall Technical Reference
This section provides some technical background information about the topics covered in this
chapter.
15.6.1
Firewall Rules Overview
Your customized rules take precedence and override the AMG1302/AMG1202-TSeries’s default
settings. The AMG1302/AMG1202-TSeries checks the source IP address, destination IP address and
IP protocol type of network traffic against the firewall rules (in the order you list them). When the
traffic matches a rule, the AMG1302/AMG1202-TSeries takes the action specified in the rule.
Firewall rules are grouped based on the direction of travel of packets to which they apply:
Note: The LAN includes both the LAN port and the WLAN.
By default, the AMG1302/AMG1202-TSeries’s stateful packet inspection allows packets traveling in
the following directions:
LAN to Router
These rules specify which computers on the LAN can manage the AMG1302/AMG1202-TSeries
(remote management).
Note: You can also configure the remote management settings to allow only a specific
computer to manage the AMG1302/AMG1202-TSeries.
Table 67
Security > Firewall > DoS > Advanced
LABEL
DESCRIPTION
TCP SYN-Request
Count
This is the rate of new TCP half-open sessions per second that causes the firewall to
start deleting half-open sessions. When the rate of new connection attempts rises
above this number, the AMG1302/AMG1202-TSeries deletes half-open sessions as
required to accommodate new connection attempts.
UDP Packet Count
This is the rate of new UDP half-open sessions per second that causes the firewall to
start deleting half-open sessions. When the rate of new connection attempts rises
above this number, the AMG1302/AMG1202-TSeries deletes half-open sessions as
required to accommodate new connection attempts.
ICMP Echo-Request
Count
This is the rate of new ICMP Echo-Request half-open sessions per second that causes
the firewall to start deleting half-open sessions. When the rate of new connection
attempts rises above this number, the AMG1302/AMG1202-TSeries deletes half-open
sessions as required to accommodate new connection attempts.
Back
Click this button to return to the previous screen.
Apply
Click this to save your changes.
Cancel
Click this to restore your previously saved settings.
LAN to Router
WAN to LAN
LAN to WAN
WAN to Router
Page 187 / 320
Chapter 15 Firewall
AMG1302/AMG1202-TSeries User’s Guide
187
LAN to WAN
These rules specify which computers on the LAN can access which computers or services on the
WAN.
By default, the AMG1302/AMG1202-TSeries’s stateful packet inspection drops packets traveling in
the following directions:
WAN to LAN
These rules specify which computers on the WAN can access which computers or services on the
LAN.
Note: You also need to configure NAT port forwarding (or full featured NAT address
mapping rules) to allow computers on the WAN to access devices on the LAN.
WAN to Router
By default the AMG1302/AMG1202-TSeries stops computers on the WAN from managing the
AMG1302/AMG1202-TSeries. You could configure one of these rules to allow a WAN computer to
manage the AMG1302/AMG1202-TSeries.
Note: You also need to configure the remote management settings to allow a WAN
computer to manage the AMG1302/AMG1202-TSeries.
You may define additional rules and sets or modify existing ones but please exercise extreme
caution in doing so.
For example, you may create rules to:
Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts
on the Internet to specific hosts on the LAN.
Allow everyone except your competitors to access a web server.
Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP
protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the AMG1302/AMG1202-TSeries’s default rules.
15.6.2
Guidelines For Enhancing Security With Your Firewall
6
Change the default password via web configurator.
7
Think about access control before you connect to the network in any way.
8
Limit who can access your router.
9
Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could
present a potential security risk. A determined hacker might be able to find creative ways to misuse
the enabled services to access the firewall or the network.
10
For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring rules to block packets for the
services at specific interfaces.
Page 188 / 320
Chapter 15 Firewall
AMG1302/AMG1202-TSeries User’s Guide
188
11
Protect against IP spoofing by making sure the firewall is active.
12
Keep the firewall in a secured (locked) room.
15.6.3
Security Considerations
Note: Incorrectly configuring the firewall may block valid access or introduce security
risks to the AMG1302/AMG1202-TSeries and your protected network. Use caution
when creating or deleting firewall rules and test your rules after you configure
them.
Consider these security ramifications before creating a rule:
1
Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC
is blocked, are there users that require this service?
2
Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will
a rule that blocks just certain users be more effective?
3
Does a rule that allows Internet users access to resources on the LAN create a security
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN,
Internet users may be able to connect to computers with running FTP servers.
4
Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the
information into the correct fields in the web configurator screens.
15.6.4
Triangle Route
When the firewall is on, your AMG1302/AMG1202-TSeries acts as a secure gateway between your
LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic
passes through the AMG1302/AMG1202-TSeries to protect your LAN against attacks.
Figure 90
Ideal Firewall Setup
15.6.4.1
The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. You
may have more than one connection to the Internet (through one or more ISPs). If an alternate
gateway is on the LAN (and its IP address is in the same subnet as the AMG1302/AMG1202-
TSeries’s LAN IP address), the “triangle route” (also called asymmetrical route) problem may occur.
The steps below describe the “triangle route” problem.
1
2
WAN
LAN
Page 189 / 320
Chapter 15 Firewall
AMG1302/AMG1202-TSeries User’s Guide
189
1
A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on
the WAN.
2
The AMG1302/AMG1202-TSeries reroutes the SYN packet through Gateway
A
on the LAN to the
WAN.
3
The reply from the WAN goes directly to the computer on the LAN without going through the
AMG1302/AMG1202-TSeries.
As a result, the AMG1302/AMG1202-TSeries resets the connection, as the connection has not been
acknowledged.
Figure 91
“Triangle Route” Problem
15.6.4.2
Solving the “Triangle Route” Problem
If you have the AMG1302/AMG1202-TSeries allow triangle route sessions, traffic from the WAN can
go directly to a LAN computer without passing through the AMG1302/AMG1202-TSeries and its
firewall protection.
Another solution is to use IP alias. IP alias allows you to partition your network into logical sections
over the same Ethernet interface. Your AMG1302/AMG1202-TSeries supports up to three logical
LAN interfaces with the AMG1302/AMG1202-TSeries being the gateway for each logical network.
It’s like having multiple LAN networks that actually use the same physical cables and ports. By
putting your LAN and Gateway
A
in different subnets, all returning network traffic must pass
through the AMG1302/AMG1202-TSeries to your LAN. The following steps describe such a scenario.
1
A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the
WAN.
2
The AMG1302/AMG1202-TSeries
reroutes the packet to Gateway A, which is in Subnet 2.
3
The reply from the WAN goes to the AMG1302/AMG1202-TSeries.
4
The AMG1302/AMG1202-TSeries then sends it to the computer on the LAN in Subnet 1.
1
2
3
WAN
LAN
A
ISP 1
ISP 2
Page 190 / 320
Chapter 15 Firewall
AMG1302/AMG1202-TSeries User’s Guide
190
Figure 92
IP Alias
1
2
3
LAN
A
ISP 1
ISP 2
4
WAN
Subnet 1
Subnet 2

Rate

3.7 / 5 based on 3 votes.

Popular Zyxel Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top