P-2602H(W)(L)-DxA Series User’s Guide
Chapter 14 Firewall Configuration
Figure 111 Firewall Example: Edit Rule: Select Customized Services
On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following.

Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
Figure 112 Firewall Example: Rules: MyService
14.8 DoS Thresholds
For DoS attacks, the ZyXEL Device uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions.

You can use the default threshold values, or you can change them to values more suitable to your security requirements. Refer to Section 14.8.3 on page 209 to configure thresholds.
14.8.1 Threshold Values
Tune these parameters when something is not working and after you have checked the firewall counters. The default values should work fine for most small offices. Factors influencing choices for threshold values are:

• The maximum number of opened sessions.
• The minimum capacity of server backlog in your LAN network.
• The CPU power of servers in your LAN network.
• Network bandwidth.
• Type of traffic for certain servers.

If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced.
You should make any changes to the threshold values before you continue configuring firewall rules.
14.8.2 Half-Open Sessions
An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state: the TCP three-way handshake has not yet been completed (see Figure 99 on page 184). For UDP, "half-open" means that the firewall has detected no return traffic.

The ZyXEL Device measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (max-incomplete high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low).

When the rate of new connection attempts rises above a threshold (one-minute high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.
14.8.2.1 TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyXEL Device starts deleting half-open sessions according to one of the following methods:

• If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
• If the Blocking Time timeout is greater than 0, then the ZyXEL Device blocks all new connection requests to the host, giving the server time to handle the present connections. The ZyXEL Device continues to block all new connection requests until the Blocking Time expires.
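The following simulation is an added example written for this page; it is not ZyXEL firmware code. It models the three mechanisms described in Sections 14.8.2 and 14.8.2.1 with the default values from Table 75: the global max-incomplete high/low hysteresis on the number of existing half-open sessions, the one-minute high/low hysteresis on the attempt rate (evaluated once per sample period), and the per-destination-host TCP Maximum Incomplete rule with its two actions (delete the oldest half-open session to that host, or block the host for Blocking Time minutes). The session keys, the `minute` clock, the action strings and the two scenario functions are assumptions made for the example.

```python
"""Half-open session thresholds (Section 14.8), simulated. Added example, not
device code. Keys, the minute clock and action names are assumptions."""
from __future__ import annotations
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Thresholds:               # defaults as listed in Table 75
    one_minute_high: int = 100      # attempts per minute: start deleting
    one_minute_low: int = 80        # attempts per minute: stop deleting
    max_incomplete_high: int = 100  # existing half-open sessions: start deleting
    max_incomplete_low: int = 80    # existing half-open sessions: stop deleting
    tcp_max_incomplete: int = 30    # half-open TCP sessions to one destination host
    blocking_time: int = 0          # minutes; 0 selects "delete the oldest" instead


class HalfOpenTable:
    """Tracks half-open sessions and applies the hysteresis and per-host rules."""

    def __init__(self, th: Thresholds | None = None):
        self.th = th or Thresholds()
        # Insertion order is age order: the first entry is the oldest session.
        self.half_open: OrderedDict[str, tuple[str, str]] = OrderedDict()
        self.minute = 0                 # current one-minute sample period
        self.attempts_this_minute = 0
        self.rate_purging = False       # set/cleared once a minute in end_minute()
        self.count_purging = False      # set/cleared on every new attempt
        self.blocked_until: dict[str, int] = {}  # dst -> minute the block expires

    def _per_host(self, dst: str) -> int:
        return sum(1 for d, p in self.half_open.values() if d == dst and p == "tcp")

    def _delete_oldest(self, dst: str | None = None) -> None:
        """Drop the oldest half-open session, optionally only one to `dst`."""
        for key, (d, _) in self.half_open.items():
            if dst is None or d == dst:
                del self.half_open[key]
                return

    def new_attempt(self, key: str, dst: str, proto: str = "tcp") -> str:
        """Register a new connection request and return the action taken."""
        self.attempts_this_minute += 1
        if self.blocked_until.get(dst, 0) > self.minute:   # inside a Blocking Time window
            return "blocked"
        action = "accepted"
        # 14.8.2.1: TCP Maximum Incomplete reached for this destination host.
        if proto == "tcp" and self._per_host(dst) >= self.th.tcp_max_incomplete:
            if self.th.blocking_time == 0:
                self._delete_oldest(dst)
                action = "deleted_oldest_to_host"
            else:
                self.blocked_until[dst] = self.minute + self.th.blocking_time
                return "blocked"
        # 14.8.2: global count hysteresis (max-incomplete high / low).
        n = len(self.half_open)
        if n > self.th.max_incomplete_high:
            self.count_purging = True
        elif n < self.th.max_incomplete_low:
            self.count_purging = False
        if (self.count_purging or self.rate_purging) and self.half_open:
            self._delete_oldest()
            action = "deleted_oldest"
        self.half_open[key] = (dst, proto)
        return action

    def establish(self, key: str) -> None:
        """Handshake completed (or UDP return traffic seen): no longer half-open."""
        self.half_open.pop(key, None)

    def end_minute(self) -> bool:
        """Close the sample period; evaluate one-minute high / low on the attempt rate."""
        if self.attempts_this_minute > self.th.one_minute_high:
            self.rate_purging = True
        elif self.attempts_this_minute < self.th.one_minute_low:
            self.rate_purging = False
        self.attempts_this_minute = 0
        self.minute += 1
        return self.rate_purging


def syn_flood_one_host(blocking_time: int = 0) -> dict:
    """Constructed scenario: 31 SYNs to one LAN host, then ten handshakes complete."""
    t = HalfOpenTable(Thresholds(blocking_time=blocking_time))
    first = [t.new_attempt(f"s{i}", "10.0.0.10") for i in range(31)]
    t.end_minute()
    for i in range(10):                      # server catches up on ten connections
        t.establish(f"s{i}")
    during = t.new_attempt("mid", "10.0.0.10")
    while t.minute < blocking_time:          # run the clock to the end of the block
        t.end_minute()
    after = t.new_attempt("late", "10.0.0.10")
    return {"thirty_first": first[30], "during": during, "after": after,
            "per_host": t._per_host("10.0.0.10")}


def udp_spray() -> dict:
    """Constructed scenario: UDP probes to many hosts with no return traffic."""
    t = HalfOpenTable()
    acts = [t.new_attempt(f"u{i}", f"192.0.2.{i + 1}", "udp") for i in range(102)]
    for i in range(1, 23):                   # 22 sessions see return traffic
        t.establish(f"u{i}")
    after_establish = t.new_attempt("u102", "192.0.2.200", "udp")
    rate_purging = t.end_minute()            # 103 attempts in minute 0
    minute1 = [t.new_attempt(f"u{110 + i}", "192.0.2.201", "udp") for i in range(11)]
    rate_cleared = t.end_minute()            # only 11 attempts in minute 1
    minute2 = t.new_attempt("u130", "192.0.2.202", "udp")
    return {"hundred_second": acts[101], "after_establish": after_establish,
            "rate_purging": rate_purging, "minute1": minute1[0],
            "rate_cleared": rate_cleared, "minute2": minute2}
```

Two points the scenarios make visible: with Blocking Time 0 the 31st SYN to 10.0.0.10 evicts the oldest half-open session and the host count never exceeds 30, while with Blocking Time 5 the host stays blocked for the whole window even after the server has completed handshakes; and the rate rule can keep evicting sessions during the next minute even when the global count has already fallen below Maximum Incomplete Low, because the rate is only re-evaluated at the end of each sample period.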
14.8.3 Configuring Firewall Thresholds
The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.

Click Firewall, then Threshold to bring up the next screen.
Figure 113 Firewall: Threshold
The following table describes the labels in this screen.

Table 75 Firewall: Threshold (LABEL / DESCRIPTION / DEFAULT VALUES)

Denial of Service Thresholds

One Minute Low
This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.
Default: 80 half-open sessions per minute.

One Minute High
This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection attempts.
Default: 100 half-open sessions per minute. The above numbers cause the ZyXEL Device to start deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 80 session establishment attempts have been detected in the last minute.

Maximum Incomplete Low
This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.
Default: 80 existing half-open sessions.

Maximum Incomplete High
This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High lower than the current Maximum Incomplete Low number.
Default: 100 existing half-open sessions. The above values cause the ZyXEL Device to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions when the number of existing half-open sessions drops below 80.

TCP Maximum Incomplete
This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, choose a smaller number for a smaller network, a slower system or limited bandwidth.
Default: 30 existing half-open TCP sessions.

Action taken when the TCP Maximum Incomplete threshold is reached

Delete the Oldest Half Open Session when New Connection Request Comes.
Select this radio button to clear the oldest half-open session when a new connection request comes.

Deny New Connection Request for
Select this radio button and specify for how long the ZyXEL Device should block new connection requests when TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256).

Apply
Click Apply to save your changes back to the ZyXEL Device.

Cancel
Click Cancel to begin configuring this screen afresh.