Chapter 7 Firewalls
P-660R-F1 Series User's Guide
have access to network resources. The ZyXEL Device is pre-configured to automatically detect and thwart the common DoS attacks it recognizes; the thresholds described below determine how aggressively it does so.
Anti-Probing
If an outside user probes an unsupported port on your ZyXEL Device, an ICMP response packet is normally returned. This response tells the outside user that the ZyXEL Device exists. The ZyXEL Device supports anti-probing, which suppresses the ICMP response packet, so outsiders probing unsupported ports get no confirmation that the device is there. Note that anti-probing only silences probes to ports nothing answers on; any service the device itself exposes on the WAN, or any port you forward or permit with a WAN to LAN rule, still responds and remains discoverable.
ICMP
Internet Control Message Protocol (ICMP) is a control and error-reporting protocol used between hosts and gateways on the Internet. ICMP messages are carried in Internet Protocol (IP) datagrams, but they are processed by the TCP/IP stack itself and are not directly visible to the application user.
DoS Thresholds
For DoS attacks, the ZyXEL Device uses thresholds to decide when to drop sessions that do not become fully established (for example, TCP connections whose three-way handshake never completes, as in a SYN flood). These thresholds apply globally to all sessions, not per host. You can use the default threshold values, or you can change them to values more suitable to your security requirements.
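The following added example (not code from the user's guide or from ZyXEL) models the threshold mechanism described above: half-open TCP sessions are counted globally, and once the count reaches the threshold the device drops incomplete sessions. The threshold value (5), the eviction policy (oldest half-open session first), the event format and the sample trace are all assumptions made for this example.

```python
"""Model of a global half-open (embryonic) session threshold.

Assumptions for this example, not values from the P-660R-F1 user's guide:
the threshold name/value, oldest-first eviction, and the event format.
"""

from collections import OrderedDict

SYN, ESTABLISHED, TIMEOUT = "SYN", "ESTABLISHED", "TIMEOUT"


class HalfOpenTracker:
    def __init__(self, max_incomplete):
        # max_incomplete (assumed name): global cap on sessions whose TCP
        # handshake has not completed; it applies to all sessions together.
        self.max_incomplete = max_incomplete
        # Insertion-ordered so the oldest half-open session is evicted first.
        self.half_open = OrderedDict()
        self.established = set()
        self.dropped = []  # (session, reason) pairs, as a log would record

    def on_syn(self, session, now):
        # Enforce the global threshold before admitting a new embryonic session.
        if len(self.half_open) >= self.max_incomplete:
            victim, _ = self.half_open.popitem(last=False)
            self.dropped.append((victim, "threshold"))
        self.half_open[session] = now

    def on_established(self, session):
        # A completed handshake no longer counts against the threshold.
        if self.half_open.pop(session, None) is not None:
            self.established.add(session)

    def on_timeout(self, session):
        if self.half_open.pop(session, None) is not None:
            self.dropped.append((session, "timeout"))

    def process(self, events):
        for now, kind, session in events:
            if kind == SYN:
                self.on_syn(session, now)
            elif kind == ESTABLISHED:
                self.on_established(session)
            elif kind == TIMEOUT:
                self.on_timeout(session)
        return self


def sample_events():
    # Constructed trace: one legitimate client completes its handshake, then a
    # spoofed flood of SYNs from 198.51.100.0/24 arrives and never completes.
    events = [
        (0, SYN, ("203.0.113.5", 40000, "192.168.1.10", 80)),
        (1, ESTABLISHED, ("203.0.113.5", 40000, "192.168.1.10", 80)),
    ]
    for i in range(8):
        events.append((2 + i, SYN, ("198.51.100.%d" % i, 1000 + i, "192.168.1.10", 80)))
    return events


def run_demo(max_incomplete=5):
    tracker = HalfOpenTracker(max_incomplete).process(sample_events())
    return {
        "established": len(tracker.established),
        "half_open": len(tracker.half_open),
        "dropped_by_threshold": [s[0] for s, why in tracker.dropped if why == "threshold"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the trace makes is that the threshold never touches the session that completed its handshake; only embryonic sessions are counted and dropped, so a low threshold protects established users at the cost of new connections during a flood.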
7.1.3 Firewall Rule Setup Example
The following Internet firewall rule example allows a hypothetical "MyService" connection from the Internet.
1 Click Security > Firewall > Rules.
2 Select WAN to LAN in the Packet Direction field.
Figure 49 Firewall Example: Rules
3 In the Rules screen, select the index number after which you want to add the rule. For example, if you select "6", your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
4 Click Add to display the firewall rule configuration screen.
5 In the Edit Rule screen, click the Edit Customized Services link to open the Customized Service screen.
6 Click an index number to display the Customized Services Config screen, configure the screen as shown in Figure 50, and click Apply.
Figure 50 Edit Custom Port Example
7 Select Any in the Destination Address List box and then click Delete.
8 Configure the destination address screen as shown in Figure 51 and click Add.
Figure 51 Firewall Example: Edit Rule: Destination Address
9 Use the Add >> and Remove buttons between the Available Services and Selected Services list boxes to configure the rule as shown in Figure 52. Click Apply when you are done.
Note: Custom services show up with an "*" before their names in the Services list box and the Rules list box.
Figure 52 Firewall Example: Edit Rule: Select Customized Services
On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following.
Rule 1 allows a "MyService" connection from the WAN to IP addresses 192.168.1.1 through 192.168.1.15 on the LAN. A WAN to LAN permit rule exposes those hosts to the Internet, so keep the destination range as narrow as the service needs; if the low end of the range is the ZyXEL Device's own LAN IP address rather than a host that should receive MyService, start the range at the first real host instead.
Figure 53 Firewall Example: Rules: MyService
7.2 The Firewall General Screen
Use this screen to configure the firewall settings. Click Security > Firewall to display the following screen.
Figure 54 Security > Firewall > General
The following table describes the labels in this screen.
Table 31 Security > Firewall > General
LABEL: DESCRIPTION
Active Firewall: Select this check box to activate the firewall. The ZyXEL Device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Bypass Triangle Route: If an alternate gateway on the LAN has an IP address in the same subnet as the ZyXEL Device's LAN IP address, return traffic may not go through the ZyXEL Device. This is called an asymmetrical or "triangle" route. This causes the ZyXEL Device to reset the connection, as the connection has not been acknowledged. Select this check box to have the ZyXEL Device permit the use of asymmetrical route topology on the network (not reset the connection).
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyXEL Device. A better solution is to use IP alias to put the ZyXEL Device and the backup gateway on separate subnets. See Section 7.5.4.1 on page 101 for an example.
Packet Direction: This is the direction of travel of packets (LAN to Router, LAN to WAN, WAN to Router, WAN to LAN). Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to Router means packets traveling from a computer/subnet on the LAN to the ZyXEL Device itself.
Default Action: Use the drop-down list boxes to select the default action that the firewall is to take on packets that are traveling in the selected direction and do not match any of the firewall rules. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender. Select Permit to allow the passage of the packets.
Log: Select the check box to create a log (when the above action is taken) for packets that are traveling in the selected direction and do not match any of your customized rules.
Expand...: Click this to display more information.
Basic...: Click this to display less information.
Apply: Click this to save your changes.
Cancel: Click this to restore your previously saved settings.
7.3 The Firewall Rule Screen
Note: The ordering of your rules is very important as rules are applied in turn.
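The following added example (not code from the user's guide or from ZyXEL) models how the rule screens behave, serving both the MyService example of Section 7.1.3 and the Packet Direction and Default Action descriptions in Table 31: rules are grouped by direction, applied in turn with the first match deciding, and a per-direction default action (Permit, Drop or Reject) handles anything no rule matches. The MyService definition (TCP port 5000), the catch-all rule used to show shadowing and the sample packets are assumptions for this example; the guide only shows the service's name and destination range.

```python
"""First-match firewall rule model with per-direction default action.

Assumptions for this example, not from the P-660R-F1 user's guide: the
MyService port (TCP 5000), the Any(TCP) catch-all service, and the packets.
"""

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str   # "tcp" or "udp"
    ports: range    # destination port range, end exclusive


@dataclass(frozen=True)
class Rule:
    action: str     # "permit", "drop" or "reject"
    services: tuple # the rule's Selected Services
    dst_low: IPv4Address
    dst_high: IPv4Address

    def matches(self, pkt):
        in_range = self.dst_low <= ip_address(pkt["dst"]) <= self.dst_high
        svc_hit = any(s.protocol == pkt["proto"] and pkt["dport"] in s.ports
                      for s in self.services)
        return in_range and svc_hit


# Assumed definition of the custom service (the guide configures it in Figure 50).
MY_SERVICE = Service("*MyService", "tcp", range(5000, 5001))
ANY_TCP = Service("Any(TCP)", "tcp", range(0, 65536))

# Rule 1 from the example: WAN to LAN, MyService, 192.168.1.1 through 192.168.1.15.
MYSERVICE_RULE = Rule("permit", (MY_SERVICE,),
                      ip_address("192.168.1.1"), ip_address("192.168.1.15"))
WAN_TO_LAN = [MYSERVICE_RULE]


def first_match(rules, default_action, pkt):
    """Rules are applied in turn; the first match decides.  Returns the action
    and the 1-based rule number, or the direction's default action and None."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return default_action, None


def sender_sees(action, pkt):
    """What Permit, Drop and Reject look like from the sender's side."""
    if action == "permit":
        return "forwarded"
    if action == "drop":
        return "silence"
    return "tcp-rst" if pkt["proto"] == "tcp" else "icmp-unreachable"


def demo():
    # Constructed packets arriving from the WAN.
    hit = {"proto": "tcp", "dst": "192.168.1.10", "dport": 5000}
    out_of_range = {"proto": "tcp", "dst": "192.168.1.20", "dport": 5000}
    wrong_proto = {"proto": "udp", "dst": "192.168.1.10", "dport": 5000}

    results = {}
    for name, pkt in [("hit", hit), ("out_of_range", out_of_range),
                      ("wrong_proto", wrong_proto)]:
        action, number = first_match(WAN_TO_LAN, "drop", pkt)
        results[name] = (action, number, sender_sees(action, pkt))

    # Same miss with the default changed to Reject: the sender now learns
    # something (an ICMP unreachable for UDP) instead of seeing nothing.
    action, _ = first_match(WAN_TO_LAN, "reject", wrong_proto)
    results["wrong_proto_reject"] = (action, None, sender_sees(action, wrong_proto))

    # Ordering: a catch-all drop placed before rule 1 shadows it entirely,
    # which is why the rule screen warns that rules are applied in turn.
    shadowed = [Rule("drop", (ANY_TCP,), ip_address("0.0.0.0"), ip_address("255.255.255.255")),
                MYSERVICE_RULE]
    results["shadowed"] = first_match(shadowed, "drop", hit)[:2]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two things the model makes concrete: Drop leaves the sender with no response at all (the same silence that anti-probing aims for), whereas Reject answers with a TCP reset or an ICMP unreachable and so confirms that a device is filtering; and a broad rule inserted above a specific one silently disables it, so check the index number you choose in step 3 of the example.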