SMC Networks SMCWBR14-N2 Firewall Settings Enable SPI, NAT Endpoint Filtering, Address Restricted

Firewall Settings

Enable SPI

SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to prevent cyber attacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers.

Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state.
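The sequence-number check described above, as an added example (not taken from the SMC manual or the router's firmware). It tracks one direction of one session; the tolerance of one window on either side of the next expected sequence number and the names `FlowDirection`, `seq_distance` and `replay` are assumptions made for illustration.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_distance(seq, ref):
    """Signed distance from ref to seq, correct across the 2**32 wrap."""
    d = (seq - ref) % MOD
    return d - MOD if d >= MOD // 2 else d


class FlowDirection:
    """Sequence state for one direction of one TCP session (simplified)."""

    def __init__(self, isn, window):
        self.next_expected = (isn + 1) % MOD  # the SYN consumes one sequence number
        self.window = window                  # assumed tolerance, not from the manual

    def accept(self, seq, length):
        """Return True to pass the segment, False to discard it."""
        d = seq_distance(seq, self.next_expected)
        if not -self.window <= d < self.window:
            return False                      # outside the valid range: discard
        if d <= 0 < d + length:               # segment carries new in-order data
            self.next_expected = (seq + length) % MOD
        return True


def replay(isn, window, segments):
    """Run (seq, payload_length) pairs through a fresh flow; return the verdicts."""
    flow = FlowDirection(isn, window)
    return [flow.accept(seq, length) for seq, length in segments]


# Constructed segments for a session whose initial sequence number is 0xFFFFFF00.
SAMPLE = [
    (0xFFFFFF01, 0x200),  # first data, crosses the 32-bit wrap
    (0x00000101, 100),    # next in-order segment
    (0x00000101, 100),    # retransmission of the same data
    (0x40000165, 0),      # segment far outside the window (e.g. a blind forgery)
    (0x00000165, 50),     # in-order data continues
]

if __name__ == "__main__":
    print(replay(0xFFFFFF00, 65535, SAMPLE))
```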

NAT Endpoint Filtering

The NAT Endpoint Filtering options control how the router's NAT manages incoming connection requests to ports that are already being used.

Endpoint Independent

Once a LAN-side application has created a connection through a specific port, the NAT will forward any incoming connection requests with the same port to the LAN-side application regardless of their origin. This is the least restrictive option, giving the best connectivity and allowing some applications (P2P applications in particular) to behave almost as if they are directly connected to the Internet.

Address Restricted

The NAT forwards incoming connection requests to a LAN-side host only when they come from the same IP address with which a connection was established. This allows the remote application to send data back through a port different from the one used when the outgoing session was created.

Port And Address Restricted

The NAT does not forward any incoming connection requests with the same port address as an already established connection.

Note that some of these options can interact with other port restrictions. Endpoint Independent Filtering takes priority over inbound filters or schedules, so it is possible for an incoming session request related to an outgoing session to enter through a port in spite of an active inbound filter on that port. However, packets will be rejected as expected when sent to blocked ports (whether blocked by schedule or by inbound filter) for which there are no active sessions. Port and Address Restricted Filtering ensures that inbound filters and schedules work precisely, but prevents some level of connectivity, and therefore might require the use of port triggers, virtual servers, or port forwarding to open the ports needed by the application. Address Restricted Filtering gives a compromise position, which avoids problems when communicating with certain other types of NAT router (symmetric NATs in particular) but leaves inbound filters and scheduled access working as expected.
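The three filtering modes and their interaction with an inbound filter, as an added toy model (not the router's implementation). It assumes the inbound filter is a set of blocked WAN ports, that packets from the exact remote endpoint of an outgoing session always pass, and that Port And Address Restricted behaves like RFC 4787 address and port-dependent filtering; all addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field

EI, AR, PAR = "Endpoint Independent", "Address Restricted", "Port And Address Restricted"


@dataclass
class Nat:
    mode: str
    blocked_ports: set = field(default_factory=set)  # inbound filter (assumed: per WAN port)
    sessions: dict = field(default_factory=dict)     # WAN port -> (LAN host, remote endpoints)

    def outbound(self, lan_host, wan_port, remote_ip, remote_port):
        """Record an outgoing session the NAT mapped to wan_port."""
        _, remotes = self.sessions.setdefault(wan_port, (lan_host, set()))
        remotes.add((remote_ip, remote_port))

    def inbound(self, wan_port, src_ip, src_port):
        """Return the LAN host a WAN-side packet is forwarded to, or None if dropped."""
        session = self.sessions.get(wan_port)
        if session is None:
            return None                      # port not in use: nothing to forward to
        lan_host, remotes = session
        if (src_ip, src_port) in remotes:
            return lan_host                  # traffic of the established session itself
        # From here on it is a new incoming request to a port already in use.
        if self.mode == EI:
            return lan_host                  # any origin, even past an inbound filter
        if self.mode == AR:
            known_ip = any(ip == src_ip for ip, _ in remotes)
            if known_ip and wan_port not in self.blocked_ports:
                return lan_host              # same remote IP, different source port
        return None                          # PAR, unknown IP, or filtered port


def decisions(mode, blocked_ports=()):
    """Replay constructed packets against one outgoing session (sample data)."""
    nat = Nat(mode, set(blocked_ports))
    nat.outbound("192.168.2.10", 40000, "203.0.113.5", 3478)
    return {
        "same endpoint":       nat.inbound(40000, "203.0.113.5", 3478),
        "same IP, other port": nat.inbound(40000, "203.0.113.5", 5000),
        "other IP":            nat.inbound(40000, "198.51.100.7", 3478),
        "unused port":         nat.inbound(40001, "203.0.113.5", 3478),
    }


if __name__ == "__main__":
    for mode in (EI, AR, PAR):
        print(mode, decisions(mode), decisions(mode, blocked_ports={40000}))
```

With port 40000 blocked by the inbound filter, only Endpoint Independent still forwards the request from the unrelated address, which is the priority behaviour the note above warns about.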

UDP Endpoint Filtering

Controls endpoint filtering for packets of the UDP protocol.

TCP Endpoint Filtering
