Link Stateful Inspection, 154 | Motorola 2200, 7000, 3352N, 3342

Administrator’s Handbook

Link: Stateful Inspection

All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Internet Protocol (IP) layers. Stateful Inspection ﬁrewalls intercept and analyze incoming data packets to determine whether they should be admitted to your private LAN, based on multiple criteria, or blocked. Stateful inspection improves security by tracking data packets over a period of time, examining incoming and outgoing packets. Outgoing packets that request speciﬁc types of incoming packets are tracked; only those incoming packets constituting a proper response are allowed through the ﬁrewall.

Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. You can conﬁgure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your Gateway. Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not.

Stateful Inspection Firewall installation procedure

☛NOTE:

Installing Stateful Inspection Firewall is mandatory to comply with Required Services Security Policy - Residential Category module - Version 4.1 (speciﬁed by ICSA Labs)

For more information please go to the following URL: http://www.icsalabs.com/icsa/docs/html/communities/ﬁrewalls/pdf/4.1/baseline.pdf

1.Access the router through the web interface from the private LAN.

DHCP server is enabled on the LAN by default.

2.The Gateway’s Stateful Inspection feature must be enabled in order to prevent TCP, UDP and ICMP packets destined for the router or the private hosts.

This can be done by navigating to Expert Mode -> Security -> Stateful Inspection.

•UDP no-activitytime-out: The time in seconds after which a UDP session will be terminated, if there is no trafﬁc on the session.

•TCP no-activitytime-out: The time in seconds after which an TCP session will be terminated, if there is no trafﬁc on the session.

154

Image 154

Motorola 2200, 7000, 3352N, 3342 manual Link Stateful Inspection, Stateful Inspection Firewall installation procedure, 154

Contents

Administrator’s Handbook Administrator’s Handbook CopyrightPage Administrator’s Handbook Table of Contents Breadcrumb Trail Security Basic Troubleshooting Command Line Interface 223 Administrator’s Handbook Glossary Overview of Major Capabilities Introduction What’s New Administrator’s Handbook Documentation Conventions About Motorola Netopia DocumentationIntended Audience General Command Line Interface Internal Web Interface Organization Word About Example Screens Administrator’s Handbook Basic Mode Setup Important Safety Instructions Power Supply Installation Achtung Wichtige SicherheitshinweiseBewahren Sie diese Anweisungen auf Setting up the Motorola Netopia Gateway Microsoft WindowsPage Macintosh MacOS 8 or higher or Mac OS Conﬁguring the Motorola Netopia Gateway MiAVo Vdsl and Ethernet WAN models Quickstart You can skip to Home Page Basic Mode on PPPoE Quickstart Set up the Motorola Netopia Pocket Gateway Page Motorola Netopia Gateway Status Indicator Lights Home Page Basic Mode Down Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Accessing the Expert Web Interface Open the Web Connection Administrator’s Handbook Summary Information Home Page Expert ModeHome Page Information Field Status and/or Description VoIP NAT Navigating the Web Interface ToolbarLink Breadcrumb Trail Restart Button Restart Link Alert Symbol Help Button Help Button Conﬁgure ConﬁgureLink Quickstart Administrator’s Handbook Link LAN Administrator’s Handbook Page Administrator’s Handbook Wireless supported models Privacy Page Advanced About Closed System Mode Administrator’s Handbook Examples Multiple SSIDsWPA Version Allowed Administrator’s Handbook Page WiFi Multimedia Wireless MAC Authorization Administrator’s Handbook Use Radius Server Advanced Network Conﬁguration page appears Link WAN PPP over Ethernet interface DHCP/PPPoE/PPPoA Autosensing Advanced RIP-1 compatibility, or RIP-2 with MD5 Ethernet WAN interface Page IP Gateway AdvancedOther WAN Options Adsl Gateways WAN Ethernet and Vdsl GatewaysAvailable Encapsulation types Administrator’s Handbook Page Sustained Cell Rate SCR Class Transmit Priority Comments Link Advanced Link IP Static Routes IP Static Route Entry page appears Changes link Link IP Static ARP Link Pinholes Gateway Tips for making Pinhole Entries Pinhole Conﬁguration Procedure. Use the following steps Page Administrator’s Handbook Conﬁgure the IPMaps Feature FAQs for the IPMaps Feature 192.168.1.1 IPMaps Block DiagramMotorola Netopia Gateway WAN Interface LAN Interface 192.168.1.2 Link Default Server Internet Gateway Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link DNS Link Dhcp Server Link Radius Server Link Snmp Page Igmp Version 3 supports Link Igmp Internet Group Management Protocol100 101 Link UPnP 102 Link LAN Management 103 Link Ethernet Bridge 104 Conﬁguring for Bridge Mode 105 106 Overview 107 Ethernet Switching/Policy Setup 108 Vlan Model Combining Bridging and Routing 109 110 Vlan Port Conﬁguration screen appears 111 112 113 114 115 Example 116 117 118 Click the Save and Restart link 119 Supported models only 120 SIP Line Entry 121 Call Features Settings 122 123 Link System 124 Link Syslog Parameters 125 System Log Messages Administration Related Log MessagesLog Event Messages DSL Log Messages most common Access-related Log Messages 127 128 Link Internal Servers 129 Link Software Hosting 130 List of Supported Games and Software 131 Rename a UserPC 132 Manual options Check the Enable Backup Gateway checkbox133 Automatic options 134 135 Link Ethernet MAC Override 136 Link Clear Options 137 Link Time Zone 138 Button Security Security139 Link Passwords 140 141 Use a Motorola Netopia Firewall Conﬁguring for a BreakWater SettingLink Firewall 142 Basic Firewall Background Tips for making your BreakWater Basic Firewall Selection143 BreakWater Setting ClearSailing SilentRunning LANdLocked 144 145 Link IPSec 146 SafeHarbour IPSec VPN 147 Conﬁguring a SafeHarbour VPN 148 149 Parameter Motorola Netopia Peer Gateway Be sure that you have SafeHarbour VPN enabled 150 Field Description Parameter Descriptions151 152 Address/Value 153 Link Stateful Inspection Stateful Inspection Firewall installation procedure154 Exposed Addresses 155 156 Port Protocol Description LAN Private WAN Public Interface Open Ports in Default Stateful Inspection InstallationStateful Inspection Options 157 Basic IP packet components Firewall TutorialGeneral ﬁrewall terms Basic protocol types Firewall Logic Example TCP/UDP Ports TCP Port ServiceFirewall design rules 159 Example ﬁlter set Implied rules160 What it means Filter basicsExample ﬁlters Example network 162 What’s a ﬁlter and what’s a ﬁlter set? Link Packet Filter163 Filter priority How ﬁlter sets work164 Parts of a ﬁlter How individual ﬁlters workﬁltering rule Port numbers Other ﬁlter attributes Port number comparisons166 Filtering example #1 Putting the parts together167 168 Filtering example #2 Design guidelines169 An approach to using ﬁlters 170 Adding a ﬁlter set Working with IP Filters and Filter Sets171 Adding ﬁlters to a ﬁlter set 172 173 Enter the Source Mask for the source IP address 174 Deleting a ﬁlter set 175 Associating a Filter Set with an Interface 176 TOS ﬁeld matching Policy-based Routing using Filtersets177 178 Link Security Log Using the Security Monitoring Log179 180 TCP Timestamp Background 181 Button Install Install182 Background Link Install SoftwareRequired Files 183 Conﬁrm Motorola Netopia Firmware Image Files Install the Motorola Netopia ﬁrmware ImageMotorola Netopia ﬁrmware Image File 184 Verify the Motorola Netopia Firmware Release 185 186 Obtaining Software Feature Keys Link Install KeyUse Motorola Netopia Software Feature Keys Procedure Install a New Feature Key File 188 To check your installed features 189 Link Install Certiﬁcate 190 191 Administrator’s Handbook 192 Basic Troubleshooting 193 Ethernet Status Indicator LightsAction 194 Model 2241N only 195 Ethernet 1, 2, 3 196 Wireless 197 198 Special patterns 199 LAN 1, 2, 3 200 Wireless Link 201 Models only Ethernet 1, 2, 3 DSL 1 & 2 ADSL2+202 203 LED Function Summary Matrix 204 Trafﬁc Wireless UnlitActive Link Factory Reset Switch Advanced Troubleshooting 207 Home 208 209 Device Gateway Button Troubleshoot Expert Mode210 Link System Status 211 Link Ports Ethernet 212 Link Ports DSL 213 Link IP Interfaces 214 Link DSL Circuit Conﬁguration 215 Link System Log Entire 216 Link Diagnostics 217 Link Network Tools 218 219 If Ping is not successful, possible causes are 220 221 Administrator’s Handbook 222 Command Line Interface 223 Overview 224 Keywords Command Verbs Status and/or Description225 Starting and Ending a CLI Session Using the CLI Help FacilitySaving Settings Logging Shell Prompt About Shell CommandsShell Command Shortcuts 227 Shell Commands Common Commands Loglevel level License key229 Quit NetstatNetstat -r 230 Reset cdmode Reset arpReset atm Reset crash Reset wan Reset security-logReset wan-users all ip-address Reset wepkeys Show dhcp server leases Show crashShow dhcp agent Show diffserv Show group-mgmt Show featuresShow etheroam ah Show ip arp Show ip routes Show ip ﬁrewallShow ip lan-discovery Show ip state-insp Show vlan Show statusShow summary 236 237 Upload serveraddress ﬁlename conﬁrm Show wireless allShow wireless clients MACaddress View conﬁg WAN Commands Navigating the Config Hierarchy About Config CommandsConfig Mode Prompt Show ppp stats lcp ipcp Set ip ethernet a ipaddress Entering Commands in Config ModeGuidelines Config Commands 241 Validating Your Conﬁguration Displaying Current Gateway SettingsStep Mode a CLI Conﬁguration Technique 242 Config Commands Remote ATA Conﬁguration Commands Set ata proﬁle 0.. ata-proxy-server ipaddr Set ata proﬁle 0.. ata-user-password stringSet ata proﬁle 0.. ata-static-wan-gateway ipaddr Set ata proﬁle 0.. ata-proxy-port port DSL Commands Set atm vcc n vci 0 Bridging SettingsSet atm vcc n vpi 0 Set atm vccn pppoe-sessions 1 Set bridge concurrent-bridging-routing on off Set bridge table-timeout 30Set bridge sys-bridge on off Set bridge dhcp-ﬁlterset string Dhcp Settings Set dhcp gen-option name name Set dhcp range 2.. start-address ipaddressSet dhcp range 2.. end-address ipaddress Set dhcp gen-option option 1 Option Data Format Data Size Can Bytes Conﬁgure 250 Set dhcp gen-option data data Set dhcp gen-option data-type ascii hex dotted-decimal251 Set dhcp ﬁlterset name string rule n match-str matchstring Set dhcp ﬁlterset name string rule n dhcp-option 0252 Set dhcp assigned-ﬁlterset string Set dhcp ﬁlterset name string rule n match-pool ipaddressSet dhcp ﬁlterset name string rule n absent-pool ipaddress 253 DMT Settings Domain Name System Settings 256 Igmp Settings 257 Set igmp query-intvl value Set igmp snooping off onSet igmp robustness value Set igmp query-response-intvl value IP Settings Set ip dsl vccn addr-mapping on off Set ip dsl vccn restrictions admin-disabled noneSet ip dsl vccn netmask netmask Set ip dsl vccn auto-sensing off dhcp/pppoe pppoe/pppoa Set ip ethernet a option on off Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5 Set ip ethernet a address ipaddress Set ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 Set ip ethernet a restrictions none admin-disabledSet ip ethernet a netmask netmask Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5 Set ip gateway option on off Set ip ethernet a subnet n address ipaddressSet ip ethernet a subnet n netmask netmask Set ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn restrictions admin-disabled noneSet ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn auto-sensing off dhcp/pppoe pppoe/pppoa Set ip ip-ppp vccn mcast-fwd on off Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5Set ip ip-ppp vccn igmp-null-source-addr on off Set ip ip-ppp vccn unnumbered on off Set ip ipsec-passthrough off on Set ip static-arp ip-addressipaddressSet ip igmp-forwarding off on Set ip prioritize off on Set diffserv lohi-ratio 60 100 percent Set diffserv option off on267 Qos off assure expedite network-control 268 Set diffserv qos dscp-map default custom 269 270 Queue Conﬁguration 271 272 Set queue name wfq weight-type bps 273 Set queue name priorityqueuename default-inputqueuename 274 Rate-limiting weighted fair queue to 100Kbps 275 Set ip static-routes destination-networknetaddress Set ip sip-passthrough on offSet ip ethernet B rtsp-passthrough off on 276 Set ip-maps name name internal-ip ip address IPMaps SettingsDelete ip static-routes destination-network netaddress Set ip-maps name name external-ip ip address Network Address Translation NAT Default Settings Network Address Translation NAT Pinhole Settings PPPoE /PPPoA Settings Set ppp module vccn protocol-compression on off Set ppp module vccn restart-timer integerSet ppp module vccn magic-number on off Set ppp module vccn lcp-echo-requests on off Set ppp module vccn connection-type instant-on always-on Set ppp module vccn port-authentication username usernameSet ppp module vccn port-authentication password password Set ppp module vccn time-out integer Set wan-over-ether pppoe-with-ipoe on off PPPoE with IPoE SettingsSet wan-over-ether pppoe on off Set wan-over-ether ipoe-sessions 1 Set ip ip-ppp vcc1 mcast-fwd on off Ethernet Port SettingsSet atm vcc n encap pppoe-llc Set ip ip-ppp vcc1 igmp-null-source-addr off on 802.3ah Ethernet OAM Settings Set preference more lines Command Line Interface Preference SettingsSet preference verbose on off 285 Set servers telnet-tcp 1 Port Renumbering SettingsSet servers web-http 1 286 Set security ipsec option off on off Security SettingsSet security ipsec tunnels name 123 tun-enable on on off Set security ipsec tunnels name Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 288 Set security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 xauth username username Set security ipsec tunnels name 123 remote-id idvalue Set security ipsec tunnels name 123 local-id idvalue290 291 Set security state-insp dos-detect off on Set security state-insp tcp-timeout 30Set security state-insp udp-timeout 30 292 Set security state-insp xposed-addr exposed-address# n 293 Packet Filtering Settings 294 Operator 295 296 Snmp Settings Set system name name System Settings298 Set system password admin user Set system idle-timeout telnet 1...120 http 1Set system username administrator name user name Set system ftp-server option off on Set system zerotouch option on off Sleep Contact-email string@domainname location string300 Syslog Default syslog installation procedure 302 Wireless Settings supported models 304 Set wireless tx-power full medium fair low minimal Set wireless no-bridging off on305 Set wireless wmm option off on 306 307 Set wireless network-id privacy default-keyid Set wireless network-id privacy pre-shared-key string308 Example 40bit key 02468ACE02 Set wireless mac-auth option on off309 Set radius alt-radius-name servernamestring Set radius radius-name servernamestringSet radius radius-secret sharedsecret Set radius alt-radius-secret sharedsecret Vlan Settings Set vlan name name ip-interface ipinterface Set vlan name name ports port port-pbits 0312 Assign an IP interface 313 314 Set vlan name PPPoE11 id 315 Set vlan name Video31 ports eth1 tag on VoIP settings Set voip phone 0 1 sip-user-name username Set voip phone 0 1 sip-user-password passwordSet voip phone 0 1 sip-user-display-name name Set voip phone 0 1 auth-id string Set voip phone 0 1 codec G72640 priority 1 2 3 4 5 6 7 none 318 319 320 UPnP settings DSL Forum settings TR-069 322 Backup IP Gateway Settings Set ip backup-gateway default ipaddress 324 Vdsl Settings 325 326 Vdsl Parameters Accepted Values 327 Parameter 328 Accepted Values 329 330 Glossary 331 332 333 Ethernet crossover cable. See crossover cable 334 335 336 337 338 339 340 341 Administrator’s Handbook 342 Description 343 North America Agency approvalsManufacturer’s Declaration of Conformance International Declaration for Canadian users 345 Telecommunication installation cautions Important Safety InstructionsAustralian Safety Information 346 CFR Part 68 Information 347 Copyright Acknowledgments Electrical Safety Advisory348 349 350 PPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM Wide Area Network Termination351 Dhcp Dynamic Host Conﬁguration Protocol Server Simpliﬁed Local Area Network SetupInstant-On PPP 352 DNS Proxy DiagnosticsManagement Embedded Web Server Network Address Translation NAT Remote Access ControlPassword Protection 354 Internal Servers Motorola Netopia Advanced Features for NATMotorola Netopia Gateway 355 Combination NAT Bypass Conﬁguration Default ServerPinholes IP-Passthrough VPN IPSec Tunnel Termination VPN IPSec Pass Through357 VLANs Stateful Inspection FirewallSSL Certiﬁcate Support 358 Index 359 Config 360 361 NAT 264, 278 362 PPP 363 Shell 364 VPN 365 366 367 Administrator’s Handbook 368