Manuals / Motorola / Cell Phone / Cell Phone

Motorola 3352 Set security state-insp tcp-timeout 30, Set security state-insp udp-timeout 30, 292

Models: 2200 3342 3352N 3352 7000

1 368

Download 368 pages 62.68 Kb

Page 292

Administrator’s Handbook

Stateful Inspection

Stateful inspection options are accessed by the security state-insptag.

set security state-insp [ ip-ppp dsl ] vccn option [ off on ] set security state-insp ethernet [ A B ] option [ off on ]

Sets the stateful inspection option off or on on the speciﬁed interface. This option is disabled by default. Stateful inspection prevents unsolicited inbound access when NAT is disabled.

set security state-insp [ ip-ppp dsl ] vccn default-mapping [ off on ]

set security state-insp ethernet [ A B ] default-mapping [ off on ]

Sets stateful inspection default mapping to router option off or on on the speciﬁed interface.

set security state-insp [ ip-ppp dsl ] vccn tcp-seq-diff [ 0 - 65535 ]

set security state-insp ethernet [ A B ] tcp-seq-diff [ 0 - 65535 ]

Sets the acceptable TCP sequence difference on the speciﬁed interface. The TCP sequence number differ- ence maximum allowed value is 65535. If the value of tcp-seq-diffis 0, it means that this check is dis- abled.

set security state-insp [ ip-ppp dsl ] vccn deny-fragments [ off on ]

set security state-insp ethernet [ A B ] deny-fragments [ off on ]

Sets whether fragmented packets are allowed to be received or not on the speciﬁed interface.

set security state-insp tcp-timeout [ 30 - 65535 ]

Sets the stateful inspection TCP timeout interval, in seconds.

set security state-insp udp-timeout [ 30 - 65535 ]

Sets the stateful inspection UDP timeout interval, in seconds.

set security state-insp dos-detect [ off on ]

Enables or disables the stateful inspection Denial of Service detection feature. If set to on, the device will monitor packets for Denial of Service (DoS) attack. Offending packets may be discarded if it is determined to be a DoS attack.

292

Image 292

Motorola 7000, 3352N, 3342, 2200 manual Set security state-insp tcp-timeout 30, Set security state-insp udp-timeout 30, 292

Contents

Administrator’s Handbook Administrator’s Handbook CopyrightPage Administrator’s Handbook Table of Contents Breadcrumb Trail Security Basic Troubleshooting Command Line Interface 223 Administrator’s Handbook Glossary Overview of Major Capabilities Introduction What’s NewAdministrator’s Handbook About Motorola Netopia Documentation Intended AudienceDocumentation Conventions GeneralCommand Line Interface Internal Web InterfaceOrganization Word About Example ScreensAdministrator’s Handbook Basic Mode Setup Important Safety Instructions Power Supply InstallationAchtung Wichtige SicherheitshinweiseBewahren Sie diese Anweisungen auf Setting up the Motorola Netopia Gateway Microsoft WindowsPage Macintosh MacOS 8 or higher or Mac OS Conﬁguring the Motorola Netopia Gateway MiAVo Vdsl and Ethernet WAN models QuickstartYou can skip to Home Page Basic Mode on PPPoE Quickstart Set up the Motorola Netopia Pocket Gateway Page Motorola Netopia Gateway Status Indicator Lights Home Page Basic Mode Down Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Accessing the Expert Web Interface Open the Web ConnectionAdministrator’s Handbook Home Page Expert Mode Home Page InformationSummary Information Field Status and/or DescriptionVoIP NATNavigating the Web Interface ToolbarLink Breadcrumb Trail Restart Button RestartLink Alert Symbol Help Button HelpButton Conﬁgure ConﬁgureLink Quickstart Administrator’s Handbook Link LAN Administrator’s Handbook Page Administrator’s Handbook Wireless supported models Privacy Page Advanced About Closed System Mode Administrator’s Handbook Examples Multiple SSIDsWPA Version Allowed Administrator’s Handbook Page WiFi Multimedia Wireless MAC Authorization Administrator’s Handbook Use Radius Server Advanced Network Conﬁguration page appears Link WAN PPP over Ethernet interfaceDHCP/PPPoE/PPPoA Autosensing Advanced RIP-1 compatibility, or RIP-2 with MD5Ethernet WAN interface Page IP Gateway AdvancedOther WAN Options Adsl Gateways WAN Ethernet and Vdsl GatewaysAvailable Encapsulation types Administrator’s Handbook Page Sustained Cell Rate SCR Class Transmit Priority CommentsLink Advanced Link IP Static Routes IP Static Route Entry page appearsChanges link Link IP Static ARP Link Pinholes Gateway Tips for making Pinhole EntriesPinhole Conﬁguration Procedure. Use the following steps Page Administrator’s Handbook Conﬁgure the IPMaps Feature FAQs for the IPMaps FeatureIPMaps Block Diagram Motorola Netopia Gateway WAN Interface LAN Interface192.168.1.1 192.168.1.2Link Default Server Internet Gateway Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link DNS Link Dhcp Server Link Radius Server Link Snmp Page Igmp Version 3 supports Link Igmp Internet Group Management Protocol100 101 Link UPnP 102Link LAN Management 103Link Ethernet Bridge 104Conﬁguring for Bridge Mode 105106 Overview 107Ethernet Switching/Policy Setup 108Vlan Model Combining Bridging and Routing 109110 Vlan Port Conﬁguration screen appears 111112 113 114 115 Example 116117 118 Click the Save and Restart link 119Supported models only 120SIP Line Entry 121Call Features Settings 122123 Link System 124Link Syslog Parameters 125Administration Related Log Messages Log Event MessagesSystem Log Messages DSL Log Messages most commonAccess-related Log Messages 127128 Link Internal Servers 129Link Software Hosting 130List of Supported Games and Software 131Rename a UserPC 132Manual options Check the Enable Backup Gateway checkbox133 Automatic options 134135 Link Ethernet MAC Override 136Link Clear Options 137Link Time Zone 138Button Security Security139 Link Passwords 140141 Conﬁguring for a BreakWater Setting Link FirewallUse a Motorola Netopia Firewall 142Basic Firewall Background Tips for making your BreakWater Basic Firewall Selection143 BreakWater Setting ClearSailing SilentRunning LANdLocked 144145 Link IPSec 146SafeHarbour IPSec VPN 147Conﬁguring a SafeHarbour VPN 148149 Parameter Motorola Netopia Peer GatewayBe sure that you have SafeHarbour VPN enabled 150Field Description Parameter Descriptions151 152 Address/Value153 Link Stateful Inspection Stateful Inspection Firewall installation procedure154 Exposed Addresses 155156 Open Ports in Default Stateful Inspection Installation Stateful Inspection OptionsPort Protocol Description LAN Private WAN Public Interface 157Firewall Tutorial General ﬁrewall termsBasic IP packet components Basic protocol typesExample TCP/UDP Ports TCP Port Service Firewall design rulesFirewall Logic 159Example ﬁlter set Implied rules160 Filter basics Example ﬁltersWhat it means Example network162 What’s a ﬁlter and what’s a ﬁlter set? Link Packet Filter163 Filter priority How ﬁlter sets work164 How individual ﬁlters work ﬁltering ruleParts of a ﬁlter Port numbersOther ﬁlter attributes Port number comparisons166 Filtering example #1 Putting the parts together167 168 Filtering example #2 Design guidelines169 An approach to using ﬁlters 170Adding a ﬁlter set Working with IP Filters and Filter Sets171 Adding ﬁlters to a ﬁlter set 172173 Enter the Source Mask for the source IP address 174Deleting a ﬁlter set 175Associating a Filter Set with an Interface 176TOS ﬁeld matching Policy-based Routing using Filtersets177 178 Link Security Log Using the Security Monitoring Log179 180 TCPTimestamp Background 181Button Install Install182 Link Install Software Required FilesBackground 183Install the Motorola Netopia ﬁrmware Image Motorola Netopia ﬁrmware Image FileConﬁrm Motorola Netopia Firmware Image Files 184Verify the Motorola Netopia Firmware Release 185186 Link Install Key Use Motorola Netopia Software Feature KeysObtaining Software Feature Keys Procedure Install a New Feature Key File188 To check your installed features 189Link Install Certiﬁcate 190191 Administrator’s Handbook 192 Basic Troubleshooting 193Status Indicator Lights ActionEthernet 194Model 2241N only 195Ethernet 1, 2, 3 196Wireless 197198 Special patterns 199LAN 1, 2, 3 200Wireless Link 201Models only Ethernet 1, 2, 3 DSL 1 & 2 ADSL2+202 203 LED Function Summary Matrix 204Wireless Unlit ActiveTrafﬁc LinkFactory Reset Switch Advanced Troubleshooting 207Home 208209 Device GatewayButton Troubleshoot Expert Mode210 Link System Status 211Link Ports Ethernet 212Link Ports DSL 213Link IP Interfaces 214Link DSL Circuit Conﬁguration 215Link System Log Entire 216Link Diagnostics 217Link Network Tools 218219 If Ping is not successful, possible causes are 220221 Administrator’s Handbook 222 Command Line Interface 223Overview 224Keywords Command Verbs Status and/or Description225 Using the CLI Help Facility Saving SettingsStarting and Ending a CLI Session LoggingAbout Shell Commands Shell Command ShortcutsShell Prompt 227Shell Commands Common CommandsLoglevel level License key229 Netstat Netstat -rQuit 230Reset arp Reset atmReset cdmode Reset crashReset security-log Reset wan-users all ip-addressReset wan Reset wepkeysShow crash Show dhcp agentShow dhcp server leases Show diffservShow features Show etheroam ahShow group-mgmt Show ip arpShow ip ﬁrewall Show ip lan-discoveryShow ip routes Show ip state-inspShow status Show summaryShow vlan 236237 Show wireless all Show wireless clients MACaddressUpload serveraddress ﬁlename conﬁrm View conﬁgWAN Commands About Config Commands Config Mode PromptNavigating the Config Hierarchy Show ppp stats lcp ipcpEntering Commands in Config Mode Guidelines Config CommandsSet ip ethernet a ipaddress 241Displaying Current Gateway Settings Step Mode a CLI Conﬁguration TechniqueValidating Your Conﬁguration 242Config Commands Remote ATA Conﬁguration CommandsSet ata proﬁle 0.. ata-user-password string Set ata proﬁle 0.. ata-static-wan-gateway ipaddrSet ata proﬁle 0.. ata-proxy-server ipaddr Set ata proﬁle 0.. ata-proxy-port portDSL Commands Bridging Settings Set atm vcc n vpi 0Set atm vcc n vci 0 Set atm vccn pppoe-sessions 1Set bridge table-timeout 30 Set bridge sys-bridge on offSet bridge concurrent-bridging-routing on off Set bridge dhcp-ﬁlterset stringDhcp Settings Set dhcp range 2.. start-address ipaddress Set dhcp range 2.. end-address ipaddressSet dhcp gen-option name name Set dhcp gen-option option 1Option Data Format Data Size Can Bytes Conﬁgure 250Set dhcp gen-option data data Set dhcp gen-option data-type ascii hex dotted-decimal251 Set dhcp ﬁlterset name string rule n match-str matchstring Set dhcp ﬁlterset name string rule n dhcp-option 0252 Set dhcp ﬁlterset name string rule n match-pool ipaddress Set dhcp ﬁlterset name string rule n absent-pool ipaddressSet dhcp assigned-ﬁlterset string 253DMT Settings Domain Name System Settings 256 Igmp Settings 257Set igmp snooping off on Set igmp robustness valueSet igmp query-intvl value Set igmp query-response-intvl valueIP Settings Set ip dsl vccn restrictions admin-disabled none Set ip dsl vccn netmask netmaskSet ip dsl vccn addr-mapping on off Set ip dsl vccn auto-sensing off dhcp/pppoe pppoe/pppoaSet ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5 Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5Set ip ethernet a option on off Set ip ethernet a address ipaddressSet ip ethernet a restrictions none admin-disabled Set ip ethernet a netmask netmaskSet ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5Set ip ethernet a subnet n address ipaddress Set ip ethernet a subnet n netmask netmaskSet ip gateway option on off Set ip gateway interface ip-address ppp-vccnSet ip ip-ppp vccn restrictions admin-disabled none Set ip ip-ppp vccn peer-address ipaddressSet ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn auto-sensing off dhcp/pppoe pppoe/pppoaSet ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5 Set ip ip-ppp vccn igmp-null-source-addr on offSet ip ip-ppp vccn mcast-fwd on off Set ip ip-ppp vccn unnumbered on offSet ip static-arp ip-addressipaddress Set ip igmp-forwarding off onSet ip ipsec-passthrough off on Set ip prioritize off onSet diffserv lohi-ratio 60 100 percent Set diffserv option off on267 Qos off assure expedite network-control 268Set diffserv qos dscp-map default custom 269270 Queue Conﬁguration 271272 Set queue name wfq weight-type bps 273Set queue name priorityqueuename default-inputqueuename 274Rate-limiting weighted fair queue to 100Kbps 275Set ip sip-passthrough on off Set ip ethernet B rtsp-passthrough off onSet ip static-routes destination-networknetaddress 276IPMaps Settings Delete ip static-routes destination-network netaddressSet ip-maps name name internal-ip ip address Set ip-maps name name external-ip ip addressNetwork Address Translation NAT Default Settings Network Address Translation NAT Pinhole SettingsPPPoE /PPPoA Settings Set ppp module vccn restart-timer integer Set ppp module vccn magic-number on offSet ppp module vccn protocol-compression on off Set ppp module vccn lcp-echo-requests on offSet ppp module vccn port-authentication username username Set ppp module vccn port-authentication password passwordSet ppp module vccn connection-type instant-on always-on Set ppp module vccn time-out integerPPPoE with IPoE Settings Set wan-over-ether pppoe on offSet wan-over-ether pppoe-with-ipoe on off Set wan-over-ether ipoe-sessions 1Ethernet Port Settings Set atm vcc n encap pppoe-llcSet ip ip-ppp vcc1 mcast-fwd on off Set ip ip-ppp vcc1 igmp-null-source-addr off on802.3ah Ethernet OAM Settings Command Line Interface Preference Settings Set preference verbose on offSet preference more lines 285Port Renumbering Settings Set servers web-http 1Set servers telnet-tcp 1 286Security Settings Set security ipsec tunnels name 123 tun-enable on on offSet security ipsec option off on off Set security ipsec tunnels nameSet security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 288Set security ipsec tunnels name 123 xauth enable off on Set security ipsec tunnels name 123 xauth password passwordSet security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth username usernameSet security ipsec tunnels name 123 remote-id idvalue Set security ipsec tunnels name 123 local-id idvalue290 291 Set security state-insp tcp-timeout 30 Set security state-insp udp-timeout 30Set security state-insp dos-detect off on 292Set security state-insp xposed-addr exposed-address# n 293Packet Filtering Settings 294Operator 295296 Snmp Settings Set system name name System Settings298 Set system idle-timeout telnet 1...120 http 1 Set system username administrator name user nameSet system password admin user Set system ftp-server option off onSet system zerotouch option on off Sleep Contact-email string@domainname location string300 Syslog Default syslog installation procedure 302Wireless Settings supported models 304 Set wireless tx-power full medium fair low minimal Set wireless no-bridging off on305 Set wireless wmm option off on 306307 Set wireless network-id privacy default-keyid Set wireless network-id privacy pre-shared-key string308 Example 40bit key 02468ACE02 Set wireless mac-auth option on off309 Set radius radius-name servernamestring Set radius radius-secret sharedsecretSet radius alt-radius-name servernamestring Set radius alt-radius-secret sharedsecretVlan Settings Set vlan name name ip-interface ipinterface Set vlan name name ports port port-pbits 0312 Assign an IP interface 313314 Set vlan name PPPoE11 id315 Set vlan name Video31 ports eth1 tag onVoIP settings Set voip phone 0 1 sip-user-password password Set voip phone 0 1 sip-user-display-name nameSet voip phone 0 1 sip-user-name username Set voip phone 0 1 auth-id stringSet voip phone 0 1 codec G72640 priority 1 2 3 4 5 6 7 none 318319 320 UPnP settings DSL Forum settingsTR-069 322Backup IP Gateway Settings Set ip backup-gateway default ipaddress 324Vdsl Settings 325326 Vdsl Parameters Accepted Values 327Parameter 328Accepted Values 329330 Glossary 331332 333 Ethernet crossover cable. See crossover cable 334335 336 337 338 339 340 341 Administrator’s Handbook 342 Description 343Agency approvals Manufacturer’s Declaration of ConformanceNorth America InternationalDeclaration for Canadian users 345Important Safety Instructions Australian Safety InformationTelecommunication installation cautions 346CFR Part 68 Information 347Copyright Acknowledgments Electrical Safety Advisory348 349 350 PPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM Wide Area Network Termination351 Simpliﬁed Local Area Network Setup Instant-On PPPDhcp Dynamic Host Conﬁguration Protocol Server 352Diagnostics ManagementDNS Proxy Embedded Web ServerRemote Access Control Password ProtectionNetwork Address Translation NAT 354Motorola Netopia Advanced Features for NAT Motorola Netopia GatewayInternal Servers 355Default Server PinholesCombination NAT Bypass Conﬁguration IP-PassthroughVPN IPSec Tunnel Termination VPN IPSec Pass Through357 Stateful Inspection Firewall SSL Certiﬁcate SupportVLANs 358Index 359Config 360361 NAT 264, 278 362PPP 363Shell 364VPN 365366 367 Administrator’s Handbook 368