ProSafe Gigabit 8 Port VPN Firewall FVS318G Reference Manual

Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker does not complete the connection, thus saturating the server with half-open connections. No legitimate connections can then be made.

When blocking is enabled, the VPN firewall will limit the lifetime of partial connections and will be protected from a SYN flood attack.

LAN Security Checks

Block UDP flood. A UDP flood is a form of denial of service attack in which the attacking machine sends a large number of UDP packets to random ports on the victim host. As a result, the victim host checks for an application listening at each port, finds that none is listening, and replies with an ICMP Destination Unreachable packet.

When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the source IP address of the UDP packets so that the excessive ICMP return packets never reach the attacker, which hides the attacker's network location.

If flood checking is enabled, the VPN firewall will not accept more than 20 simultaneous, active UDP connections from a single computer on the LAN.
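The two flood checks above (limiting the lifetime of half-open TCP connections, and capping a single LAN host at 20 simultaneous active UDP connections) can be modelled with a small connection tracker. The following Python is an added illustration written for this page, not NETGEAR firmware code; the 10-second half-open lifetime, the event format, and the traffic it processes are constructed assumptions, while the 20-connection UDP limit is the value the manual states.

```python
"""Toy connection tracker modelling the FVS318G flood checks described above.
Added example, not NETGEAR code. Constants other than MAX_UDP_PER_SOURCE are assumed."""
from dataclasses import dataclass, field

HALF_OPEN_LIFETIME = 10.0   # seconds a SYN may stay half-open (assumed value)
MAX_UDP_PER_SOURCE = 20     # per-LAN-host UDP limit as stated in the manual


@dataclass
class Tracker:
    # (src, sport, dst, dport) -> time the SYN arrived, for handshakes not yet completed
    half_open: dict = field(default_factory=dict)
    # src -> set of (dst, dport) currently counted as active UDP connections
    udp_active: dict = field(default_factory=dict)
    half_open_dropped: int = 0
    udp_refused: int = 0

    def expire(self, now):
        """Drop half-open TCP entries that outlived the lifetime limit."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 > HALF_OPEN_LIFETIME]
        for k in stale:
            del self.half_open[k]
        self.half_open_dropped += len(stale)

    def tcp_syn(self, now, src, sport, dst, dport):
        self.expire(now)
        self.half_open[(src, sport, dst, dport)] = now
        return True

    def tcp_ack(self, now, src, sport, dst, dport):
        """Final handshake packet: the connection is no longer half-open."""
        self.expire(now)
        return self.half_open.pop((src, sport, dst, dport), None) is not None

    def udp_packet(self, now, src, sport, dst, dport):
        """Accept the packet unless the source already holds the maximum of active flows."""
        self.expire(now)
        flows = self.udp_active.setdefault(src, set())
        if (dst, dport) in flows:
            return True                      # existing connection, always allowed
        if len(flows) >= MAX_UDP_PER_SOURCE:
            self.udp_refused += 1
            return False                     # flood check refuses a 21st connection
        flows.add((dst, dport))
        return True


def sample_events():
    """Constructed traffic (not captured data): a SYN flood that is never completed,
    one legitimate handshake, and a LAN host spraying UDP at 30 different ports."""
    ev = []
    for i in range(50):                       # 50 SYNs, no ACK ever follows
        ev.append((0.01 * i, "syn", "203.0.113.5", 40000 + i, "192.168.1.10", 80))
    ev.append((1.00, "syn", "192.168.1.30", 50000, "192.168.1.10", 443))
    ev.append((1.05, "ack", "192.168.1.30", 50000, "192.168.1.10", 443))
    for i in range(30):                       # 30 distinct UDP destinations from one host
        ev.append((2.0 + 0.01 * i, "udp", "192.168.1.20", 5000, "198.51.100.7", 1024 + i))
    return ev


def simulate(events, end_time):
    """Run the events through the tracker, expire at end_time, and report counters."""
    tr = Tracker()
    for t, kind, src, sport, dst, dport in events:
        if kind == "syn":
            tr.tcp_syn(t, src, sport, dst, dport)
        elif kind == "ack":
            tr.tcp_ack(t, src, sport, dst, dport)
        elif kind == "udp":
            tr.udp_packet(t, src, sport, dst, dport)
    tr.expire(end_time)
    return {
        "half_open_remaining": len(tr.half_open),
        "half_open_dropped": tr.half_open_dropped,
        "udp_active": len(tr.udp_active.get("192.168.1.20", ())),
        "udp_refused": tr.udp_refused,
    }


if __name__ == "__main__":
    print(simulate(sample_events(), end_time=15.0))
```

Run as a script it reports that all 50 flood SYNs were dropped after the lifetime elapsed, the legitimate handshake left nothing half-open, and the LAN host was held at 20 UDP connections with 10 refused. The real device makes these decisions in its firewall engine, but the bookkeeping is the same: the SYN check is about time, the UDP check is about a per-source count.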

Disable Ping Reply on LAN Ports. To prevent the VPN firewall from responding to ping requests from the LAN, click this checkbox.

VPN Pass through. When the VPN firewall functions in NAT mode, all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy.

If a VPN client or gateway on the LAN side of the VPN firewall wants to connect to another VPN endpoint on the WAN, with the VPN firewall between the two VPN end points, all encrypted packets will be sent to the VPN firewall. Since the VPN firewall filters the encrypted packets through NAT, the packets become invalid.

IPsec, PPTP, and L2TP represent different types of VPN tunnels that can pass through the VPN firewall. To allow the VPN traffic to pass through without filtering, enable those options for the type of tunnel(s) that will pass through the VPN firewall.

Multicast Pass through. IGMP is a communications protocol used to manage IP multicast groups. Checking this option results in IGMP Proxy being enabled for WAN (upstream) and LAN (downstream) interfaces. If checked, the router will keep track of IGMP group membership reports from LAN hosts joining and leaving the group. The relevant multicast traffic will be forwarded from WAN to LAN.

Firewall Protection and Content Filtering

4-21

v1.1, August 2010
