ZyXEL P-660HW-D1 Guia Do Utilizador
Prestige 660H/HW Series User’s Guide
Chapter 13 Firewall Configuration
162
Figure 74 Firewall: Anti Probing
The following table describes the labels in this screen.
Table 46 Firewall: Anti Probing
LABEL
DESCRIPTION
Respond to PING
on
The Prestige does not respond to any incoming Ping requests when Disable is
selected.
Select LAN to reply to incoming LAN Ping requests.
Select WAN to reply to incoming WAN Ping requests.
Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping
Select LAN to reply to incoming LAN Ping requests.
Select WAN to reply to incoming WAN Ping requests.
Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping
requests.
Do not respond to
requests for
unauthorized
services.
Select this option to prevent hackers from finding the Prestige by probing for
unused ports. If you select this option, the Prestige will not respond to port
request(s) for unused ports, thus leaving the unused ports and the Prestige
unseen. By default this option is not selected and the Prestige will reply with an
ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a
TCP Reset packet for a port probe on its unused TCP ports.
Note that the probing packets must first traverse the Prestige 's firewall
Note that the probing packets must first traverse the Prestige 's firewall
mechanism before reaching this anti-probing mechanism. Therefore if the firewall
mechanism blocks a probing packet, the Prestige reacts based on the firewall
policy, which by default, is to send a TCP reset packet for a blocked TCP packet.
You can use the command "sys firewall tcprst rst [on|off]" to change this policy.
When the firewall mechanism blocks a UDP packet, it drops the packet without
sending a response packet.
Back
Click Back to return to the previous screen.
Apply
Click Apply to save your changes back to the Prestige.
Reset
Click Reset to begin configuring this screen afresh.
13.12 Configuring Attack Alert
Attack alerts are the first defense against DOS attacks. In the Threshold screen, shown later,
you may choose to generate an alert whenever an attack is detected. For DoS attacks, the
Prestige uses thresholds to determine when to drop sessions that do not become fully
established. These thresholds apply globally to all sessions.
you may choose to generate an alert whenever an attack is detected. For DoS attacks, the
Prestige uses thresholds to determine when to drop sessions that do not become fully
established. These thresholds apply globally to all sessions.
You can use the default threshold values, or you can change them to values more suitable to
your security requirements.
your security requirements.