ZyXEL 35 User's Guide

ZyWALL 35 Support Notes 
 
 
All contents copyright (c) 2006 ZyXEL Communications Corporation.   
(C) To resolve this conflict, we added an option that lets users allow or disallow such a Triangle Route topology, in both the CI command and the Web configurator. You can issue the command "sys firewall ignore triangle all on" to make the firewall bypass triangle route checking. In the Web GUI, you can find this option on the firewall setup page.
Note, however, that if you allow Triangle Route, any traffic can easily be injected into the protected network through the unprotected gateway. In fact, it is a security hole in your protected network.
 
 
D17. How can I protect against IP spoofing attacks?    
The ZyWALL's firewall automatically detects IP spoofing and drops the spoofed packets if the firewall is turned on. If the firewall is not turned on, you can configure a filter set to block IP spoofing attacks. The basic scheme is as follows:
For the input data filter:
• Deny packets from the outside that claim to be from the inside
• Allow everything that is not spoofing us
Filter rule setup:
• Filter Type = TCP/IP Filter Rule
• Active = Yes
• Source IP Addr = a.b.c.d
• Source IP Mask = w.x.y.z
• Action Matched = Drop
• Action Not Matched = Forward
where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
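The input filter rule above, modelled as an added example that is not part of the ZyXEL support notes: it shows which outside packets the rule drops and why any host address on the LAN works for a.b.c.d. The addresses are constructed, and the masked comparison is the usual address/mask match, assumed here to be how the rule is evaluated.

```python
import ipaddress

# Constructed values standing in for a.b.c.d and w.x.y.z in the rule above.
LAN_ADDR = "192.168.1.33"    # any IP address on the local network
LAN_MASK = "255.255.255.0"   # the local netmask


def to_int(addr):
    """Parse a dotted-quad IPv4 address into an integer."""
    return int(ipaddress.IPv4Address(addr))


def rule_matches(src_ip, rule_addr=LAN_ADDR, rule_mask=LAN_MASK):
    """Source matches when it equals the rule address under the mask."""
    mask = to_int(rule_mask)
    return (to_int(src_ip) & mask) == (to_int(rule_addr) & mask)


def wan_input_filter(src_ip):
    """Input filter on the outside interface:
    Action Matched = Drop, Action Not Matched = Forward."""
    return "Drop" if rule_matches(src_ip) else "Forward"


# Constructed packets arriving from the outside: (source IP, note).
SAMPLE_INBOUND = [
    ("203.0.113.7", "ordinary Internet host"),
    ("192.168.1.200", "claims to be a LAN host: spoofed"),
    ("192.168.1.0", "LAN network address used as source: spoofed"),
    ("192.168.2.5", "private address, but not our LAN"),
]


def run(packets=SAMPLE_INBOUND):
    """Return (source, action) for each inbound packet."""
    return [(src, wan_input_filter(src)) for src, _note in packets]


if __name__ == "__main__":
    for (src, note), (_, action) in zip(SAMPLE_INBOUND, run()):
        print(f"{src:<15} {action:<8} {note}")
```

The rule only covers sources inside the local subnet; the 192.168.2.5 packet is forwarded because it does not claim to be from this LAN.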
For the output data filters:
• Deny bounce back packet
• Allow packets that originate from us
Filter rule setup:
• Filter Type = TCP/IP Filter Rule
• Active = Yes