5.3 Firewall – Cradlepoint WIPIPE MBR1000 User Manual

CradlePoint MBR1000 | USER MANUAL Firmware ver. 1.6.9
© 2010 CRADLEPOINT, INC. PLEASE VISIT
HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/
FOR MORE HELP AND RESOURCES
5.3 Firewall
Use the Firewall sub-menu to protect your network from the outside world. The MBR1200 provides 
a tight firewall by virtue of the way NAT works. Unless you configure the router to the contrary, the 
NAT does not respond to unsolicited incoming requests on any port, thereby making your LAN 
invisible to public Internet view. However, some network applications cannot run with a tight 
firewall. Those applications need to selectively open ports in the firewall to function correctly. 
5.3.1 Firewall Settings
Enable SPI. SPI (Stateful Packet Inspection, also known as dynamic packet filtering) helps to
prevent cyber attacks by tracking more state per session. It validates that the traffic passing
through the session conforms to the protocol. When SPI is enabled, the extra state information will
be reported on the Status → Active Sessions sub-menu.
Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that
each TCP packet's flags are valid for the current state.
5.3.2 NAT Endpoint Filtering
The NAT Endpoint Filtering options control how the router's NAT manages incoming connection
requests to ports that are already being used.
UDP Endpoint Filtering/TCP Endpoint Filtering. The UDP Endpoint Filtering check box
controls endpoint filtering for packets of the UDP protocol and the TCP Endpoint Filtering check
box controls endpoint filtering for packets of the TCP protocol. Select a NAT Endpoint Filtering
option:
Endpoint Independent. Once a LAN-side application has created a connection 
through a specific port, the NAT will forward any incoming connection requests with the 
same port to the LAN-side application regardless of their origin. This is the least 
restrictive option, giving the best connectivity and allowing some applications (P2P 
applications in particular) to behave almost as if they are directly connected to the 
Internet. 
Address Restricted. The NAT forwards incoming connection requests to a LAN-side 
host only when they come from the same IP address with which a connection was 
established. This allows the remote application to send data back through a port 
different from the one used when the outgoing session was created. 
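
The difference between the two options above can be seen in a small Python model. This is an added example, not CradlePoint code or firmware logic; the class and function names, addresses and ports are constructed for illustration.

```python
# Added illustration: a toy model of the two NAT endpoint-filtering options.
# Addresses and ports are constructed sample values, not from the manual.
ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_RESTRICTED = "address-restricted"


class Nat:
    def __init__(self, mode):
        self.mode = mode
        self.mappings = {}  # external port -> (LAN endpoint, set of remote IPs)

    def outbound(self, lan_endpoint, ext_port, remote_ip):
        """A LAN-side application creates a connection through ext_port."""
        _, peers = self.mappings.setdefault(ext_port, (lan_endpoint, set()))
        peers.add(remote_ip)

    def inbound(self, ext_port, remote_ip, remote_port):
        """Return the LAN endpoint a request is forwarded to, or None if dropped."""
        if ext_port not in self.mappings:
            return None  # unsolicited: no LAN application is using this port
        lan_endpoint, peers = self.mappings[ext_port]
        if self.mode == ADDRESS_RESTRICTED and remote_ip not in peers:
            return None  # source IP is not one the LAN host connected to
        # remote_port is deliberately not checked in either mode: Address
        # Restricted lets the known peer reply from a different port.
        return lan_endpoint


def forwarded(mode):
    """Replay the same four inbound requests under the given mode."""
    nat = Nat(mode)
    nat.outbound(("192.168.0.10", 5000), 40000, "198.51.100.7")
    probes = {
        "peer, same port": (40000, "198.51.100.7", 6000),
        "peer, other port": (40000, "198.51.100.7", 6001),
        "unrelated host": (40000, "203.0.113.9", 6000),
        "unused port": (40001, "198.51.100.7", 6000),
    }
    return {name: nat.inbound(*p) is not None for name, p in probes.items()}


if __name__ == "__main__":
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_RESTRICTED):
        print(mode, forwarded(mode))
```

The only request treated differently by the two modes is the one from the unrelated host, which is the exposure to weigh before choosing the less restrictive option.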
