Security stateful packet inspection (spi) commands – ARRIS 2247-N8-10NA (v9.1.x) Admin Handbook User Manual
Page 64

Administrator’s Handbook
set pinhole name name int-start-port [ 0 - 65535 ]
Specifies the port number your 2247-N8 should use when forwarding traffic of the specified type. Under most
circumstances, you would use the same number for the external and internal port.
Security Stateful Packet Inspection (SPI) commands
set security firewall-level [ low | high | off ]
All computer operating systems are vulnerable to attack from outside sources, typically at the operating system
or Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets
to determine whether they should be admitted to your private LAN, based on multiple criteria, or blocked.
Stateful inspection improves security by tracking data packets over a period of time, examining incoming and
outgoing packets. Outgoing packets that request specific types of incoming packets are tracked; only those
incoming packets constituting a proper response are allowed through the firewall.
The high setting is recommended, but for special circumstances, a low level of firewall protection is available.
You can also turn all firewall protection off. Defaults to low.
set security spi icmp downstream-echo-rqst-drop [ on | off ]
If enabled, all ICMP echo requests coming from the Internet will be dropped.
set security spi unknown-ethertypes-drop [ on | off ]
Enables or disables dropping of packets with unknown ether types. Default is on.
set security spi portscan-protect [ on | off ]
Enables or disables detection and dropping of port scans. Default is on.
set security spi invalid-tcp-flags-drop [ on | off ]
Enables or disables dropping of packets with invalid TCP flag settings (NULL, FIN, Xmas, etc.).
Default is on.
set security spi ip4 invalid-addr-drop [ on | off ]
Broad sets of addresses exist that should not be used as one or both of source or destination addresses. These
include the following:
IP address/mask      Source or destination
10.0.0.0/8           source
192.168.0.0/16       source
169.254.0.0/16       source
172.16.0.0/12        source
224.0.0.0/4          source / destination
224.0.0.0/5          source / destination
0.0.0.0/8            source / destination
255.255.255.255      destination
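
The table above, applied to a packet's source and destination addresses, as an added Python example (not code from the ARRIS handbook or firmware). The function names and sample packets are constructed for illustration, and the 192.168 row is taken as 192.168.0.0/16.

```python
import ipaddress

# Rows of the invalid-addr-drop table: (network, roles in which the address is invalid).
# "src" = invalid as a source address, "dst" = invalid as a destination address.
INVALID_V4 = [
    ("10.0.0.0/8", {"src"}),
    ("192.168.0.0/16", {"src"}),       # the page's 192.168 row, as a valid /16
    ("169.254.0.0/16", {"src"}),
    ("172.16.0.0/12", {"src"}),
    ("224.0.0.0/4", {"src", "dst"}),
    ("224.0.0.0/5", {"src", "dst"}),   # listed on the page; a subset of 224.0.0.0/4
    ("0.0.0.0/8", {"src", "dst"}),
    ("255.255.255.255/32", {"dst"}),
]
RULES = [(ipaddress.ip_network(net), roles) for net, roles in INVALID_V4]


def drop_reasons(src, dst):
    """Return one entry per table row that the packet's addresses violate."""
    reasons = []
    for role, text in (("src", src), ("dst", dst)):
        addr = ipaddress.IPv4Address(text)
        for net, roles in RULES:
            # A row only applies in the role(s) the table names for it.
            if role in roles and addr in net:
                reasons.append(f"{role} {addr} in {net}")
    return reasons


def should_drop(src, dst):
    """True when at least one table row matches the packet."""
    return bool(drop_reasons(src, dst))


if __name__ == "__main__":
    # Constructed (source, destination) pairs; public addresses use documentation ranges.
    samples = [
        ("203.0.113.7", "198.51.100.20"),    # ordinary traffic
        ("10.1.2.3", "198.51.100.20"),       # private range used as source
        ("203.0.113.7", "10.1.2.3"),         # private range as destination: source-only row
        ("203.0.113.7", "255.255.255.255"),  # limited broadcast destination
        ("224.0.0.1", "198.51.100.20"),      # multicast address as source
    ]
    for src, dst in samples:
        reasons = drop_reasons(src, dst)
        verdict = "DROP" if reasons else "pass"
        print(f"{src:>15} -> {dst:<15} {verdict} {reasons}")
```

Rows marked source only, such as 10.0.0.0/8, do not match when the same address appears as a destination, which is why the third sample passes.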