User Manual
Firewall Settings
Enable SPI
SPI ("stateful packet inspection", also known as "dynamic packet filtering") helps to prevent attacks by
tracking more state per session and validating that the traffic passing through that session conforms to the
protocol. When the protocol is TCP, SPI checks that each packet's sequence number falls within the valid
window for the session and discards packets whose sequence numbers do not.
Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP
packet's flags are valid for the current state.
NAT Endpoint Filtering
The NAT Endpoint Filtering options control how the router's NAT manages incoming connection requests to
ports that are already being used.
Endpoint Independent
Once a LAN-side application has created a connection through a specific port, the NAT will forward any
incoming connection requests with the same port to the LAN-side application regardless of their origin. This is
the least restrictive option, giving the best connectivity and allowing some applications (P2P applications in
particular) to behave almost as if they are directly connected to the Internet.
Address Restricted
The NAT forwards incoming connection requests to a LAN-side host only when they come from the same IP
address with which a connection was established. This allows the remote application to send data back
through a port different from the one used when the outgoing session was created.
Port And Address Restricted
The NAT forwards incoming packets to a LAN-side host only when they come from the same remote IP address
and the same remote port with which the connection was established. Any other incoming connection request
to a port that is already in use by an established connection is dropped.
Note that these options interact with other port restrictions. Endpoint Independent Filtering takes priority
over inbound filters and schedules, so an incoming session request related to an outgoing session can enter
through a port in spite of an active inbound filter on that port. Packets sent to blocked ports (whether blocked
by schedule or by inbound filter) for which there is no active session are still rejected as expected. Port and
Address Restricted Filtering ensures that inbound filters and schedules work precisely, but reduces
connectivity and therefore might require port triggers, virtual servers, or port forwarding to open the ports an
application needs. Address Restricted Filtering is a compromise: it avoids problems when communicating with
certain other types of NAT router (symmetric NATs in particular) while leaving inbound filters and scheduled
access working as expected.
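The following Python model, added here as an illustration rather than taken from the router's firmware, plays out the three filtering modes described above against one outbound session and a set of constructed inbound probes. It also models the stated interaction with inbound filters: a blocked port still passes traffic under Endpoint Independent Filtering when an active session exists on it, whereas the other two modes let the filter win. The addresses, ports and the `blocked_ports` parameter are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Filtering(Enum):
    """The three NAT endpoint filtering modes offered by the router."""
    ENDPOINT_INDEPENDENT = "endpoint-independent"
    ADDRESS_RESTRICTED = "address-restricted"
    PORT_AND_ADDRESS_RESTRICTED = "port-and-address-restricted"


@dataclass(frozen=True)
class Session:
    """One outbound connection the NAT has already mapped."""
    lan_host: str      # internal host that opened the connection
    ext_port: int      # port on the router's WAN address used for the mapping
    remote_ip: str     # remote endpoint the LAN host sent to
    remote_port: int


class Nat:
    """Constructed model of the router's NAT filtering; not the firmware's logic."""

    def __init__(self, mode, blocked_ports=()):
        self.mode = mode
        # WAN ports denied by an inbound filter or a schedule (assumed parameter)
        self.blocked_ports = set(blocked_ports)
        self.sessions = []

    def outbound(self, lan_host, remote_ip, remote_port, ext_port):
        """Record the mapping created by a LAN-side host's outgoing packet."""
        self.sessions.append(Session(lan_host, ext_port, remote_ip, remote_port))

    def _session_allows(self, s, src_ip, src_port):
        if self.mode is Filtering.ENDPOINT_INDEPENDENT:
            return True                               # any origin, same port
        if self.mode is Filtering.ADDRESS_RESTRICTED:
            return src_ip == s.remote_ip              # same remote IP, any port
        return src_ip == s.remote_ip and src_port == s.remote_port

    def inbound(self, src_ip, src_port, dst_port):
        """Return the LAN host that receives an inbound packet, or None if dropped."""
        matches = [s for s in self.sessions if s.ext_port == dst_port]
        # Endpoint Independent Filtering takes priority over inbound filters:
        # a blocked port with an active session still passes traffic in that mode.
        if dst_port in self.blocked_ports and not (
                self.mode is Filtering.ENDPOINT_INDEPENDENT and matches):
            return None
        for s in matches:
            if self._session_allows(s, src_ip, src_port):
                return s.lan_host
        return None  # no session on this port, or origin does not match it


def run_scenario(mode, blocked_ports=()):
    """One LAN host opens a session, then four constructed probes arrive from the WAN.

    Returns a mapping from probe description to whether the packet was forwarded.
    """
    nat = Nat(mode, blocked_ports)
    nat.outbound("192.168.0.10", "203.0.113.5", 3478, 40000)
    probes = {
        "same ip, same port": ("203.0.113.5", 3478, 40000),
        "same ip, other port": ("203.0.113.5", 9999, 40000),
        "other ip, same port": ("198.51.100.7", 3478, 40000),
        "no session on port": ("203.0.113.5", 3478, 40001),
    }
    return {name: nat.inbound(*p) is not None for name, p in probes.items()}


if __name__ == "__main__":
    for mode in Filtering:
        print(mode.value, run_scenario(mode))
    print("EIF, port 40000 blocked:", run_scenario(Filtering.ENDPOINT_INDEPENDENT, (40000,)))
    print("AR, port 40000 blocked:", run_scenario(Filtering.ADDRESS_RESTRICTED, (40000,)))
```

Running the script shows the ordering the manual describes: Endpoint Independent forwards every probe to the mapped port, Address Restricted forwards only the two from 203.0.113.5, Port And Address Restricted forwards only the probe from 203.0.113.5:3478, and no mode forwards to port 40001 where no session exists. Blocking port 40000 with an inbound filter changes nothing in Endpoint Independent mode but drops everything in the other two.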
UDP Endpoint Filtering
Controls endpoint filtering for packets of the UDP protocol.
TCP Endpoint Filtering
Controls endpoint filtering for packets of the TCP protocol.
Formerly, the terms "Full Cone", "Restricted Cone", "Port Restricted Cone" and "Symmetric" were used to
refer to different variations of NATs. These terms are purposely not used here, because they do not fully