User's Manual
Gateway User Interface
• Strict UDP Session Control. Enabling this feature provides increased security by preventing the 2Wire
gateway from accepting packets sent from an unknown source over an existing connection. Some
applications require the ability to send traffic based on destination only, so enabling this feature may
prevent some online applications from working properly.
Allowing Inbound and Outbound Traffic
The Inbound and Outbound Control pane displays some common protocol types. When one of the Inbound
protocol boxes is checked, the firewall allows the corresponding protocol to pass through from the Internet
to the network. If one of the Outbound protocol boxes is checked, the firewall allows the traffic from the
network to pass through the firewall to the Internet.
Note: If you configure the firewall to block an Inbound protocol, you may disable support for
hosted applications that require that type of protocol.
Disabling Attack Detection
By default, the 2Wire gateway firewall rules block the attack types listed in the Attack Detection pane. There
are some applications and devices that require the use of specific data ports through the firewall. The
gateway allows users to open the necessary ports through the firewall using the Firewall Settings page. If
the user requires that a computer have all incoming traffic available to it, this computer can be set to the
DMZplus mode. While in DMZplus mode, the computer is still protected against numerous broadband
attacks (for example, SYN Flood or Invalid TCP flag attacks).
In rare cases, the incoming traffic may be inadvertently blocked by the firewall (for example, when
integrating with external third-party firewalls or VPN servers). You may need to disable one or more of the
attack detection capabilities for any device placed in the DMZplus. In this case, the third-party server
provides the attack protection normally provided by the gateway.
The following are the attacks for which the gateway firewall filters continuously check.
• Excessive Session Detection. When enabled, the firewall will detect applications on the local network
that are creating excessive sessions out to the Internet. This activity is likely due to a computer
infected with a virus or "worm" (for example, Blaster Worm). When the event is detected, the gateway
displays a HURL warning page.
• TCP/UDP Port Scan. A port scan is a series of messages sent by someone attempting to break into a
computer to learn which network services, each associated with a well-known UDP or TCP port
number, the computer provides. When enabled, the firewall detects UDP and TCP port scans, and
drops the packet.
• Invalid Source/Destination IP address. When enabled, the firewall will verify IP addresses by checking
for the following:
− IP source address is broadcast or multicast — drop packet.
− TCP destination IP address is not unicast — drop packet.
− IP source and destination address are the same — drop packet.
− Invalid IP source received from private/home network — drop packet.
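
The four address checks listed above can be expressed as a small packet validator. This is an added example, not the gateway's firmware or 2Wire code; the LAN subnet, the sample packets, the function names, and the reading of the fourth check (a packet arriving from the home network with a source address outside the LAN subnet) are assumptions.

```python
import ipaddress

# Assumed home network (constructed value, not taken from the manual).
LAN = ipaddress.ip_network("192.168.1.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_broadcast(addr, net=LAN):
    """True for the limited broadcast or the subnet's directed broadcast."""
    return addr == LIMITED_BROADCAST or addr == net.broadcast_address


def check_packet(src, dst, proto, from_lan, net=LAN):
    """Return the reason a packet is dropped, or None if it passes all four checks."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s.is_multicast or is_broadcast(s, net):
        return "source is broadcast or multicast"
    if proto == "tcp" and (d.is_multicast or is_broadcast(d, net)):
        return "TCP destination is not unicast"
    if s == d:
        return "source and destination are the same"
    # Assumption: "invalid source from the home network" means a packet that
    # arrives on the LAN side with a source address outside the LAN subnet.
    if from_lan and s not in net:
        return "invalid source from home network"
    return None


# Constructed sample packets: (src, dst, proto, arrived_on_lan)
SAMPLES = [
    ("192.168.1.10", "203.0.113.5", "tcp", True),      # ordinary outbound TCP
    ("255.255.255.255", "192.168.1.10", "udp", False),  # broadcast source
    ("224.0.0.1", "192.168.1.10", "udp", False),        # multicast source
    ("192.168.1.10", "224.0.0.251", "tcp", True),       # TCP to multicast
    ("192.168.1.10", "224.0.0.251", "udp", True),       # UDP to multicast is allowed
    ("192.168.1.10", "192.168.1.10", "tcp", True),      # same source and destination
    ("10.9.8.7", "203.0.113.5", "tcp", True),           # off-subnet source on LAN
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        verdict = check_packet(*pkt)
        print(pkt, "->", "DROP: " + verdict if verdict else "PASS")
```

The unicast-destination check applies only to TCP, so UDP multicast traffic from a valid LAN source still passes.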