Port Forwarding; Protecting Against A Syn Flood Attack; Viewing A List Of Firewalls - Siemens RX1500 User Manual

Ruggedcom rox ii series

RUGGEDCOM ROX II
User Guide
Section 5.17.1.4

Port Forwarding

Port forwarding, also known as redirection, allows traffic coming from the Internet to be sent to a host behind the
NAT gateway.

Previous examples have described the NAT process when connections are made from the intranet to the Internet.
In those examples, addresses and ports were unambiguous.

When connections are attempted from the Internet to the intranet, the NAT gateway will have multiple hosts on
the intranet that could accept the connection. It needs additional information to identify the specific host to accept
the connection.

Suppose that two hosts, 192.168.1.10 and 192.168.1.20, are located behind a NAT gateway having a public
interface of 213.18.101.62. When a connection request for HTTP port 80 arrives at 213.18.101.62, the NAT
gateway could forward the request to either of the hosts (or could accept it itself). Port forwarding configuration
could be used to redirect the requests to port 80 to the first host.

Port forwarding can also remap port numbers. The second host may also need to answer HTTP requests. As
connections to port 80 are directed to the first host, another port number (such as 8080) can be dedicated to the
second host. As requests arrive at the gateway for port 8080, the gateway remaps the port number to 80 and
forwards the request to the second host.

Port forwarding also takes the source address into account. Another way to solve the above problem could be
to dedicate two hosts, 200.0.0.1 and 200.0.0.2, and have the NAT gateway forward requests on port 80 from
200.0.0.1 to 192.168.1.10 and from 200.0.0.2 to 192.168.1.20.
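
The two forwarding schemes above can be modelled as a small rule table. This is an added example, not part of the Siemens manual and not ROX II configuration syntax; the `ForwardRule` format, the `translate` helper and first-match ordering are assumptions made for illustration, and 198.51.100.7 is a constructed sample source.

```python
# Added example: a model of the port-forwarding decisions described above.
# The rule format and first-match ordering are assumptions for illustration;
# this is not ROX II configuration syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PUBLIC_IP = "213.18.101.62"  # public interface of the NAT gateway (from the text)

@dataclass(frozen=True)
class ForwardRule:
    dport: int                 # destination port seen on the public interface
    to_host: str               # intranet host that receives the connection
    to_port: int               # port on that host (may differ: port remapping)
    source: str = "0.0.0.0/0"  # restrict the rule to a source address or network

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (dst == PUBLIC_IP and dport == self.dport
                and ip_address(src) in ip_network(self.source))

def translate(rules, src: str, dst: str, dport: int) -> Optional[Tuple[str, int]]:
    """Return the (host, port) a new inbound connection is forwarded to,
    or None when no rule matches and nothing is forwarded."""
    for rule in rules:         # assumed first-match evaluation
        if rule.matches(src, dst, dport):
            return rule.to_host, rule.to_port
    return None

# Scheme 1 from the text: port 80 goes to the first host,
# port 8080 is remapped to port 80 on the second host.
BY_PORT = [
    ForwardRule(dport=80, to_host="192.168.1.10", to_port=80),
    ForwardRule(dport=8080, to_host="192.168.1.20", to_port=80),
]

# Scheme 2 from the text: same public port, target chosen by source address.
BY_SOURCE = [
    ForwardRule(dport=80, to_host="192.168.1.10", to_port=80, source="200.0.0.1/32"),
    ForwardRule(dport=80, to_host="192.168.1.20", to_port=80, source="200.0.0.2/32"),
]

if __name__ == "__main__":
    # Constructed sample connections: (source address, destination port)
    samples = [("200.0.0.1", 80), ("200.0.0.2", 80), ("200.0.0.2", 8080), ("198.51.100.7", 80)]
    for name, rules in (("by port", BY_PORT), ("by source", BY_SOURCE)):
        for src, port in samples:
            print(name, src, port, "->", translate(rules, src, PUBLIC_IP, port))
```

In this model the source-based scheme forwards nothing for sources other than 200.0.0.1 and 200.0.0.2, so it also narrows who can reach the two hosts.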

Section 5.17.1.5

Protecting Against a SYN Flood Attack

ROX II responds to SYN packets according to the TCP standard by replying with a SYN-ACK packet for open
ports and an RST packet for closed ports. If the device is flooded by a high frequency of SYN packets, the port
being flooded may become unresponsive.

To prevent SYN flood attacks on closed ports, set the firewall to block all traffic to closed ports. This prevents
SYN packets from reaching the kernel.

Siemens also recommends setting the listen ports to include IP addresses on separate interfaces. For example,
set the device to listen to an IP address on switch.0001 and fe-cm-1. This will make sure that one port is
accessible if the other is flooded.

Section 5.17.2

Viewing a List of Firewalls

To view a list of firewalls, navigate to security » firewall » fwconfig. If firewalls have been configured, the
Firewall Description table appears.
Chapter 5
Setup and Configuration


This manual is also suitable for:

Rx1501, Rx1510, Rx1511, Rx1512