Cradlepoint IBR600 User Manual page 63

User Manual / IBR600/IBR650
ZONE FORWARDING
Forwardings define how Filter Policies affect traffic
flowing between zones in one direction. Simply
configure the Source Zone, Destination Zone, and
Filter Policy to define a Forwarding. Forwardings can
be Added, Edited, Removed, or Toggled. Toggling a
Forwarding will either enable or disable the Forwarding.
Source and Destination zones are chosen from the list
of Zone Definitions. In addition, two special zones can
be selected for forwarding endpoints:
• The All zone will match any traffic handled by the router and is used as an endpoint for IP Filter
Rules migrated from previous firmware versions. User editable zones are preferred when adding new
forwardings.
• The Router zone will match any traffic initialized from or directed to router services and can be used
to filter router service traffic. An example of traffic initialized by a router service would be the ECM
Management service. An example of traffic destined to a router service would be the SNMP service.
OPTIONS
Firewall Options
• Anti-Spoof: Anti-Spoof checks help protect against malicious users faking the source address in packets
they transmit in order to either hide themselves or to impersonate someone else. Once the user has
spoofed their address they can launch a network attack without revealing the true source of the attack or
attempt to gain access to network services that are restricted to certain addresses.
• Log Web Access: Enable this option to create a syslog record of web (IP port 80) access. Each entry will
contain the the IP address of the server and the client. Note that this may create a lot of log entries,
especially on a busy network. Sending the system log to a syslog server is recommended.
Application Gateways
Enabling an application gateway makes pinholes thru the firewall. This may be required for some applications
to function, or for an application to improve functionality or add features.
NOTE: Exercise caution in enabling application gateways as they impact the security of your network.
• PPTP: For virtual private network access using Point to Point Tunneling Protocol.
• SIP: For Voice over IP using Session Initiation Protocol.
• TFTP: Enables file transfer using Trivial File Transfer Protocol.
• FTP: To allow normal mode when using File Transfer Protocol. Not needed for passive mode.
• IRC: For Direct Client to Client (DCC) transfer when using Internet Relay Chat. You may wish to forward TCP
port 113 for incoming identd (RFC 1413) requests.
DMZ (Demilitarized Zone)
A DMZ host is effectively not firewalled in the sense that any computer on the Internet may attempt to
remotely access network services at the DMZ IP address. Typical uses involve running a public web server,
supporting older games, or sharing files.
NOTE: As with port forwarding, caution should be used when enabling the DMZ feature as it can threaten the
security of your network.
©2015 Cradlepoint. All Rights Reserved.
11/5/15
| +1.855.813.3385 | cradlepoint.com
63