Kyocera KR2 User Manual page 28


TCP Endpoint Filtering
Controls endpoint filtering for packets of the TCP protocol.
Formerly, the terms "Full Cone", "Restricted Cone", "Port Restricted Cone" and
"Symmetric" were used to refer to different variations of NATs. These terms are
purposely not used here, because they do not fully describe the behavior of this router's
NAT. While not a perfect mapping, the following loose correspondences between the
"cone" classification and the "endpoint filtering" modes can be drawn: if this router is
configured for endpoint independent filtering, it implements full cone behavior; address
restricted filtering implements restricted cone behavior; and port and address restricted
filtering implements port restricted cone behavior.
NAT Port Preservation
NAT Port preservation (on by default) tries to ensure that, when a LAN host makes an
Internet connection, the same LAN port is also used as the Internet visible port. This
ensures best compatibility for Internet communications.
Under some circumstances it may be desirable to turn off this feature.
Anti-Spoof checking
Enabling this option can provide protection from certain kinds of "spoofing" attacks.
However, enable this option with care. With some modems, the WAN connection may be
lost when this option is enabled. In that case, it may be necessary to change the LAN
subnet to something other than 192.168.0.x (192.168.2.x, for example), to re-establish
the WAN connection.
DMZ Host
DMZ means "Demilitarized Zone." If an application has trouble working from behind the
router, you can expose one computer to the Internet and run the application on that
computer.
When a LAN host is configured as a DMZ host, it becomes the destination for all
incoming packets that do not match some other incoming session or rule. If any other
ingress rule is in place, that will be used instead of sending packets to the DMZ host; so,
an active session, virtual server, active port trigger, or gaming rule will take priority over
sending a packet to the DMZ host. (The DMZ policy resembles a default gaming rule that
forwards every port that is not specifically sent anywhere else.)
The router provides only limited firewall protection for the DMZ host. The router does not
forward a TCP packet that does not match an active DMZ session, unless it is a
connection establishment packet (SYN). Except for this limited protection, the DMZ host
is effectively "outside the firewall". Anyone considering using a DMZ host should also
consider running a firewall on that DMZ host system to provide additional protection.
Packets received by the DMZ host have their IP addresses translated from the WAN-side
IP address of the router to the LAN-side IP address of the DMZ host. However, port
numbers are not translated; so applications on the DMZ host can depend on specific port
numbers.
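The DMZ dispatch order described above can be modeled as follows. This is an added example, not code from the router or the manual; the class names, the session table layout and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class TcpPacket:
    src_ip: str        # remote (Internet) address
    src_port: int
    dst_port: int      # port on the router's WAN address
    syn: bool = False  # True for a connection establishment packet

@dataclass
class Router:          # hypothetical model, not the KR2 firmware
    dmz_host: Optional[str] = None
    # wan_port -> (lan_ip, lan_port): virtual server, port trigger, gaming rule
    rules: dict = field(default_factory=dict)
    # (src_ip, src_port, dst_port) -> (lan_ip, lan_port) for active sessions
    sessions: dict = field(default_factory=dict)

    def route_inbound(self, pkt: TcpPacket):
        """Return (lan_ip, lan_port, reason), or None when the packet is dropped."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.sessions:           # an active session takes priority
            return (*self.sessions[key], "session")
        if pkt.dst_port in self.rules:     # then any other ingress rule
            return (*self.rules[pkt.dst_port], "rule")
        if self.dmz_host is None:
            return None                    # no DMZ host: unmatched packet dropped
        if not pkt.syn:
            return None                    # limited protection: non-SYN needs a session
        # DMZ default: destination address rewritten, port number left unchanged
        target = (self.dmz_host, pkt.dst_port)
        self.sessions[key] = target        # assumed state tracking for later packets
        return (*target, "dmz")

def demo():
    r = Router(dmz_host="192.168.0.50", rules={80: ("192.168.0.20", 8080)})
    remote = ("198.51.100.7", 40000)       # constructed sample addresses
    return [
        r.route_inbound(TcpPacket(*remote, 80, syn=True)),    # explicit rule wins
        r.route_inbound(TcpPacket(*remote, 3389)),            # stray non-SYN
        r.route_inbound(TcpPacket(*remote, 3389, syn=True)),  # SYN to unforwarded port
        r.route_inbound(TcpPacket(*remote, 3389)),            # now an active session
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Every port without a more specific rule reaches the DMZ host on the first SYN, which is why the host needs its own firewall.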
28 of 72
