SMC Networks WGBR14-N - annexe 1 Manual page 62

Draft 11n wireless 4-port gigabit broadband router

traffic passing through that session conforms to the protocol. When the protocol
is TCP, SPI checks that packet sequence numbers are within the valid range for
the session, discarding those packets that do not have valid sequence numbers.
Whether SPI is enabled or not, the router always tracks TCP connection states
and ensures that each TCP packet's flags are valid for the current state.
NAT Endpoint Filtering
The NAT Endpoint Filtering options control how the router's NAT manages incoming
connection requests to ports that are already being used.
Endpoint Independent
Once a LAN-side application has created a connection through a specific port,
the NAT will forward any incoming connection requests with the same port to
the LAN-side application regardless of their origin. This is the least restrictive
option, giving the best connectivity and allowing some applications (P2P
applications in particular) to behave almost as if they are directly connected to
the Internet.
Address Restricted
The NAT forwards incoming connection requests to a LAN-side host only when
they come from the same IP address with which a connection was established.
This allows the remote application to send data back through a port different
from the one used when the outgoing session was created.
Port And Address Restricted
The NAT does not forward any incoming connection requests with the same
port address as an already established connection.
Note that some of these options can interact with other port restrictions. Endpoint
Independent Filtering takes priority over inbound filters or schedules, so it is possible
for an incoming session request related to an outgoing session to enter through a
port in spite of an active inbound filter on that port. However, packets will be rejected
as expected when sent to blocked ports (whether blocked by schedule or by inbound
filter) for which there are no active sessions. Port and Address Restricted Filtering
ensures that inbound filters and schedules work precisely, but prevents some level of
connectivity, and therefore might require the use of port triggers, virtual servers, or
port forwarding to open the ports needed by the application. Address Restricted
Filtering gives a compromise position, which avoids problems when communicating
with certain other types of NAT router (symmetric NATs in particular) but leaves
inbound filters and scheduled access working as expected.
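The forwarding decisions described above can be modelled in a short script that shows how much each mode exposes a LAN host. This is an added example, not code from SMC or the router firmware: the names `decide`, `exposure`, `Session` and `Packet` and the sample addresses are constructed. It also assumes that return traffic of an established session passes in every mode, that Port And Address Restricted passes nothing else (RFC 4787's address and port-dependent filtering), and that Address Restricted honours an inbound filter for new requests.

```python
from collections import namedtuple

# Constructed model: one entry per outbound session the NAT is tracking.
Session = namedtuple("Session", "ext_port remote_ip remote_port")
Packet = namedtuple("Packet", "src_ip src_port dst_port")

EI, AR, PAR = "endpoint-independent", "address-restricted", "port-and-address-restricted"

def decide(mode, sessions, pkt, blocked_ports=frozenset()):
    """Return 'forward' or 'drop' for an inbound WAN packet."""
    on_port = [s for s in sessions if s.ext_port == pkt.dst_port]
    if not on_port:
        # No active session on this port: rejected in every mode.
        return "drop"
    if any((s.remote_ip, s.remote_port) == (pkt.src_ip, pkt.src_port) for s in on_port):
        # Return traffic of the established session (assumed to pass in all modes).
        return "forward"
    # From here on the packet is a new request to a port already in use.
    if mode == EI:
        # Forwarded regardless of origin, and ahead of any inbound filter.
        return "forward"
    if mode == AR:
        if pkt.dst_port in blocked_ports:
            return "drop"  # assumption: inbound filter is honoured in this mode
        same_host = any(s.remote_ip == pkt.src_ip for s in on_port)
        return "forward" if same_host else "drop"
    if mode == PAR:
        return "drop"
    raise ValueError(f"unknown mode: {mode}")

def exposure(mode, sessions, probes, blocked_ports=frozenset()):
    """List the probes that a given mode lets through to the LAN host."""
    return [p for p in probes if decide(mode, sessions, p, blocked_ports) == "forward"]

# Constructed sample: a LAN host opened port 40000 to 198.51.100.7:3478.
SESSIONS = [Session(40000, "198.51.100.7", 3478)]
PROBES = [
    Packet("198.51.100.7", 3478, 40000),   # return traffic of the session
    Packet("198.51.100.7", 5000, 40000),   # same host, different source port
    Packet("203.0.113.9", 3478, 40000),    # unrelated host
    Packet("203.0.113.9", 3478, 40001),    # port with no active session
]

if __name__ == "__main__":
    for mode in (EI, AR, PAR):
        print(mode, len(exposure(mode, SESSIONS, PROBES)), "of", len(PROBES), "forwarded")
```

Passing `blocked_ports={40000}` reproduces the priority rule: Endpoint Independent still forwards the unrelated host's request, while the other two modes pass only the session's own return traffic.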
UDP Endpoint Filtering
Controls endpoint filtering for packets of the UDP protocol.
TCP Endpoint Filtering
Controls endpoint filtering for packets of the TCP protocol.
DMZ Host
DMZ means "Demilitarized Zone." If an application has trouble working from behind

This manual is also suitable for:

Barricade smcwgbr14-n
