Nat Pinhole Commands; Security Stateful Packet Inspection (Spi) Commands - Motorola NVG510 Administrator's Handbook

NAT Pinhole commands

NAT pinholes let you pass specific types of network traffic through the NAT interfaces on the Motorola Gateway.
NAT pinholes allow you to route selected types of network traffic, such as FTP requests or HTTP (Web) connec-
tions, to a specific host behind the Motorola Gateway transparently.
To set up NAT pinholes, you identify the type(s) of traffic you want to redirect by port number, and you specify the
internal host to which each specified type of traffic should be directed.
The following list identifies protocol type and port number for common TCP/IP protocols:
N FTP (TCP 21)
N telnet (TCP 23)
N SMTP (TCP 25),
N TFTP (UDP 69)
set pinhole name name protocol [ tcp | udp ]
Specifies the identifier for the entry in the Gateway's pinhole table. You can name pinhole table entries sequen-
tially (1, 2, 3), by port number (21, 80, 23), by protocol, or by some other naming scheme. Specifies the type of
protocol being redirected.
set pinhole name name ext-port-range [ 0 - 49151 ]
Specifies the first and last port number in the range being translated.
set pinhole name name int-addr ipaddr
Specifies the IP address of the internal host to which traffic of the specified type should be transferred.
set pinhole name name int-start-port [ 0 - 65535 ]
Specifies the port number your Motorola Gateway should use when forwarding traffic of the specified type. Under
most circumstances, you would use the same number for the external and internal port.

Security Stateful Packet Inspection (SPI) commands

set security firewall-level [ low | high | off ]
All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or
Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets to deter-
mine whether they should be admitted to your private LAN, based on multiple criteria, or blocked. Stateful inspec-
tion improves security by tracking data packets over a period of time, examining incoming and outgoing packets.
Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets consti-
tuting a proper response are allowed through the firewall.
The high setting is recommended, but for special circumstances, a low level of firewall protection is available. You
can also turn all firewall protection off. Defaults to low.
set security spi invalid-address-drop [ on | off ]
Enables or disables whether Broadband packets with invalid source or destination addresses should be dropped.
Default is on.
set security spi unknown-ethertypes-drop [ on | off ]
Enables or disables whether packets with unknown ether types are to be dropped. Default is on.
121