Motorola WiNG 5.4.2 System Reference Manual page 484

8 - 10 WiNG 5.4.2 Access Point System Reference Guide
16. Refer to the General
Enable Proxy ARP
DHCP Broadcast to
Unicast
L2 Stateful Packet
Inspection
IPMAC Conflict Enable
IPMAC Conflict Logging
IPMAC Conflict Action
IPMAC Routing Conflict
Enable
IPMAC Routing Conflict
Logging
IPMAC Routing Conflict
Action
DNS Snoop Entry
Timeout
IP TCP Adjust MSS
TCP MSS Clamping
Max Fragments/
Datagram
Max Defragmentations/
Host
Min Length Required
IPv4 Virtual
Defragmentation
field to enable or disable the following Firewall parameters:
Select the radio button to allow the Firewall Policy to use Proxy ARP responses for this
policy on behalf of another device. Proxy ARP allows the Firewall to handle ARP routing
requests for devices behind the Firewall. This feature is enabled by default.
Select the radio button to enable the conversion of broadcast DHCP offers to unicast.
Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic
loads.This feature is disabled by default.
Select the radio button to enable stateful packet inspection for routed interfaces within
the Layer 2 Firewall. This feature is enabled by default.
Select this option to log and act upon detected IPMAC conflicts. These occur when
removing a device from the network and attaching another using the same IP address.
When enabled, use the drop-down menu to set the logging level (Error, Warning,
Notification, Information or Debug) if an attack is detected. The default setting is
Warning.
Use the drop-down menu to set the action taken when an attack is detected. Options
include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
Select this option to enable IPMAC Routing Conflict detection. This is also known as a
Hole-196 attack in the network. This feature helps to detect if the client is sending routed
packets to the correct MAC address.
Select enable logging for IPMAC Routing Conflict detection. This feature is enabled by
default and set to Warning.
Use the drop-down menu to set the action taken when an attack is detected. Options
include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
Select this option and set a timeout, in seconds, for DNS Snoop Entry. DNS Snoop Entry
stores information such as Client to IP Address and Client to Default Gateway(s) and uses
this information to detect if the client is sending routed packets to a wrong MAC address.
Select this option and adjust the value for the maximum segment size (MSS) for TCP
segments on the router. Set a value between 472 bytes and 1,460 bytes to adjust the MSS
segment size. The default value is 472 bytes.
Select this option to enable TCP MSS Clamping. TCP MSS Clamping allows configuration
for the maximum segment size of packets at a global level.
Set a value for the maximum number of fragments (from 2 - 8,129) allowed in a datagram
before it is dropped. The default value is 140 fragments.
Set a value for the maximum number of defragmentations, from 1 - 16,384 allowed per
host before it is dropped. The default value is 8.
Select this option and set a minimum length, from 8 bytes - 1,500 bytes, to enforce a
minimum packet size before being subject to fragment based attack prevention.
Select this option to enable IPv4 Virtual Defragmentation, this helps prevent IPv4
fragments based attacks, such as tiny fragments or large number of ipv4 fragments.