D-Link Forums

D-Link FAQ => Router FAQs => FAQs => Topic started by: P01arBear on October 03, 2009, 09:29:31 PM

Title: Firewall questions
Post by: P01arBear on October 03, 2009, 09:29:31 PM
Hi folks,

I have a few questions maybe some of you with more wisdom could give some info about;

1) I understand that the DIR-655 has a double firewall which is NAT and SPI. Now, I don't know if you guys have ever heard about Alphashield, but I was wondering if these firewalls act like it. I do have the Alphashield which I used to place between my modem and router (with my older D-Link router...). The Alphashield is a hardware firewall that blocks by default all 65,535 ports. The only way it opens a port is if you request it from an inbound application; if something comes from outbound while not requested, then it is blocked. Now, the question is; Does the DIR-655 act the same way?
*Alphashield (http://alphashield.com/php/AlphaShield.php?osCsid=21a200ae3034cedc2fe91a94cb30d36e)
1.2) If the answer to the first question is no then -> If I want to add a DNS-323 storage unit to my network, is there a way I can block all ports towards the DNS-323 EXCEPT the ports for FTP (20-21)?

2) I've read the FAQ but don't fully understand, maybe someone could explain the firewall functions of "NAT Endpoint Filtering" (what is the difference between Port And Address Restricted/Address Restricted/Endpoint Independent) and "Anti-Spoof checking"?

Thanks, appreciate it.  8)
Title: Re: Few security questions...
Post by: EddieZ on October 04, 2009, 06:14:03 AM
NAT Endpoint Filtering
The NAT Endpoint Filtering options control how the router's NAT manages incoming connection requests to ports that are already being used.

Endpoint Independent
Once a LAN-side application has created a connection through a specific port, the NAT will forward any incoming connection requests with the same port to the LAN-side application regardless of their origin. This is the least restrictive option, giving the best connectivity and allowing some applications (P2P applications in particular) to behave almost as if they are directly connected to the Internet.

Address Restricted
The NAT forwards incoming connection requests to a LAN-side host only when they come from the same IP address with which a connection was established. This allows the remote application to send data back through a port different from the one used when the outgoing session was created.

Port And Address Restricted
The NAT does not forward any incoming connection requests with the same port address as an already established connection.

Note that some of these options can interact with other port restrictions. Endpoint Independent Filtering takes priority over inbound filters or schedules, so it is possible for an incoming session request related to an outgoing session to enter through a port in spite of an active inbound filter on that port. However, packets will be rejected as expected when sent to blocked ports (whether blocked by schedule or by inbound filter) for which there are no active sessions. Port and Address Restricted Filtering ensures that inbound filters and schedules work precisely, but prevents some level of connectivity, and therefore might require the use of port triggers, virtual servers, or Gaming to open the ports needed by the application. Address Restricted Filtering gives a compromise position, which avoids problems when communicating with certain other types of NAT router (symmetric NATs in particular) but leaves inbound filters and scheduled access working as expected.

UDP Endpoint Filtering
Controls endpoint filtering for packets of the UDP protocol.

TCP Endpoint Filtering
Controls endpoint filtering for packets of the TCP protocol.

For anti-spoof checking go and read http://en.wikipedia.org/wiki/Arp_spoofing
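The three modes described above, and their interaction with inbound filters, are easier to see in a small model. The following is an added example written for this thread, not D-Link firmware or D-Link's code. It assumes the standard RFC 4787 definitions of the three filtering behaviours (endpoint-independent, address-dependent, address-and-port-dependent), a single mapping table keyed on the router's external port, and constructed sample addresses (192.168.0.10, 203.0.113.5, 198.51.100.7) and ports; all of those are assumptions, not values from the post.

```python
"""Toy model of NAT endpoint filtering (added illustration, not D-Link code).

Assumptions: RFC 4787 filtering semantics, one mapping per external port,
and the inbound-filter priority rule described in the forum post (an active
session bypasses an inbound filter only in Endpoint Independent mode).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ENDPOINT_INDEPENDENT = "endpoint_independent"
ADDRESS_RESTRICTED = "address_restricted"
PORT_AND_ADDRESS_RESTRICTED = "port_and_address_restricted"
MODES = (ENDPOINT_INDEPENDENT, ADDRESS_RESTRICTED, PORT_AND_ADDRESS_RESTRICTED)


@dataclass
class Mapping:
    lan_host: str       # internal host that opened the session
    remote_ip: str      # destination IP of the outbound packet
    remote_port: int    # destination port of the outbound packet


@dataclass
class Nat:
    mode: str
    blocked_ports: Set[int] = field(default_factory=set)   # inbound filter
    table: Dict[int, Mapping] = field(default_factory=dict)  # ext port -> Mapping

    def outbound(self, lan_host: str, ext_port: int, remote_ip: str, remote_port: int) -> None:
        """A LAN host sends a packet out; the NAT records the session."""
        self.table[ext_port] = Mapping(lan_host, remote_ip, remote_port)

    def inbound(self, src_ip: str, src_port: int, ext_port: int) -> Optional[str]:
        """Decide where an incoming packet goes: a LAN host, or None (dropped)."""
        m = self.table.get(ext_port)
        if m is None:
            # No LAN host asked for this: dropped in every mode, which is the
            # "unsolicited traffic is blocked" behaviour the question is about.
            return None
        if self.mode == ENDPOINT_INDEPENDENT:
            # Active session wins even over an inbound filter on that port.
            return m.lan_host
        # The two restricted modes let the inbound filter take effect first.
        if ext_port in self.blocked_ports:
            return None
        if self.mode == ADDRESS_RESTRICTED:
            return m.lan_host if src_ip == m.remote_ip else None
        if self.mode == PORT_AND_ADDRESS_RESTRICTED:
            same_peer = (src_ip, src_port) == (m.remote_ip, m.remote_port)
            return m.lan_host if same_peer else None
        raise ValueError(f"unknown mode {self.mode!r}")


def run_modes(blocked_ports: Set[int] = frozenset()) -> Dict[str, list]:
    """Send the same constructed traffic through each mode.

    LAN host 192.168.0.10 opens a session via external port 40000 to
    203.0.113.5:443, then four inbound packets arrive:
      0. same peer, same port            -> the reply the host asked for
      1. same peer, different source port
      2. unrelated host 198.51.100.7
      3. port 40001, no session at all
    """
    results = {}
    for mode in MODES:
        nat = Nat(mode, set(blocked_ports))
        nat.outbound("192.168.0.10", 40000, "203.0.113.5", 443)
        results[mode] = [
            nat.inbound("203.0.113.5", 443, 40000),
            nat.inbound("203.0.113.5", 8080, 40000),
            nat.inbound("198.51.100.7", 443, 40000),
            nat.inbound("203.0.113.5", 443, 40001),
        ]
    return results


if __name__ == "__main__":
    for mode, decisions in run_modes().items():
        print(f"{mode:28s} {decisions}")
    print("with port 40000 on the inbound filter:")
    for mode, decisions in run_modes({40000}).items():
        print(f"{mode:28s} {decisions}")
```

Running it shows the ordering in the post: Endpoint Independent forwards all three packets on the open port, Address Restricted only those from the peer the host contacted, and Port And Address Restricted only the exact reply. In every mode the packet to port 40001, for which no LAN host opened a session, is dropped. Adding port 40000 to the inbound filter changes nothing in Endpoint Independent mode but drops everything in the two restricted modes, which is the priority rule the post warns about.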
Title: Re: Few security questions...
Post by: P01arBear on October 04, 2009, 09:19:49 AM
Well, I would have liked a less "technical" explanation :-\ since this is a bit what was written in the FAQ of D-Link but, I guess I understand the main usage.

Now correct me if I'm wrong, but either NAT Endpoint Filtering or SPI firewall sort of act like the Alphashield, right? If you don't request data, then the router will not open ports and leave data coming in unless you set a virtual server up? (as asked in first question).