ZyXEL Communications 2WG User Manual

ZyWALL 2WG Support Notes

All contents copyright (c) 2006 ZyXEL Communications Corporation.

233

(C) To resolve this conflict, we add an option for users to allow/disallow such Triangle Route topology

in both CI command and Web configurator. You can issue this command, "sys firewall ignore triangle all

on", to allow firewall bypass triangle route checking. In Web GUI, you can find this option in firewall

setup page.

But we would like to notify that if you allow Triangle Route, any traffic will be easily injected into the

protected network through the unprotected gateway. In fact, it's a security hole in your protected network.

B15. How can I protect against IP spoofing attacks?

The ZyWALL's firewall will automatically detect the IP spoofing and drop it if the firewall is turned on.

If the firewall is not turned on we can configure a filter set to block the IP spoofing attacks. The basic

scheme is as follows:

For the input data filter:

•

Deny packets from the outside that claim to be from the inside

•

Allow everything that is not spoofing us

Filter rule setup:

•

Filter type =TCP/IP Filter Rule

•

Active =Yes

•

Source IP Addr =a.b.c.d

•

Source IP Mask =w.x.y.z

•

Action Matched =Drop

•

Action Not Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask:

For the output data filters:

•

Deny bounce back packet

•

Allow packets that originate from us

Filter rule setup:

•

Filter Type =TCP/IP Filter Rule

•

Active =Yes

•

Destination IP Addr =a.b.c.d