FreshTomato Wiki

User Tools

Site Tools

Trace:
advanced-firewall

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
advanced-firewall [2024/11/10 20:25] – [Firewall] hogwildadvanced-firewall [2024/11/27 00:42] (current) – [Multicast] hogwild
Line 8: Line 8:
 {{:pasted:20220118-182859.png}} \\ {{:pasted:20220118-182859.png}} \\
  
- \\ **WAN interfaces respond to ping and traceroute:  **lets your device reply to ping/traceroute request packets from Internet hosts. This is needed for //ping //and //traceroute to //work via the Internet. Enabling this also may be needed for proper functioning of some VPN and IPv6 protocols.+ \\ **WAN interfaces respond to ping and traceroute:  **lets your device reply to ping/traceroute request packets from Internet hosts. 
 + 
 +This is needed for //ping //and //traceroute to //work via the Internet. It also may be needed for proper functioning of some VPN or IPv6 protocols.
  
  \\  \\
  
-**Limit communication to: **specifies the maximum number of requests per second to which the Firewall replies. Setting a limit is recommended to prevent DDoS attacks.\\   \\   \\ {{:pasted:20220118-183317.png}}\\+**Limit communication to: **specifies the maximum number of requests per second to which the Firewall replies. 
 + 
 +Setting a limit is recommended to prevent DDoS attacks.\\   \\   \\ {{:pasted:20220118-183317.png}}\\
  
  \\  \\
  
-**Enable TCP SYN cookies:  **uses "SYN cookies" to protect the router from SYN Flood attacks. It encodes information from the SYN packet into the (SYN/ACK) response. It is a standard method for preventing SYN floods. However, it has limitations that may cause issues with some old TCP/IP stacks.+**Enable TCP SYN cookies:  **uses "SYN cookies" to protect the router from SYN Flood attacks. 
 + 
 +It encodes information from the SYN packet into the (SYN/ACK) response. It is a standard method for preventing SYN floods. However, it has limitations that may cause issues with some old TCP/IP stacks.
  
  \\  \\
Line 26: Line 32:
 **Allow DHCP Spoofing: **makes FreshTomato accept/process packets from DHCP servers with different IP than the one it advertises. **Allow DHCP Spoofing: **makes FreshTomato accept/process packets from DHCP servers with different IP than the one it advertises.
  
-Such behaviour is often categorized as a DHCP spoofing attack, but rarely, might be legitimate. Enabling this lowers network security.\\  \\+Such behaviour is often categorized as a DHCP spoofing attack, but rarely, might be legitimate. Using this lowers security.\\  \\
  
 **Smart MTU black hole detection:** this feature detects ICMP black holes and smartly tries to adjust the path MTU. **Smart MTU black hole detection:** this feature detects ICMP black holes and smartly tries to adjust the path MTU.
Line 35: Line 41:
 ===== NAT ===== ===== NAT =====
  
-**NAT loopback:** lets LAN devices access each other via the router's WAN interface. Also known as "Hairpinning", it's often used when connecting to the DDNS domain of your router via the LAN. These days, this setting is almost never needed. Also, it can create speed bottlenecks.+**NAT loopback:** lets LAN devices access each other via the router's WAN interface. 
 + 
 +Also known as "Hairpinning", it's often used when connecting to the DDNS domain of your router via the LAN. These days, this setting is almost never needed. Also, it can create speed bottlenecks.
  
  \\  \\
Line 49: Line 57:
 \\ \\
  
-**NAT target: **defines how NAT is implemented in loopback situations. Masquerade is the default, but involves an additional lookup, and the mapping is done towards an interface. SNAT is minutely faster, as its NAT mapping points directly to the destination IP and thus bypasses the lookup stage. However, SNAT is less reliable than Masquerade.+**NAT target: **defines how NAT is implemented in loopback situations. 
 + 
 +Masquerade is the default, but involves an additional lookup, and the mapping is done towards an interface. SNAT is minutely faster, as its NAT mapping points directly to the destination IPthus bypassing the lookup stage. However, SNAT is less reliable than Masquerade.
  
  \\  \\
Line 71: Line 81:
  \\  \\
  
-**Enable quick leave:** this IGMPv2 feature lets the router stop multicasting to an IP when the device sends a "quick leave" packet.+**Enable quick leave:** this IGMPv2 feature lets the router stop multicasting to an IP that has sent it a "quick leave" packet.
  
  \\  \\
  
-**Custom Configuration:** lets you set advanced parameters for the IGMP proxy daemon. Consult official documentation first.\\   \\+**Custom Configuration:** lets you configure advanced settings for the IGMP proxy daemon. Consult official documentation.\\   \\
  
  \\ {{:pasted:20220118-190050.png}}\\  \\  \\ {{:pasted:20220118-190050.png}}\\  \\
  
-**Enable Udpxy: **like IGMP proxy, Udpxy lets devices on different VLANs to do multicast communications. Since they are similar, use one or the other, but not both at once.+**Enable Udpxy: **like IGMP proxy, this lets devices on different VLANs do multicast communications. 
 + 
 +Since they are similar, use one or the other, but not both at the same time.
  
  \\  \\
  
-**Upstream interface** here, enter the expected stream source location. (Default: blank).+**Upstream interface**here, enter the expected stream source location. 
 + 
 +(Default: blank).
  
  \\  \\
  
-**LAN0/LAN1/LAN2/LAN3** - specifies the location streaming clients are expected to be found.+**LAN0/LAN1/LAN2/LAN3** - specifies the location streaming clients should be found.
  
  \\  \\
  
-**Enable client statistics** -causes FreshTomato to collect statistics about Udpxy clients.+**Enable client statistics:** causes FreshTomato to collect statistics about Udpxy clients.
  
  \\  \\
  
-**Max clients: **the maximum number of simultaneous Udpxy clients. Since Udpxy is is a lightweight protocol, it works well for a limited number of clients. Therefore, you might want to impose a maximum limit.+**Max clients: **the maximum number of simultaneous Udpxy clients. 
 + 
 +Udpxy is is a lightweight protocol, so it works well for a limited number of clients. You might want to set a maximum limit.
  
  \\  \\
Line 111: Line 127:
  \\  \\
  
-**Force IGMPv2** IGMPv2 enhances IGMP with additional messages/behavior to optimize end-to-end client-server communication. Probably the most important one is the "Leave Group" message. When a host wants to stop listening to a multicast group address, it reports to the router that it has stopped listening. In v1, the host simply stopped listening, without informing the router.+**Force IGMPv2**forces IGMPv2 to be used on the network. 
 + 
 +IGMPv2 enhances IGMP with additional messages/behavior to optimize end-to-end client-server communication. Probably the most important one is the "Leave Group" message. When a host wants to stop listening to a multicast group address, it reports to the router that it has stopped listening. In v1, the host simply stopped listening, without informing the router.
  
  \\  \\
advanced-firewall.1731270355.txt.gz · Last modified: 2024/11/10 20:25 by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki