feature provides a stateful firewall which tracks the state of connections routed through the filter, allowing one to easily and precisely restrict traffic.
The default policy of a firewall determines whether it drops or accepts connections by default. Cipafilter ships with the
set to ACCEPT. This mode is acceptable if the filter is in bridging mode behind another firewall. However, if the filter is the firewall for your network, we recommend setting
to DROP. The DROP policy, while giving you precise control of the traffic passing through the firewall, requires that you create rules for any traffic you wish to allow through the firewall. Tech support will be happy to assist you with the creation of appropriate rules for your
setting is an additional checkbox to Enable SIP ALG. SIP is a protocol best known for its use in VoIP telephones, and ALG (application-layer gateway) is a feature that inspects and modifies SIP traffic so that it works through NAT (network address translation). On some networks this feature causes problems for VoIP devices and can be turned off. It is enabled by default.
Firewall rule configuration is similar to that of port forwards:
specifies how the firewall should respond when the rule is triggered.
allows the traffic
blocks the traffic and notifies the client, and
blocks the traffic without notifying the client.
specifies which network protocol the rule applies to. See
specifies the destination port number(s) the rule applies to. See
specifies how sources (clients) will be identified. See
specifies the value used to identify sources (clients) which corresponds to the selected
is equivalent to
, but for the destination of the traffic to be blocked or allowed.
is equivalent to
, but for the destination of the traffic to be blocked or allowed.
controls connection logging for the rule. See
. Note that logging firewall rules
can have an even more significant performance impact than logging port forwards (especially with
rules, since each dropped packet is logged as a new connection).
The firewall is fully integrated with the port-forwarding system. Make firewall rules using the actual private IP addresses of your internal devices, not the public IP addresses from which traffic is being port-forwarded.
Connections are only matched against the firewall when they are first opened. If you change the firewall, any already established connections remain open even if the new firewall rules would prohibit them.
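The stateful matching described above, as an added Python model that is not Cipafilter's own code: it evaluates the rule fields this page lists (action, protocol, destination port, source, destination, logging) only for new flows and keeps a connection-tracking table, so a flow allowed once stays open after the rules change, while a logged drop rule logs every packet because a dropped flow never becomes established. The `Rule` and `StatefulFirewall` names, the use of CIDR strings to identify sources and destinations, and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALLOW, REJECT, DROP = "allow", "reject", "drop"   # the three rule actions


@dataclass(frozen=True)
class Rule:
    action: str
    protocol: str = "any"               # "tcp", "udp", "icmp" or "any"
    dst_ports: frozenset = frozenset()  # empty means any destination port
    src_net: str = "0.0.0.0/0"          # source identified by address/CIDR (assumed)
    dst_net: str = "0.0.0.0/0"          # destination: the device's private address
    log: bool = False

    def matches(self, proto, src, dst, port):
        return (self.protocol in ("any", proto)
                and (not self.dst_ports or port in self.dst_ports)
                and ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net))


@dataclass
class StatefulFirewall:
    default_policy: str = ALLOW        # ACCEPT as shipped; DROP needs explicit rules
    rules: list = field(default_factory=list)
    established: set = field(default_factory=set)  # connection-tracking table
    log: list = field(default_factory=list)

    def packet(self, proto, src, dst, port):
        """Decide the fate of one packet: returns ALLOW, REJECT or DROP."""
        key = (proto, src, dst, port)
        if key in self.established:    # tracked flow: rules are not re-evaluated,
            return ALLOW               # so later rule changes do not close it
        for rule in self.rules:        # new flow: first matching rule wins
            if rule.matches(proto, src, dst, port):
                if rule.log:           # a dropped flow never becomes established,
                    self.log.append((rule.action, key))  # so it logs every packet
                if rule.action == ALLOW:
                    self.established.add(key)
                return rule.action
        if self.default_policy == ALLOW:   # no rule matched: default policy decides
            self.established.add(key)
        return self.default_policy
```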
feature does not apply to the Cipafilter itself, only to the traffic flowing through it. In practice, this means rules usually apply only to traffic between two different subnets (since devices on the same subnet can communicate directly). The filter automatically adjusts its own input firewall based on the configuration of the system to ensure proper operation.
If you are experiencing a problem with ICMP traffic, enable the
and select the types of ICMP packets you wish to let through.
Always allow ICMP fragmentation-needed packets. These packets are required by Path MTU Discovery. If fragmentation-needed packets are blocked, you may experience problems where small amounts of data transfer over a connection normally, but large amounts cause the connection to hang.