Re: [BUGTRAQ] : ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS

[Dean Shih <dshih () zyxel com tw>]

In-Reply-To: <20020617171357.GA728 () fast net>

Dear Friends,

This is a ZyXEL technical support engineer. We got you report from our 
custom.To avoid internal user to access Prestige, the administrator has to 
add a extra filter rule to block destination IP= Prestige IP.

Assuem that Prestige LAN IP = 192.168.1.1 WAN IP = 200.1.1.1
The filter rule should be looked like this in Menu 21:

# A Type         Filter Rules                          M m n

 - - ---- --------------------------------------------------------
  1 Y IP   Pr=6, SA=0.0.0.0, DA=192.168.1.1, DP=21     N D N
  2 Y IP   Pr=6, SA=0.0.0.0, DA=192.168.1.1, DP=23     N D N
  3 N IP   Pr=6, SA=0.0.0.0, DA=200.1.1.1, DP=21       N D N
  4 N IP   Pr=6, SA=0.0.0.0, DA=200.1.1.1, DP=23       N D F

Rule 1 and 2, block access to LAN IP.
Rule 3 and 4, block access to WAN IP.

And then apply this filter rule in Menu 3.1 Input Protocol Filter.

For our new model, such as P643 and P5650 series, there is a feature 
named "Remote Management Control" in SMT Menu 24.11. Remote Management 
Control is for telnet, web and ftp service in Prestige. You can customize 
the service port, access interface and the secured client ip address to 
enhance the security and flexibility. We have to say sorry that P642 will 
not support this function due to lack of memory size.

                     Menu 24.11 - Remote Management Control

  TELNET Server:
     Server Port = 23     Server Access = Disable/ ALL/ LAN only/ WAN only
     Secured Client IP = 192.168.1.33

  FTP Server:
     Server Port = 21                   Server Access = Disable
     Secured Client IP = 0.0.0.0

   Web Server:
     Server Port = 80                   Server Access = LAN only
     Secured Client IP = 0.0.0.0