The firewall rules are set up in the incoming direction. There is no firewall rule in the outgoing direction, so packets are free to leave the device. (The "device" here means the IP Surveillance unit itself.)
IP Filter
This function is set up by IP_FILTER_STATE, IP_FILTER_TYPE and IP_FILTER_RULE. Packets that match the rule specified in IP_FILTER_RULE follow the action (DENY or ALLOW) given in IP_FILTER_TYPE. The ALLOW packets are then filtered by the Default Firewall Rules.
I. The default rule filters out (drops) multicast packets (224.0.0.0/4).
II. The default rule filters out the following abnormal TCP packets:
A. port-scanning packets (NMAP FIN/URG/PSH)
B. Xmas Tree packets
C. Null Scan (TCP flag field with all bits off)
D. SYN/RST
E. SYN/FIN (possibly a scan)
III. The stateful firewall allows packets belonging to established connections to pass through the firewall.
IV. Port-Limit:
Allows HTTP (80), HTTPS (443), ACTI-TCP2.0 (6001, 6002), FTP (20, 21), SSH (22) and RTSP (7070) to accept incoming connections (listening on the device), subject to the Rate-Limit.
Allows SNMP (161, 162) UDP packets.
V. Rate-Limit:
Allows at most 35 new TCP connection requests (SYN) per second.
VI. The default rule drops all remaining packets that did not match any of the rules above.
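The following is an added example, not the device's firmware code: a Python model of how Default Firewall Rules I to VI compose for a single packet, useful for checking which rule a given packet would hit before it reaches a listening service. The port list, the multicast range and the 35 SYN/s limit come from the text; the Packet fields, the per-second counter and the decision labels are assumptions.

```python
"""Model of the Default Firewall Rules (I-VI) described above. Added example,
not ACTi code; Packet layout and result labels are assumptions."""
from dataclasses import dataclass
import ipaddress

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

MULTICAST = ipaddress.ip_network("224.0.0.0/4")           # I.
LISTEN_TCP = {80, 443, 6001, 6002, 20, 21, 22, 7070}       # IV. Port-Limit (TCP)
LISTEN_UDP = {161, 162}                                     # IV. SNMP (UDP)
SYN_PER_SECOND = 35                                         # V. Rate-Limit

@dataclass
class Packet:
    dst_ip: str
    proto: str                 # "tcp" or "udp"
    dst_port: int
    flags: int = 0             # TCP flag bits; 0 for UDP
    established: bool = False  # part of a tracked connection (III.)

def abnormal_tcp(flags):
    """II. A-E: flag combinations a legitimate handshake never produces."""
    if flags == 0:                                        # C. Null scan
        return "null-scan"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):    # B. Xmas tree
        return "xmas"
    if flags & (SYN | RST) == (SYN | RST):                # D. SYN/RST
        return "syn-rst"
    if flags & (SYN | FIN) == (SYN | FIN):                # E. SYN/FIN
        return "syn-fin"
    if not flags & (SYN | ACK) and flags & (FIN | URG | PSH):  # A. FIN/URG/PSH probe
        return "fin-urg-psh-scan"
    return None

class DefaultRules:
    def __init__(self):
        self.syn_count = {}    # second -> new SYNs seen in that second

    def decide(self, pkt, now):
        """Return 'ALLOW:<rule>' or 'DROP:<rule>' for one packet at time `now`."""
        if ipaddress.ip_address(pkt.dst_ip) in MULTICAST:   # I.
            return "DROP:multicast"
        if pkt.proto == "tcp":
            why = abnormal_tcp(pkt.flags)                    # II.
            if why:
                return "DROP:" + why
            if pkt.established:                              # III.
                return "ALLOW:established"
            if pkt.dst_port not in LISTEN_TCP:               # IV.
                return "DROP:port-limit"
            if pkt.flags & SYN:                              # V.
                sec = int(now)
                self.syn_count[sec] = self.syn_count.get(sec, 0) + 1
                return "ALLOW:new-connection" if self.syn_count[sec] <= SYN_PER_SECOND else "DROP:rate-limit"
        elif pkt.proto == "udp" and pkt.dst_port in LISTEN_UDP:  # IV. SNMP
            return "ALLOW:snmp"
        return "DROP:default"                                # VI.
```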