====== Security Settings ======

===== Security Profiles =====

The Internet Gate has three freely configurable [[firewall:security profiles]]:

  * [[web GUI:security profile|Hi]] - protects the LAN from the WAN and limits outgoing traffic to web surfing and e-mail
  * [[web GUI:security profile|Lo]] - the same protection of the LAN from the WAN as Hi, but allows all outgoing traffic
  * [[web GUI:security profile|AC]] - by default the same protection as Hi

{{ :web_gui:security_page.png?227|Security page in rel 5.31}}

Even though all three profiles are freely configurable, you should leave Hi and Lo unchanged and apply your changes to profile AC. With three security profiles you can easily and instantly change the firewall security level using the **ALT** button on the front of the unit, for instance if you want to temporarily open up the firewall to let a certain program or game through.

You can change the active profile on the Security Settings page, in the [[main menu]] or with the **ALT** button. You can edit any [[web GUI:security profile]] by clicking on it.

:?: Most problems involving traffic not getting through the firewall can be solved by changing to security profile Lo.

:!: Even though security profile Lo is called "low", it still offers the same protection as Hi against incoming packets from the Internet. Only the rules for packets going out //to// the Internet are less restrictive.

===== Resource Allocation =====

The firewall in Internet Gate uses [[firewall:flows]] to statefully inspect data streams. It can handle thousands of simultaneous data streams through the firewall. In extreme cases you might still need to adjust the number of flows available to the firewall and the LAN clients.

==== Flows ====

The firewall tracks each inspected data stream with one [[firewall:flows|flow]], which records what state that stream is in.
Once the data stream is closed, the flow is returned for reuse (after a small timeout).

**In use** shows how many flows the firewall is using right now (or rather: at the moment you opened the web page; to see the current value, click refresh in your browser). **Peak** shows the highest number of flows in use at any time since the Internet Gate was turned on. **Total** is the number of flows reserved for use by the firewall. The default value depends on the amount of memory in the unit: 4000 or 10000 flows. If no Total value is visible (the field is empty), the default of 4000 applies.

If the Peak value approaches the Total value, you are recommended to increase Total, click Apply, [[:settings and administration:apply and save permanently|save permanently]] and reboot. Total should be set to at least 1000 more than Peak. For instance, if Peak is 3600 and Total is 4000, increase Total to, say, 5000. However, flows consume memory and resources in the Internet Gate; reserving too many flows may reduce overall performance.

==== Flow Quotas ====

During heavy load, when most flows are already in use, the remaining free flows should be rationed out to the LAN hosts (PCs) that need them most. In some cases, for example when running certain BitTorrent or other peer-to-peer applications, one host can use thousands of data streams, requiring thousands of flows through the firewall. Without flow quotas such a host might use up all flows, leaving the other LAN hosts unable to connect to the Internet.

Flow Quotas limit the maximum number of flows a single LAN host can use. For example, if Total is set to 4000 and the flow quota values are set to 1000, no LAN host is allowed to use more than roughly 4000 - 1000 = 3000 flows.

:!: As long as there are enough unused flows, flow quotas are inactive: any LAN host may open as many flows as it wants.
Once fewer free flows are left than the entered **If less than** value, flow quotas become active. A LAN host that already has more flows open than the **allow max** value and requests a new one is denied; applications on that host then receive no answer from the remote host. When the number of flows in use drops back below either threshold (the global one or the per-host one), new flows are allowed again.

=== QoS ===

Flow Quotas only limit regular flows going through the firewall (flows created by the firewall command MODIFY on the WAN interface). Flows used by SIP and flows to extra WAN interfaces are not affected. So even if a host already has the maximum number of flows open, placing a SIP call can still open additional flows.

=== Special scenarios ===

The default flow quota settings suit most users. There are however some special scenarios that may require changing the settings:

== Single user ==

If there is only one host behind the Internet Gate, that host should be able to use //all// flows. In that case set the **If less than** value to 0.

== Strict Quotas ==

In some cases, for example in an Internet café, you want to make sure each LAN host gets the same number of flows. For example, with 10 hosts on the LAN and Total 4000, each should have 400 flows guaranteed. In that case set the **If less than** value to the same as **Total**, and the **allow max** value to Total divided by the number of LAN hosts.
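To make the quota rule and the three scenarios concrete, here is an added Python simulation of the admission decision as this page describes it. It is example code written for this page, not the Internet Gate's own firewall code. It assumes the following readings, which the page does not pin down exactly: quotas are active while strictly fewer free flows remain than **If less than**, an active quota denies a new regular flow to a host that already holds **allow max** or more flows, and SIP or extra-WAN flows bypass the quota but still consume a flow from the pool. The host addresses and the 4000/1000/400 figures are constructed from the page's own examples.

```python
from collections import Counter


class FlowTable:
    """Models the firewall's flow pool and the flow-quota admission rule.

    Assumed reading of the page (not the Internet Gate's actual code):
    quotas are active while free < if_less_than, and an active quota
    denies a new regular flow to a host holding >= allow_max flows.
    """

    def __init__(self, total, if_less_than, allow_max):
        self.total = total                # "Total" on the Resource Allocation page
        self.if_less_than = if_less_than  # quotas activate when free flows < this
        self.allow_max = allow_max        # per-host ceiling while quotas are active
        self.per_host = Counter()         # host -> regular flows currently held
        self.exempt_in_use = 0            # SIP / extra-WAN flows (assumed to still use the pool)
        self.peak = 0                     # highest "In use" seen, like the Peak field

    @property
    def in_use(self):
        return sum(self.per_host.values()) + self.exempt_in_use

    @property
    def free(self):
        return self.total - self.in_use

    def quotas_active(self):
        return self.free < self.if_less_than

    def open_flow(self, host, exempt=False):
        """Try to allocate one flow to host; return True if admitted.

        exempt=True stands for SIP or extra-WAN flows, which the page says
        are not limited by the quota.
        """
        if self.free <= 0:
            return False                  # pool exhausted: nothing can be opened
        if exempt:
            self.exempt_in_use += 1
        elif self.quotas_active() and self.per_host[host] >= self.allow_max:
            return False                  # denied: the application sees no reply
        else:
            self.per_host[host] += 1
        self.peak = max(self.peak, self.in_use)
        return True

    def close_flow(self, host):
        """Return one regular flow to the pool (the page's small timeout is ignored)."""
        if self.per_host[host] > 0:
            self.per_host[host] -= 1


def greedy_host_ceiling(total, if_less_than, allow_max, host="192.168.1.10"):
    """Let one host (a BitTorrent-style client) open flows until denied; return how many it got."""
    ft = FlowTable(total, if_less_than, allow_max)
    while ft.open_flow(host):
        pass
    return ft.per_host[host]


def fair_share_fill(total, if_less_than, allow_max, hosts):
    """All hosts open flows round-robin until none can; return per-host counts."""
    ft = FlowTable(total, if_less_than, allow_max)
    progress = True
    while progress:
        # Evaluate every host each round (a list, so the loop does not short-circuit).
        progress = any([ft.open_flow(h) for h in hosts])
    return dict(ft.per_host)


if __name__ == "__main__":
    # Constructed figures taken from the page's examples.
    print("default 4000/1000/1000, one greedy host:", greedy_host_ceiling(4000, 1000, 1000))
    print("single user, If less than = 0:", greedy_host_ceiling(4000, 0, 1000))
    cafe = [f"192.168.1.{i}" for i in range(10, 20)]   # ten constructed LAN hosts
    print("strict 4000/4000/400, ten hosts:", fair_share_fill(4000, 4000, 400, cafe))
```

With the page's default-style values (Total 4000, both quota fields 1000) the greedy host stops at 3001 flows, which is the figure the page rounds to 3000, and the remaining hosts can still open flows because they are below **allow max**. With **If less than** set to 0 the quota never activates and the single host takes all 4000. With **If less than** equal to Total and **allow max** 400, ten hosts each end up with exactly 400, which is the Internet café guarantee.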