Security Settings

Security Profiles

The Internet Gate has three freely configurable security profiles:

  • Hi - protect LAN from WAN, limit outgoing traffic to web surf and e-mail
  • Lo - same protection of LAN from WAN as in Hi, but allow all outgoing traffic
  • AC - by default same protection as Hi

Security page in rel 5.31

Even though all three profiles are freely configurable you should leave profiles Hi and Lo unchanged and apply your changes to profile AC.

With three security profiles you can easily and instantly change the firewall security level using the ALT button on the front of the unit, for instance if you want to temporarily open up the firewall to let a certain program or game through.

You can change the active profile on the Security Settings page, from the main menu, or with the ALT button.

You can edit any security profile by clicking on it.

:?: Most problems involving traffic not getting through the firewall can be solved by switching to security profile Lo.

:!: Even though security profile Lo is called “low”, it still offers the same protection as Hi against incoming packets from the Internet. Only the rules for packets going out to the Internet are less restrictive.

Resource Allocation

The firewall in Internet Gate uses flows to statefully inspect data streams. It can handle thousands of simultaneous data streams through the firewall. In extreme cases you may still need to adjust the number of flows available to the firewall and the LAN clients.

Flows

The firewall in Internet Gate uses flows to statefully inspect data streams. Each new data stream to be inspected uses one flow to track the state of that stream. Once the data stream is closed the flow is returned for reuse (after a small timeout).

In use shows how many flows the firewall is using right now (more precisely: at the moment you opened the web page; to see the current value, reload the page in your browser).

Peak shows the absolute highest number of flows ever used since Internet Gate was turned on.

Total is the number of flows reserved for, and available to, the firewall. The default depends on the amount of memory in the unit: 4000 or 10000 flows. If no Total value is shown (field empty), the default of 4000 is in effect.

If the Peak value approaches the Total value you are recommended to increase Total, click Apply, save permanently and reboot.

Total should be set at least 1000 higher than Peak. For instance, if Peak is 3600 and Total is 4000, increase Total to, for example, 5000.

However, flows consume memory and other resources in your Internet Gate. Reserving far more flows than you need may reduce overall performance.

Flow Quotas

During heavy load, when most flows are already in use, the remaining free flows should be rationed out to the LAN hosts (PCs) that need them most. In some cases, for example when running certain BitTorrent or other peer-to-peer applications, one host can open thousands of data streams, requiring thousands of flows through the firewall. Without flow quotas such a host could use up all flows, leaving the other LAN hosts unable to connect to the Internet.

Flow quotas limit the maximum number of flows a single LAN host can use. For example, if Total is set to 4000 and the flow quota to 1000, quotas activate once fewer than 1000 flows are free, so no LAN host can hold more than 4000 - 1000 = 3000 flows.

:!: As long as there are enough unused flows, flow quotas are inactive: any LAN host may open as many flows as it wants.

When fewer flows are left than the If less than value, flow quotas become active. A LAN host that already holds its allow max number of flows (or more) and requests a new one is denied. Applications running on that host then receive no answer from the remote host.

New flows are admitted again as soon as either threshold is no longer exceeded: when enough flows have been returned that at least the If less than number are free again, or when the host's own count drops below its allow max.

QoS

Flow quotas only limit regular flows going through the firewall (flows created by the firewall command MODIFY on the WAN interface). Flows used by SIP and flows to extra WAN interfaces are not affected. Thus even if a host already has the maximum number of flows open, placing a SIP call can still open additional flows.

Special scenarios

The default flow quota settings suit most users. Some special scenarios may however require changing them:

Single user

If there is only one host behind the Internet Gate, that host should be able to use all flows. In that case set the If less than value to 0.

Strict Quotas

In some cases, for example in an Internet café, you want to make sure each LAN host gets the same number of flows. For example, with 10 hosts on the LAN and Total set to 4000, each host should have 400 flows guaranteed. In that case set the If less than value to the same as Total, and the allow max value to Total divided by the number of LAN hosts.

web_gui/security_page.txt · Last modified: 2012/10/16 11:29 by tibor
CC Attribution-Noncommercial-Share Alike 3.0 Unported