D-Link NetDefendOS User Manual page 169

Tip: Specifying source ports
It is usual with many services that the source ports are left as their default value which is
the range 0-65535 (corresponding to all possible source ports).
With certain application, it can be useful to also specify the source port if this is always
within a limited range of values. Making the service definition as narrow as possible is
the recommended approach.
Other Service Properties
Apart from the basic protocol and port information, TCP/UDP service objects also have several
other properties:
• Forward ICMP Errors
If an attempt to open a TCP connection is made by a user application behind the NetDefend
Firewall and the remote server is not in operation, an ICMP error message is returned as the
response. Such ICMP messages are interpreted by NetDefendOS as new connections and will
be dropped unless an IP rule explicitly allows them.
The Allow ICMP errors for active connections property allows such ICMP messages to be
automatically passed back to the requesting application. In some cases, it is useful that the
ICMP messages are not dropped. For example, if an ICMP quench message is sent to reduce
the rate of traffic flow. On the other hand, dropping ICMP messages increases security by
preventing them being used as a means of attack.
• Enable IPv4 Path MTU Discovery
This can be enabled only if the Allow ICMP Errors property is enabled and permits the relaying
of path MTU discovery ICMP messages. This feature is discussed further in Section 3.3.7, "Path
MTU Discovery".
• SYN Flood Protection
This option allows a TCP based service to be configured with protection against SYN Flood
attacks. This option only exists for the TCP/IP service type.
For more details on how this feature works see Section 6.7.8, "TCP SYN Flood Attacks".
• ALG
A TCP/UDP service can be linked to an Application Layer Gateway (ALG) to enable deeper
inspection of certain protocols. This is the way that an ALG is associated with an IP rule. First,
associate the ALG with a service and then associate the service with an IP rule.
For more information on this topic see Section 6.2, "ALGs".
• Max Sessions
covered using a port definition specified as 135-139,445.
HTTP and HTTPS can be covered by specifying destination
ports 80,443.
169
Chapter 3: Fundamentals