Creating A Custom Tcp/Udp Service - D-Link NetDefendOS User Manual

An important parameter associated with a service is Max Sessions. This parameter is given a
default value when the service is associated with an ALG. The default value varies according
to the ALG it is associated with. If the default is, for example 100, this would mean that only
100 connections are allowed in total for this service across all interfaces.
For a service involving, for example, an HTTP ALG the default value can often be too low if
there are large numbers of clients connecting through the NetDefend Firewall. It is therefore
recommended to consider if a higher value is required for a particular scenario.
Specifying All Services
When setting up rules that filter by services it is possible to use the service object called
all_services to refer to all protocols. However, using this is not recommended and specifying a
narrower service provides better security.
If, for example, the requirement is only to filter using the principal protocols of TCP, UDP and
ICMP then the service group all_tcpudpicmp can be used instead.
Tip: The http-all service does not include DNS
A common mistake is to assume that the predefined service http-all includes the DNS
protocol. It does not so the predefined service dns-all is usually also required for most
web surfing. This could be included in a group with http-all and then associated with
the IP rules that allow web surfing.
Restrict Services to the Minimum Necessary
When choosing a service object to construct a policy such as an IP rule, the protocols included in
that object should be as few as necessary to achieve the traffic filtering objective. Using the
all_services object may be convenient but removes any security benefits that a more specific
service object could provide.
The best approach is to narrow the service filter in a security policy so it allows only the protocols
that are absolutely necessary. The all_tcpudpicmp service object is often a first choice for general
traffic but even this may allow many more protocols than are normally necessary and the
administrator can often narrow the range of allowed protocols further.
Example 3.16. Creating a Custom TCP/UDP Service
This example shows how to add a TCP/UDP service, using destination port 3306, which is used by
MySQL:
Command-Line Interface
gw-world:/> add Service ServiceTCPUDP MySQL
Web Interface
1. Go to: Objects > Services > Add > TCP/UDP service
DestinationPorts=3306
Type=TCP
170
Chapter 3: Fundamentals