Icmp Services - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01

Application Layer Gateways
Max Sessions
An important parameter associated with a service is Max Sessions. This parameter is allocated a
default value when the service is associated with an ALG. The default value varies according to the
ALG it is associated with. If the default is, for example, 100, this means that only 100
connections are allowed in total for this service across all interfaces.
For a service involving, for example, an HTTP ALG, the default value can often be too low if there
are large numbers of clients connecting through the NetDefend Firewall. It is therefore
recommended to consider whether a higher value is required for a particular scenario.
Specifying All Services
When setting up rules that filter by services it is possible to use the service object called all_services
to refer to all protocols. If, for example, the requirement is only to filter on the principal protocols of
TCP, UDP and ICMP then the service group all_tcpudpicmp can be used instead.
Restrict Services to the Minimum Necessary
When choosing a service object to construct a policy such as an IP rule, the protocols included in
that object should be as few as necessary to achieve the traffic filtering objective. Using the
all_services object may be convenient but removes any security benefits that a more specific service
object could provide.
The best approach is to narrow the service filter in a security policy so that it allows only the protocols
that are absolutely necessary. The all_tcpudpicmp service object is often a first choice for general
traffic, but even this may allow many more protocols than are normally necessary, and the
administrator can often narrow the range of allowed protocols further.
3.2.3. ICMP Services
Internet Control Message Protocol (ICMP) is a protocol integrated with IP for error reporting and
transmitting control information. The PING service, for example, uses ICMP to test Internet
connectivity.
ICMP messages are delivered in IP packets and include a Message Type that specifies the type,
that is, the format of the ICMP message, and a Code that further qualifies the message. For
example, the message type Destination Unreachable uses the Code parameter to specify the exact
reason for the error.
The ICMP message types that can be configured in NetDefendOS are listed as follows:
Echo Request: sent by PING to a destination in order to check connectivity.
Destination Unreachable: the source is told that a problem has occurred when delivering a
packet. There are codes from 0 to 5 for this type:
Code 0: Net Unreachable
Code 1: Host Unreachable
server is not in operation, an ICMP error message is returned
as the response. These ICMP errors can either be ignored or
allowed to pass through, back to the requesting application.
A TCP/UDP service can be linked to an Application Layer
Gateway (ALG) to enable deeper inspection of certain
protocols. For more information see Section 6.2, "ALGs".
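The type/code structure described above, as an added example written for this page (not code from the manual or from NetDefendOS): a small Python parser that verifies the ICMP checksum, names the message, and for Destination Unreachable errors extracts the embedded original IP header that a stateful firewall uses to match the error back to the connection that triggered it. Destination Unreachable codes 2 to 5 are taken from RFC 792 because the manual's list is cut off here; the sample packet is constructed.

```python
import struct
# Types and Destination Unreachable codes 0-1 are the ones the manual lists;
# codes 2-5 are taken from RFC 792.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                     2: "Protocol Unreachable", 3: "Port Unreachable",
                     4: "Fragmentation Needed", 5: "Source Route Failed"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode type/code and, for Destination Unreachable, the embedded IP header
    + 8 bytes of the original datagram a stateful firewall matches against."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    mtype, code, _chk = struct.unpack("!BBH", msg[:4])
    result = {"type": ICMP_TYPES.get(mtype, "type %d" % mtype), "code": code,
              "checksum_ok": icmp_checksum(msg) == 0}
    if mtype == 3:
        result["reason"] = UNREACHABLE_CODES.get(code, "code %d" % code)
        inner = msg[8:]                      # original IP header + 8 bytes
        ihl = (inner[0] & 0x0F) * 4 if inner else 0
        if ihl < 20 or len(inner) < ihl + 8:
            raise ValueError("truncated inner datagram in ICMP error")
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        result["original"] = {"proto": inner[9],
                              "src": ".".join(map(str, inner[12:16])),
                              "dst": ".".join(map(str, inner[16:20])),
                              "sport": sport, "dport": dport}
    return result

def build_unreachable(code: int, inner: bytes) -> bytes:
    """Assemble a Destination Unreachable message with a correct checksum."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + inner
    return struct.pack("!BBHI", 3, code, icmp_checksum(body), 0) + inner

# Constructed sample: IPv4 header + first 8 bytes of a UDP DNS query from
# 192.0.2.10:40000 to 198.51.100.5:53 that reached a closed port.
INNER = (bytes([0x45, 0, 0, 36, 0, 0, 0x40, 0, 64, 17, 0, 0])
         + bytes([192, 0, 2, 10, 198, 51, 100, 5])
         + struct.pack("!HHHH", 40000, 53, 16, 0))
SAMPLE = build_unreachable(3, INNER)
```

A firewall that lets such errors "pass through, back to the requesting application" does so only when the extracted original tuple matches an entry in its state table; a message with a bad checksum or a truncated inner datagram has nothing to match and is dropped.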
83
Chapter 3. Fundamentals