D-Link DFL-260E User Manual page 519

13.2. TCP Level Settings
Chapter 13. Advanced Settings
TCP sequence number validation is only possible on connections tracked by the state-engine (not on
packets forwarded using a FwdFast rule).
Possible values are:
Ignore - Do not validate. Means that sequence number validation is completely turned off.
ValidateSilent - Validate and pass on.
ValidateLogBad - Validate and pass on, log if bad.
ValidateReopen - Validate reopen attempt like normal traffic; validate and pass on.
ValidateReopenLog - Validate reopen attempts like normal traffic; validate, log if bad.
ReopenValidate - Do not validate reopen attempts at all; validate and pass on.
ReopenValidLog - Do not validate reopen attempts at all; validate, log if bad.
Default: ValidateLogBad
Notes on the TCPSequenceNumbers setting
The default ValidateLogBad (or the alternative ValidateSilent) will allow the de-facto behavior of
TCP re-open attempts, meaning that they will reject re-open attempts with a previously used
sequence number.
ValidateReopen and ValidReopenLog are special settings giving the default behavior found in older
NetDefendOS versions where only re-open attempts using a sequence number falling inside the
current (or last used) TCP window will be allowed. This is more restrictive than
ValidateLogBad/ValidateSilent, and will block some valid TCP re-open attempts. The most
significant impact of this will be that common web-surfing traffic (short but complete transactions
requested from a relatively small set of clients, randomly occurring with an interval of a few
seconds) will slow down considerably, while most "normal" TCP traffic will continue to work as
usual.
Using either ValidateReopen or ValidateReopenLog is, however, not recommended since the same
effect can be achieved by disallowing TCP re-open attempts altogether. These settings exist mostly
for backwards compatibility.
ReopenValidate and ReopenValidLog are less restrictive variants than ValidateLogBad or
ValidateSilent. Certain clients and/or operating systems might attempt to use a randomized sequence
number when re-opening an old TCP connection (usually out of a concern for security) and this may
not work well with these settings. Again, web-surfing traffic is most likely to be affected, although
the impact is likely to occur randomly. Using these values instead of the default setting will
completely disable sequence number validation for TCP re-open attempts. Once the connection has
been established, normal TCP sequence number validation will be resumed.
Allow TCP Reopen
Allow clients to re-open TCP connections that are in the closed state.
Default: Disabled
519