D-Link NetDefendOS User Manual page 857

Default: DropLog
TCP NULL
Specifies how NetDefendOS will deal with TCP packets that do not have any of the SYN, ACK, FIN
or RST flags turned on. According to the TCP standard, such packets are illegal and are used by
both OS Fingerprinting and stealth port scanners, as some firewalls are unable to detect them.
Default: DropLog
TCP Sequence Numbers
Determines if the sequence number range occupied by a TCP segment will be compared to the
receive window announced by the receiving peer before the segment is forwarded.
TCP sequence number validation is only possible on connections tracked by the state-engine
(not on packets forwarded using a FwdFast rule).
Possible values are:
• Ignore - Do not validate. Means that sequence number validation is completely turned off.
• ValidateSilent - Validate and pass on.
• ValidateLogBad - Validate and pass on, log if bad.
• ValidateReopen - Validate reopen attempt like normal traffic; validate and pass on.
• ValidateReopenLog - Validate reopen attempts like normal traffic; validate, log if bad.
• ReopenValidate - Do not validate reopen attempts at all; validate and pass on.
• ReopenValidLog - Do not validate reopen attempts at all; validate, log if bad.
Default: ValidateLogBad
Notes on the TCPSequenceNumbers setting
The default ValidateLogBad (or the alternative ValidateSilent) will allow the de-facto behavior of
TCP re-open attempts, meaning that they will reject re-open attempts with a previously used
sequence number.
ValidateReopen and ValidReopenLog are special settings giving the default behavior found in
older NetDefendOS versions where only re-open attempts using a sequence number falling
inside the current (or last used) TCP window will be allowed. This is more restrictive than
ValidateLogBad/ValidateSilent, and will block some valid TCP re-open attempts. The most
significant impact of this will be that common web-surfing traffic (short but complete
transactions requested from a relatively small set of clients, randomly occurring with an interval
of a few seconds) will slow down considerably, while most "normal" TCP traffic will continue to
work as usual.
Using either ValidateReopen or ValidateReopenLog is, however, not recommended since the same
effect can be achieved by disallowing TCP re-open attempts altogether. These settings exist
mostly for backwards compatibility.
ReopenValidate and ReopenValidLog are less restrictive variants than ValidateLogBad or
ValidateSilent. Certain clients and/or operating systems might attempt to use a randomized
sequence number when re-opening an old TCP connection (usually out of a concern for security)
and this may not work well with these settings. Again, web-surfing traffic is most likely to be
affected, although the impact is likely to occur randomly. Using these values instead of the
default setting will completely disable sequence number validation for TCP re-open attempts.
Once the connection has been established, normal TCP sequence number validation will be
resumed.
857
Chapter 13: Advanced Settings