Digi Connect WAN Series User Manual page 75

Digi Connect WAN Family web interface
• Request Retries Per DNS Server: Specifies the number of retries using the same DNS server,
  for a specific DNS client request that is retried (retransmitted) by the DNS client. There is
  always one "try" but the number of retries is configurable.
• For new client requests received when the request cache is full:
  Specifies how to handle new client requests when the maximum number of client request
  entries is already being serviced (the request cache is full). There are two choices for this
  option:
  - Replace the Least Recently Used (LRU) client request with the new request: Remove the
    least recently used entry from the cache, and add an entry for the new client request.
  - Discard (ignore) new requests until some existing requests have expired:
    Silently discard the new client request, and do this for all future new requests until one or more
    entries have expired and been removed from the request cache.
Network Port Scan Cloaking
The Network Port Scan Cloaking feature allows you to configure this Digi device to ignore (discard)
received packets for services that are hidden or not enabled and network ports that are not open.
Malicious software on the Internet may scan IP addresses, protocols, and ports to try to gain access
to hosts. You can use the Network Port Scan Cloaking feature to prevent sending responses to the
originator for ping and for TCP and UDP ports that do not have an associated service. The default
operation is that, when a TCP connection request is received for a port that is not open/bound, the
Digi device will send a TCP reset reply to inform the originator that the service is not available.
Similarly, by default, when a UDP datagram is received for a port that is not open/bound,
the Digi device will send an ICMP port unreachable packet to inform the originator that the service is
not available. For the DNS Proxy feature, you can configure specific network interfaces to ignore
(discard) requests that are received from that interface, without otherwise acting on them.
These actions, which are common behaviors in accordance with established protocol standards,
effectively inform the originator that it has found a valid IP destination. The originator may continue to
probe other ports to gain access to the Digi device. In addition, such reply packets may have a
monetary cost for mobile network services such as cellular or WiMAX. Enabling the cloaking feature
can help both manage the port scanning threat and reduce overall data costs.
You can configure your Digi device to activate cloaking on a global basis, as well as for individual
network interfaces that are available on your Digi device. By enabling the cloak for individual protocols
and interfaces, you prevent the possibility of sending reply packets to the originator under the
conditions described above.
Note: If you enable cloaking on a global basis for a particular protocol, that selection overrides the
selections for the interface-specific settings. For example, enabling cloaking for ping in the global
group overrides a disabled selection for the eth0 (Ethernet) interface.
• Enable Network Port Scan Cloaking: Enables the Network Port Scan Cloaking feature on this
  Digi device.
• Scan Cloaking: Ping: Enables/disables cloaking for ping requests. Replies will not be sent for
  received ping requests.
• Scan Cloaking: TCP: Enables/disables cloaking for TCP connection requests for which no
  service is available.
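To confirm that the Scan Cloaking: TCP setting has taken effect, you can check from another host how the device answers a connection request to a port with no service. The following Python code is an added example, not part of the Digi manual or Digi software; the function names, the 2-second timeout and the constructed loopback demo are assumptions made for illustration.

```python
import socket


def classify_tcp_reply(host, port, timeout=2.0):
    """Classify how `host` answers a TCP connection request to `port`.

    "service": handshake completed, so a service is bound to the port.
    "reset":   a TCP reset came back, the default reply for an unbound port.
    "silent":  no reply before the timeout, which is what cloaking produces
               (a firewall or packet loss on the path looks the same).
    "error":   the request could not be sent or the network reported an error.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "service"
    except ConnectionRefusedError:
        return "reset"
    except (socket.timeout, TimeoutError):
        return "silent"
    except OSError:
        return "error"
    finally:
        sock.close()


def uncloaked_ports(host, ports, timeout=2.0):
    """Return the ports in `ports` that still answer with a TCP reset."""
    return [p for p in ports if classify_tcp_reply(host, p, timeout) == "reset"]


def loopback_demo():
    """Constructed offline demo: one listening and one unbound loopback port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))       # reserve a free port number...
    unbound = spare.getsockname()[1]
    spare.close()                      # ...then release it so nothing listens
    try:
        bound = listener.getsockname()[1]
        return (classify_tcp_reply("127.0.0.1", bound),
                classify_tcp_reply("127.0.0.1", unbound),
                uncloaked_ports("127.0.0.1", [bound, unbound]) == [unbound])
    finally:
        listener.close()
```

Run `uncloaked_ports` against your own Digi device from a host on the interface being checked, using ports you know have no service; with TCP cloaking enabled for that interface the returned list should be empty and each port should classify as "silent" rather than "reset".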
Digi Connect WAN Family User Guide
Configuration through the web interface