Tip: Specifying source ports
It is usual with many services that the source ports are left as their default value which
is the range 0-65535 (corresponding to all possible source ports).
With certain application, it can be useful to also specify the source port if this is
always within a limited range of values. Making the service definition as narrow as
possible is the recommended approach.
Other Service Properties
Apart from the basic protocol and port information, TCP/UDP service objects also have several
other properties:
•
SYN Flood Protection
This option allows a TCP based service to be configured with protection against SYN Flood
attacks. This option only exists for the TCP/IP service type.
For more details on how this feature works see Section 6.6.8, “TCP SYN Flood Attacks”.
•
Pass ICMP Errors
If an attempt to open a TCP connection is made by a user application behind the NetDefend
Firewall and the remote server is not in operation, an ICMP error message is returned as the
response. Such ICMP messages are interpreted by NetDefendOS as new connections and will be
dropped unless an IP rule explicitly allows them.
The Pass returned ICMP error messages from destination option allows such ICMP
messages to be automatically passed back to the requesting application. In some cases, it is
useful that the ICMP messages are not dropped. For example, if an ICMP quench message is
sent to reduce the rate of traffic flow. On the other hand, dropping ICMP messages increases
security by preventing them being used as a means of attack.
•
ALG
A TCP/UDP service can be linked to an Application Layer Gateway (ALG) to enable deeper
inspection of certain protocols. This is the way that an ALG is associated with an IP rule. First,
associate the ALG with a service and then associate the service with an IP rule.
For more information on this topic see Section 6.2, “ALGs”.
•
Max Sessions
An important parameter associated with a service is Max Sessions. This parameter is allocated a
default value when the service is associated with an ALG. The default value varies according to
the ALG it is associated with. If the default is, for example 100, this would mean that only 100
connections are allowed in total for this service across all interfaces.
For a service involving, for example, an HTTP ALG the default value can often be too low if
there are large numbers of clients connecting through the NetDefend Firewall. It is therefore
recommended to consider if a higher value is required for a particular scenario.
Specifying All Services
When setting up rules that filter by services it is possible to use the service object called all_services
3.2.2. Creating Custom Services
Chapter 3. Fundamentals
88
Summary of Contents for DFL-1600 - Security Appliance
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Page 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...