Firewall, 8.3 The BAT Firewall (page 266)
BAT54-Rail/F.. Release 7.54, 06/08
Sometimes a connection is closed according to the general TCP aging settings before all of the data packets requested by an earlier inquiry have arrived from the remote station. In this case an entry for a permitted connection may still exist in the connection list although the connection itself no longer exists. The "Session recovery" parameter determines how the firewall treats packets that belong to such a former connection:
- Always denied: The firewall never re-establishes the session and discards the packet.
- Denied for default route: The firewall re-establishes the session only if the packet was not received via the default route (e.g. the Internet).
- Denied for WAN: The firewall re-establishes the session only if the packet was not received over one of the WAN interfaces.
- Always allowed: The firewall always re-establishes the connection if the packet belongs to a former connection in the connection list.
Note that with "Always allowed" a single packet matching a stale entry re-opens the session regardless of the interface it arrives on, so a host on the Internet side can revive an aged-out session without any new connection setup from the inside; the three restrictive settings prevent this for the default route, for all WAN interfaces, or entirely.
Ping blocking
One method of increasing security, though not an undisputed one, is to hide the router, loosely following the principle "whoever cannot see me will not try to attack me either". Many attacks begin with a search for hosts and open ports using seemingly harmless inquiries, for example the "ping" command or a port scan. Every answer to such an inquiry, even the answer "I'm not here", tells the attacker that a potential target exists, because whatever answers must exist. To prevent this conclusion, the BAT can suppress the answers to these inquiries.
To achieve this, the BAT can be instructed to stop answering ICMP echo requests. At the same time, the TTL-exceeded messages that "traceroute" relies on are suppressed, so that the BAT cannot be discovered with either "ping" or "traceroute".
This hides the router from ICMP-based probing only: any service that is reachable through the firewall still answers a TCP probe to its port, so ping blocking complements restrictive filter rules rather than replacing them. Suppressing TTL-exceeded messages also hides the BAT from your own traceroute-based troubleshooting.
Possible settings are:
- Off: ICMP answers are not blocked.
- Always: ICMP answers are always blocked.
- WAN only: ICMP answers are blocked on all WAN connections.
- Default route only: ICMP answers are blocked on the default route (usually the Internet).
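The interface-dependent behaviour of the two settings above (session recovery and ping blocking) is easiest to compare by modelling it. The following Python model is an added example written for this page; it is not BAT firmware code and the names `BatFirewallModel`, `TcpPacket` and `late_data_scenario` are hypothetical. It assumes a constructed interface layout (LAN, WAN1 carrying the default route, WAN2 as a second WAN interface), a constructed TCP aging time of 300 seconds and constructed packet data. It replays the session-recovery scenario (a permitted connection ages out, then a late data packet of that flow arrives) under each setting, and evaluates the ping-blocking setting per ingress interface.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed interface layout: WAN1 carries the default route, WAN2 is a
# second WAN interface (e.g. a backup link).  Enum names mirror the manual.
Iface = Enum("Iface", "LAN WAN1 WAN2")
SessionRecovery = Enum(
    "SessionRecovery",
    "ALWAYS_DENIED DENIED_FOR_DEFAULT_ROUTE DENIED_FOR_WAN ALWAYS_ALLOWED")
PingBlocking = Enum("PingBlocking", "OFF ALWAYS WAN_ONLY DEFAULT_ROUTE_ONLY")


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    iface: Iface       # interface the packet arrived on
    syn: bool = False  # True only for a connection-opening SYN


class BatFirewallModel:
    """Toy model (hypothetical name) of the connection list with TCP aging,
    session recovery and ping blocking.  Not BAT firmware code."""

    def __init__(self, recovery, ping_blocking, tcp_aging=300,
                 default_route_iface=Iface.WAN1,
                 wan_ifaces=frozenset({Iface.WAN1, Iface.WAN2})):
        self.recovery = recovery
        self.ping_blocking = ping_blocking
        self.tcp_aging = tcp_aging
        self.default_route_iface = default_route_iface
        self.wan_ifaces = wan_ifaces
        self.active = {}     # flow key -> time of the last packet seen
        self.former = set()  # aged out, but still listed as former connections

    @staticmethod
    def key(pkt):
        # Both directions of a flow map to the same key.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def age(self, now):
        """General TCP aging: idle flows leave the active table."""
        for k, last in list(self.active.items()):
            if now - last >= self.tcp_aging:
                del self.active[k]
                self.former.add(k)

    def recovery_allowed(self, iface):
        """Session recovery decision for a packet arriving on `iface`."""
        r = self.recovery
        if r is SessionRecovery.ALWAYS_DENIED:
            return False
        if r is SessionRecovery.DENIED_FOR_DEFAULT_ROUTE:
            return iface is not self.default_route_iface
        if r is SessionRecovery.DENIED_FOR_WAN:
            return iface not in self.wan_ifaces
        return True  # ALWAYS_ALLOWED

    def accept_tcp(self, pkt, now):
        """Return (accepted, reason) for a TCP packet seen at time `now`."""
        self.age(now)
        k = self.key(pkt)
        if k in self.active:
            self.active[k] = now
            return True, "active connection"
        if pkt.syn and pkt.iface is Iface.LAN:
            self.active[k] = now
            return True, "new outbound connection"
        if k in self.former:
            if self.recovery_allowed(pkt.iface):
                self.former.discard(k)
                self.active[k] = now
                return True, "session re-established"
            return False, "session recovery denied on " + pkt.iface.name
        return False, "no matching connection"

    def answers_icmp(self, iface):
        """Does the router answer an ICMP echo request (or emit the
        TTL-exceeded message traceroute relies on) for a probe on `iface`?"""
        p = self.ping_blocking
        if p is PingBlocking.OFF:
            return True
        if p is PingBlocking.ALWAYS:
            return False
        if p is PingBlocking.WAN_ONLY:
            return iface not in self.wan_ifaces
        return iface is not self.default_route_iface  # DEFAULT_ROUTE_ONLY


def late_data_scenario(recovery, late_iface=Iface.WAN1):
    """A LAN host opens a connection, the entry ages out, then a late data
    packet of that flow arrives on `late_iface`.  Constructed sample data."""
    fw = BatFirewallModel(recovery, PingBlocking.OFF, tcp_aging=300)
    syn = TcpPacket("192.168.1.10", 40000, "203.0.113.5", 80, Iface.LAN, syn=True)
    fw.accept_tcp(syn, now=0)
    late = TcpPacket("203.0.113.5", 80, "192.168.1.10", 40000, late_iface)
    return fw.accept_tcp(late, now=600)
```

Running `late_data_scenario` with each `SessionRecovery` value shows that only "Always allowed" accepts the late packet from the default-route interface, "Denied for default route" accepts it when it arrives on WAN2 instead, and "Denied for WAN" accepts it only from the LAN side; `answers_icmp` applies the same interface classification to the ping-blocking setting.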