Hirschmann BAT54-Rail - Page 267
Firewall
BAT54-Rail/F.. Release 7.54 06/08
8.3 The BAT Firewall
267
TCP Stealth mode

Apart from ICMP messages, the behavior of a host on TCP and UDP connection attempts also reveals whether or not a host exists at the addressed address. If there is no listener for the requested port, a host normally answers a TCP packet with a TCP reset (RST) and a UDP packet with an ICMP "port unreachable" message, which tells the sender that the address is in use. Depending on the surrounding network it can be useful to silently discard such TCP and UDP packets instead of answering them. The desired behavior can be set in the BAT.
Note: If ports without a listener are hidden, this causes a problem on masqueraded connections, because the "auth" ("ident") service no longer works properly: ident requests are no longer correctly rejected and run into a timeout instead. The corresponding port can therefore be treated separately ('Mask authentication port', page 267).
Possible settings are:
- Off: All ports are closed; TCP packets to ports without a listener are answered with a TCP reset.
- Always: All ports are hidden; TCP packets to ports without a listener are silently discarded.
- WAN only: Ports are hidden on the WAN side and closed on the LAN side.
- Default route only: Ports are hidden on the default route (usually the Internet) and closed on all other routes.
Mask authentication port

When TCP and UDP ports are hidden, the queries that mail servers send to the ident ("auth") service (TCP port 113) to identify the connecting user can no longer be answered correctly. The queries run into a timeout, and the delivery of mail is delayed considerably.

Therefore, even when TCP Stealth mode is active, the firewall detects that a station in the LAN is establishing a connection to a mail server. As a result, the required port is taken out of hiding for a short time (20 seconds), solely for the authentication query: the query is rejected immediately with a TCP reset instead of being silently discarded, so the mail server does not wait for a timeout.

This behavior of the firewall in TCP Stealth mode can be suppressed specifically with the parameter "Always mask authentication port, too".

Note: Activating the option "Mask authentication port" can lead to considerable delays in sending and receiving e.g. e-mail or news!

A mail or news server that requests additional information about the user via this service first runs into an annoying timeout before it starts to deliver the mail. This service therefore needs its own switch to decide whether it is hidden or handled "conformingly", i.e. rejected as the protocol expects.

The difficulty is that a setting which hides all ports but rejects the ident port is unreasonable, if only because rejecting the ident port at all times would make the BAT visible. This is why the port is rejected only briefly, and only after an outgoing mail connection has been detected.
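The interplay between the stealth mode, the interface and the 20-second ident exception is easier to follow as a decision model. The following class is an added illustration and not the device's firmware: the four mode names, the LAN/WAN distinction and the 20-second window come from the manual text, and ident on TCP port 113 comes from RFC 1413. The set of destination ports taken as "mail or news server", the scoping of the window to the server that was contacted, and all identifiers and addresses are assumptions made for the example.

```python
"""Decision model for the stealth behaviour on packets to ports without a
listener, including the short exception for the ident ("auth") port.
Added example, not the BAT's own code; see the lead-in for what is assumed."""
from dataclasses import dataclass, field

IDENT_PORT = 113                       # RFC 1413 ident/auth service
MAIL_NEWS_PORTS = {25, 110, 119, 143}  # ASSUMED: SMTP, POP3, NNTP, IMAP
AUTH_WINDOW = 20.0                     # seconds, from the manual


@dataclass
class StealthPolicy:
    # "off", "always", "wan_only" or "default_route_only" (the four settings)
    mode: str
    # the parameter "Always mask authentication port, too"
    always_mask_auth: bool = False
    # ASSUMED bookkeeping: server address -> time of last outgoing LAN connection
    mail_peers: dict = field(default_factory=dict)

    def note_outgoing(self, src_iface, dst_ip, dst_port, now):
        """Record an outgoing (masqueraded) connection attempt from the LAN.
        Only connections to mail/news servers matter for the ident exception."""
        if src_iface == "lan" and dst_port in MAIL_NEWS_PORTS:
            self.mail_peers[dst_ip] = now

    def hidden_on(self, iface, on_default_route):
        """Does the configured mode hide (drop) on this interface/route?"""
        if self.mode == "off":
            return False
        if self.mode == "always":
            return True
        if self.mode == "wan_only":
            return iface == "wan"
        if self.mode == "default_route_only":
            return on_default_route
        raise ValueError("unknown stealth mode: %r" % self.mode)

    def respond(self, iface, on_default_route, src_ip, dst_port, has_listener, now):
        """Decide how an incoming packet is answered.

        'accept' : a listener exists, normal processing
        'rst'    : port is "closed": TCP reset (ICMP port unreachable for UDP)
        'drop'   : port is "hidden": the packet is silently discarded
        """
        # forget mail connections older than the 20 s window
        self.mail_peers = {ip: t for ip, t in self.mail_peers.items()
                           if now - t <= AUTH_WINDOW}
        if has_listener:
            return "accept"
        if not self.hidden_on(iface, on_default_route):
            return "rst"
        # Stealth applies. The one exception: an ident query from a mail server
        # that a LAN station has just contacted is rejected properly, so the
        # server does not wait for a timeout, unless "always mask" is set.
        if (dst_port == IDENT_PORT and not self.always_mask_auth
                and src_ip in self.mail_peers):
            return "rst"
        return "drop"


def scenario():
    """Walk through the situation the manual describes; returns the decisions."""
    fw = StealthPolicy(mode="wan_only")
    mail_server, other_host = "198.51.100.10", "203.0.113.7"  # constructed addresses
    out = []
    # 1. before any mail traffic: an ident probe from the WAN is silently dropped
    out.append(fw.respond("wan", True, mail_server, IDENT_PORT, False, now=0.0))
    # 2. a LAN station opens SMTP to the mail server
    fw.note_outgoing("lan", mail_server, 25, now=1.0)
    # 3. within 20 s that server's ident query gets a proper reset ...
    out.append(fw.respond("wan", True, mail_server, IDENT_PORT, False, now=5.0))
    # 4. ... while an unrelated host probing 113 still sees nothing
    out.append(fw.respond("wan", True, other_host, IDENT_PORT, False, now=5.0))
    # 5. other hidden ports stay hidden, even for the mail server
    out.append(fw.respond("wan", True, mail_server, 22, False, now=5.0))
    # 6. after the window has passed, the ident port is hidden again
    out.append(fw.respond("wan", True, mail_server, IDENT_PORT, False, now=22.0))
    # 7. on the LAN side, "WAN only" keeps ports closed, never hidden
    out.append(fw.respond("lan", False, "192.168.1.5", IDENT_PORT, False, now=22.0))
    # 8. "Always mask authentication port, too" suppresses the exception
    strict = StealthPolicy(mode="wan_only", always_mask_auth=True)
    strict.note_outgoing("lan", mail_server, 25, now=1.0)
    out.append(strict.respond("wan", True, mail_server, IDENT_PORT, False, now=5.0))
    return out


if __name__ == "__main__":
    print(scenario())
```

Step 6 is the point the manual makes in its last paragraph: rejecting port 113 permanently would reveal the device, so the reset is only sent inside the short window after an outgoing mail connection, and step 8 shows the trade-off when the window is disabled and the mail server has to wait for its timeout.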
