some additional information about the actual addresses or ports is present in the packet payload,
which is not visible to the NAT procedures, as they only look at the IP, UDP and TCP headers, not
inside the packets. For these protocols to work correctly, a connection tracking helper is needed to
work around such design issues. You may enable and disable helpers here (you may want to disable
some of them to increase performance, or if some protocols are being detected incorrectly).
Note that you cannot add or remove helpers, only enable or disable the
existing ones.
Property Description
name - protocol name
ports ( integer ) - port range that is used by the protocol (only some helpers need this)
General Firewall Information
Description
ICMP TYPE:CODE values
In order to protect your router and attached private networks, you need to configure the firewall to
drop or reject most ICMP traffic. However, some ICMP packets are vital to maintaining network
reliability or providing troubleshooting services.
The following is a list of ICMP TYPE:CODE values found in good packets. It is generally
suggested to allow these types of ICMP traffic.
• Ping
  • 8:0 - echo request
  • 0:0 - echo reply
• Trace
  • 11:0 - TTL exceeded
  • 3:3 - Port unreachable
• Path MTU discovery
  • 3:4 - Fragmentation-DF-Set
General suggestion to apply ICMP filtering
• Allow ping—ICMP Echo-Request outbound and Echo-Reply messages inbound
• Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound
• Allow path MTU—ICMP Fragmentation-DF-Set messages inbound
• Block everything else
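The suggestion above written as RouterOS filter rules. This is an added example, not taken from the manual; the interface name ether1 (assumed to be the public interface) and the chain name icmp-in are assumptions.

```routeros
# Added example. "ether1" is an assumed name for the public (WAN) interface;
# "icmp-in" is an arbitrary name for the user-defined chain.
/ip firewall filter

# Send ICMP arriving on the public interface to a dedicated chain, both for
# traffic addressed to the router (input) and for routed traffic (forward).
add chain=input in-interface=ether1 protocol=icmp action=jump jump-target=icmp-in
add chain=forward in-interface=ether1 protocol=icmp action=jump jump-target=icmp-in

# Ping: accept replies to echo requests that were sent outbound.
add chain=icmp-in protocol=icmp icmp-options=0:0 action=accept comment="echo reply"

# Traceroute: accept the two message types returned along the path.
add chain=icmp-in protocol=icmp icmp-options=11:0 action=accept comment="TTL exceeded"
add chain=icmp-in protocol=icmp icmp-options=3:3 action=accept comment="port unreachable"

# Path MTU discovery.
add chain=icmp-in protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed, DF set"

# Block everything else, including inbound echo requests (8:0).
add chain=icmp-in action=drop comment="drop all other inbound ICMP"
```

Outbound echo requests are not matched by these rules, because both jump rules only match packets arriving on ether1. Rule order matters: the final drop must stay last in the icmp-in chain.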
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.