Allied Telesis AT-WR4500 Network Router User Manual


 
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers 215
RouterOS v3 Configuration and User Guide
9.3.6 General Firewall Information
Description
ICMP TYPE:CODE values
In order to protect your router and attached private networks, you need to configure the firewall to drop or
reject most ICMP traffic. However, some ICMP packets are vital to maintaining network reliability or
provide troubleshooting services.
The following is a list of ICMP TYPE:CODE values found in legitimate packets. It is generally suggested to
allow these types of ICMP traffic.
Ping
8:0 - echo request
0:0 - echo reply
Trace
11:0 - TTL exceeded
3:3 - Port unreachable
Path MTU discovery
3:4 - Fragmentation-DF-Set
General suggestion to apply ICMP filtering:
Allow ping—ICMP Echo-Request outbound and Echo-Reply messages inbound
Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound
Allow path MTU—ICMP Fragmentation-DF-Set messages inbound
Block everything else
Type of Service
Internet paths vary in the quality of service they provide. They can differ in cost, reliability, delay and
throughput. This situation imposes some tradeoffs; for example, the path with the lowest delay may be
among the ones with the smallest throughput. Therefore, the "optimal" path for a packet to follow
through the Internet may depend on the needs of the application and its user.
As the network itself has no knowledge of how to optimize path selection for a particular application or
user, the IP protocol provides a method for upper-layer protocols to convey hints to the Internet Layer
about how the tradeoffs should be made for a particular packet. This method is implemented with the
help of a special field in the IP header, the "Type of Service" field.
The fundamental rule is that if a host makes appropriate use of the TOS facility, its network service
should be at least as good as it would have been if the host had not used this facility.
Type of Service (ToS) is a standard field of the IP packet header, and it is used by many network applications
and hardware devices to specify how the traffic should be treated by the gateway.
RouterOS works with the full ToS byte. It does not take account of the reserved bits in this byte (because
they have been redefined many times, and this approach provides more flexibility). This means that it is
possible to work with DiffServ marks (Differentiated Services Codepoint, DSCP, as defined in RFC2474)
and ECN codepoints (Explicit Congestion Notification, ECN, as defined in RFC3168), which use the
same field in the IP protocol header. Note that this does not mean that RouterOS supports DiffServ or
ECN; it is just possible to access and change the marks used by these protocols.
RFC1349 defines these standard values:
normal - normal service (ToS=0)
low-cost - minimize monetary cost (ToS=2)
max-reliability - maximize reliability (ToS=4)
max-throughput - maximize throughput (ToS=8)
low-delay - minimize delay (ToS=16)
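Because RouterOS matches on the whole ToS byte, the same value can be read three ways: as the RFC1349 values listed above, as a DSCP codepoint, or as an ECN codepoint. The following added example (not RouterOS code, and not from this manual; the function names are assumed) decodes one byte under all three interpretations, which is what a firewall rule matching on ToS will actually see.

```python
# Added example (not from the manual): decode one IP ToS byte under the three
# overlapping interpretations the text describes: RFC 1349 precedence/TOS bits,
# the RFC 2474 DSCP field, and the RFC 3168 ECN field. RouterOS matches on the
# full byte, so a mark written by one scheme is visible (and matchable) under
# the others.

# RFC 1349 names as RouterOS lists them (values are whole-byte ToS values).
RFC1349_TOS = {
    0x00: "normal",
    0x02: "low-cost",
    0x04: "max-reliability",
    0x08: "max-throughput",
    0x10: "low-delay",
}

ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def decode_tos(tos: int) -> dict:
    """Return every view of a ToS byte: RFC 1349, DSCP and ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single byte")
    precedence = tos >> 5                 # bits 7..5 (RFC 791 precedence)
    tos_bits = tos & 0x1E                 # bits 4..1 (RFC 1349 TOS field)
    mbz = tos & 0x01                      # bit 0, "must be zero" in RFC 1349
    # RFC 1349 allows only one TOS bit set; report combinations anyway.
    flags = [name for val, name in RFC1349_TOS.items() if val and tos_bits & val]
    return {
        "precedence": precedence,
        "rfc1349": flags or ["normal"],
        "mbz": mbz,
        "dscp": tos >> 2,                 # RFC 2474: high six bits
        "ecn": ECN_NAMES[tos & 0x03],     # RFC 3168: low two bits
    }


def tos_for_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS byte that a DSCP/ECN pair occupies."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4):
        raise ValueError("dscp must be 0..63, ecn 0..3")
    return (dscp << 2) | ecn


if __name__ == "__main__":
    # low-delay (16), DSCP EF (46 -> 0xB8), and an ECN CE mark on DSCP 0
    for tos in (16, tos_for_dscp(46), tos_for_dscp(0, 3)):
        print(f"ToS {tos:#04x}: {decode_tos(tos)}")
```

Note that an ECN CE mark (ToS byte 3) reads as "low-cost" with the must-be-zero bit set under RFC1349, and DSCP EF (ToS byte 0xB8) reads as precedence 5 with both low-delay and max-throughput set; rules written against one scheme therefore match traffic marked by another.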
Peer-to-Peer protocol filtering
Peer-to-peer protocols, also known as P2P, provide means for direct distributed data transfer between
individual network hosts. While this technology powers many brilliant applications (like Skype), it is