Chapter 8: Firewall LANCOM Reference Manual LCOS 3.50
ICMP connections
For ICMP two cases must be differentiated: the ICMP request/reply connections, as used by "ping", and the ICMP error messages, which can be received as an answer to any IP packet.
ICMP request/reply connections can be clearly assigned by the identifier used by the initiator, i.e. when an ICMP request is sent, an entry is created in the status database which lets through only ICMP replies with the correct identifier. All other ICMP replies are discarded silently.
ICMP error messages carry the IP header and the first 8 bytes of the offending IP packet (i.e. the UDP or TCP header) inside the ICMP packet. With the help of this information, the receipt of an ICMP error message automatically triggers a search for the corresponding entry in the status database. The packet passes only if such an entry exists; otherwise it is discarded silently. Additionally, potentially dangerous ICMP error messages (redirect route) are filtered out.
Connections of other protocols
For all other protocols no related connections can be tracked, i.e. for them only a connection between the involved hosts can appear in the status database. These connections can also be initiated from one side only, unless a dedicated entry for the "opposite direction" exists in the port filter Firewall.
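The following is an added illustration, not code from the LANCOM manual or LCOS itself: a minimal model of the status-database lookup described above. The state set, the addresses and the packets are constructed for the example; replies are matched on the echo identifier, error messages are matched via the embedded IP header plus the first 8 bytes of the transport header, and redirects are always dropped.

```python
import struct
from ipaddress import ip_address

# ICMP types (RFC 792); error types carry the offending IP header + 8 bytes
ECHO_REPLY, REDIRECT = 0, 5
ERROR_TYPES = {3, 4, 11, 12}   # dest unreachable, source quench, time exceeded, param problem
L4_NAMES = {6: "tcp", 17: "udp"}

def ip_hdr(src, dst, proto, ihl=5):
    """Constructed minimal IPv4 header (checksum left 0) used as the embedded header."""
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + 8, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)

def icmp_allowed(state, outer_src, outer_dst, icmp):
    """Return True if the inbound ICMP packet matches an entry in the status database.

    state holds tuples written when the initiator sent its packet:
      ("icmp", initiator, target, identifier)        for echo requests
      ("tcp"|"udp", initiator, target, sport, dport) for TCP/UDP flows
      (str(proto), initiator, target)                for other protocols (host pair only)
    """
    itype = icmp[0]
    if itype == ECHO_REPLY:
        ident = struct.unpack("!H", icmp[4:6])[0]
        # reply is addressed to the initiator (outer_dst); only the right identifier passes
        return ("icmp", outer_dst, outer_src, ident) in state
    if itype == REDIRECT or itype not in ERROR_TYPES:
        return False              # redirects are dropped outright; unknown types too
    inner = icmp[8:]              # embedded IP header + first 8 bytes of its payload
    if len(inner) < 20:
        return False
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    isrc, idst = str(ip_address(inner[12:16])), str(ip_address(inner[16:20]))
    l4 = inner[ihl:ihl + 8]
    # the quoted packet must have been sent by the host the error is delivered to
    if len(l4) < 8 or isrc != outer_dst:
        return False
    if proto in L4_NAMES:
        sport, dport = struct.unpack("!HH", l4[:4])   # same offsets for TCP and UDP
        key = (L4_NAMES[proto], isrc, idst, sport, dport)
    elif proto == 1:
        key = ("icmp", isrc, idst, struct.unpack("!H", l4[4:6])[0])
    else:
        key = (str(proto), isrc, idst)
    return key in state
```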
8.3.3 General settings of the Firewall
Apart from individual Firewall rules, which ensure the entries in the filter, connection and block lists, some settings apply generally to the Firewall:
• Firewall/QoS enabled
• Default VPN rules (→page 122)
• Administrator email (→page 122)
• Fragments (→page 122)
• Re-establishing of the session (→page 123)
• Ping blocking (→page 123)
• Stealth mode (→page 124)
• Mask authentication port (→page 124)
Firewall/QoS enabled
This option switches the entire Firewall on or off, including the Quality of Service functions.