̈ Chapter 8: Firewall LANCOM Reference Manual LCOS 3.50
123
Firewall
̈ Route: Fragmented packets are passed on without any further checking
by the Firewall, as long as permitted by valid filter settings.
̈ Re-assemble: Fragmented packets are buffered and re-assembled to
complete IP packets. The re-assembled packets will then be checked and
treated according to the valid filter settings.
Session recovery
The Firewall enters all actual permitted connections into the connection list.
Entries disappear automatically from the connection list after a certain time
(timeout), when no data has been transmitted over this connection any more
re-triggering the timeout.
Sometimes connections are ended according to the general TCP aging set-
tings, before data packets requested by an inquiry have been received by the
remote station. In this case perhaps an entry for a permitted connection still
exists in the connection list, but the connection itself is no more existing.
The parameter “Session recovery” determines the behaviour of the Firewall for
packets that indicate a former connection:
̈ Always denied: The Firewall re-establishes the session under no circum-
stances and discards the packet.
̈ Denied for default route: The Firewall re-establishes the session only if
the packet wasn’t received via the default route (e.g. Internet).
̈ Denied for WAN: The Firewall re-establishes the session only if the
packet wasn’t received over one of the WAN interfaces.
̈ Always allowed: The Firewall re-establishes the connection in principle
if the packet belongs to a former connection of the connection list.
Ping blocking
One - not undisputed - method to increase security is hiding the router. Based
loosely on the method: “Who doesn’t see me neither tries to attack me...”.
Many attacks begin with the searching for workstations and/or open ports by
actual harmless inquiries, e. g. with the help of the “ping” command or with
a portscan. Each answer to these inquiries, even the answer “I’m not here”
indicates to the attacker that he has found a potential destination. Because
anybody who answers must be existing, too. In order to prevent this conclu-
sion, the LANCOM is able to suppress the answers to these inquiries.
In order to achieve this, the LANCOM can be instructed not to answer ICMP
echo requests any more. At the same time TTL-exceeded messages of a "trace