TCP-UDP

TCP ensures control of data during its transfer. Its role is to check that the IP packets sent are received in the correct order, with no loss and no alteration of their integrity.

UDP may replace TCP where minor transmission problems are acceptable, as it provides a more fluid transfer since it does not control each stage of the transmission. For example, it is suitable for streaming applications (audio/video broadcast) for which packet loss is not critical. Indeed, during these transmissions, lost packets are simply ignored.

Profiles screen

“IPS-Connection”

Inspection

Impose MSS limit

This option allows you to set an MSS (Maximum Segment Size) limit applied by this inspection profile.

NOTE

MSS refers to the amount of data in bytes that a computer or any other communication device can contain in a single unfragmented packet.


Selecting this option enables the following field, in which you set the limit.

MSS limit (in bytes)

Define your MSS limit, between 100 and 65535 bytes.

Rewrite TCP sequences with strong random values (arc4)

If this option is selected, the TCP sequence numbers generated by the client and server will be overwritten by the Stormshield Network intrusion prevention engine, which replaces them with random sequence numbers.

Enable protection from repeated sending of ACK packets

If this option is selected, you are protecting yourself from session hijacking or “ACK” attacks.

Enable automatic adjustment of memory allocated to data tracking

If this option is selected, you will be allowing the firewall to dynamically adjust the memory allocated to data tracking. The maximum value of dynamically allocated memory is equal to the size of the TCP window divided by the MSS limit. When this checkbox is selected, the maximum value becomes 256.

Protection against denial of service attacks

Maximum number of simultaneous connections for a source host (0 disables protection)

This option allows restricting the number of simultaneous connections for a single source host. When the selected value is 0, no restrictions will be applied.

WARNING

Choosing a number that is too low may prevent certain applications from running or web pages from displaying.

Maximum number of new connections for a source host in the interval defined (0 disables protection)

This option allows restricting the number of new connections initiated by a source host within a defined interval. When the selected value is 0, no restrictions will be applied.

WARNING

Choosing a number that is too low may prevent certain applications from running or web pages from displaying.

Interval during which new connections are limited

Define the reference interval to calculate the number of new connections allowed for each source host. This value has to be between 1 and 3600 seconds.
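The following model of the two per-source-host limits above is an added illustration and not Stormshield's own code: it enforces the simultaneous-connection cap, the new-connection cap over a sliding interval (validated against the 1 to 3600 second range), and treats a value of 0 as "protection disabled", exactly as the screen describes. Host addresses and timestamps in the demo are constructed sample values.

```python
from collections import defaultdict, deque


class SourceHostLimiter:
    """Hypothetical model of the per-source-host DoS limits on the profile screen.

    max_simultaneous: cap on open connections per source host (0 = disabled).
    max_new:          cap on new connections per source host per interval (0 = disabled).
    interval:         reference window in seconds, must be between 1 and 3600.
    """

    def __init__(self, max_simultaneous=0, max_new=0, interval=60):
        if not 1 <= interval <= 3600:
            raise ValueError("interval must be between 1 and 3600 seconds")
        self.max_simultaneous = max_simultaneous
        self.max_new = max_new
        self.interval = interval
        self.open = defaultdict(int)        # src host -> currently open connections
        self.recent = defaultdict(deque)    # src host -> timestamps of new connections

    def _prune(self, src, now):
        # Drop timestamps that have left the sliding interval.
        q = self.recent[src]
        while q and now - q[0] >= self.interval:
            q.popleft()

    def new_connection(self, src, now):
        """Return True if a new connection from src at time `now` is accepted."""
        self._prune(src, now)
        if self.max_simultaneous and self.open[src] >= self.max_simultaneous:
            return False  # too many open connections for this host
        if self.max_new and len(self.recent[src]) >= self.max_new:
            return False  # too many new connections within the interval
        self.open[src] += 1
        self.recent[src].append(now)
        return True

    def close_connection(self, src):
        if self.open[src] > 0:
            self.open[src] -= 1


def demo():
    # Constructed scenario: 3 simultaneous, 4 new per 10 s window for one host.
    lim = SourceHostLimiter(max_simultaneous=3, max_new=4, interval=10)
    host = "10.0.0.5"
    results = [lim.new_connection(host, t) for t in (0, 1, 2)]  # all accepted
    results.append(lim.new_connection(host, 3))   # refused: 3 already open
    lim.close_connection(host)
    results.append(lim.new_connection(host, 4))   # accepted: 4th new in window
    lim.close_connection(host)
    results.append(lim.new_connection(host, 5))   # refused: 4 new within 10 s
    results.append(lim.new_connection(host, 11))  # accepted: t=0 left the window
    return results
```

Note that a simultaneous-connection refusal does not count as a new connection, so the warning on the screen about values set too low applies to the interplay of both limits.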

Timeout (in seconds)

Connection opening timeout (SYN)

Maximum time, in seconds, allowed to fully establish the TCP connection (SYN / SYN+ACK / ACK). It has to be between 10 and 60 (default value: 20 seconds).

TCP connection

Maximum time, in seconds, the state of an idle connection is kept (default value: 1800 seconds).

UDP connection

Maximum time, in seconds, the state of an idle UDP pseudo-connection is kept. It has to be between 30 and 3600 (default value: 120 seconds).

Connection closing timeout (FIN)

Maximum time, in seconds, allowed for the TCP connection closing phase (FIN+ACK / ACK / FIN+ACK / ACK). This value has to be between 10 and 3600 seconds (default value: 480 seconds).

Closed connections

Number of seconds a closed connection (closed state) is kept in the connection table. It has to be between 10 and 60 seconds (default value: 2 seconds).

Small TCP window

To avoid Denial of Service attacks, this counter determines the lifetime of a connection with a small TCP window (lower than 100 bytes). This counter is reset when the first small window announcement is received.

If no new message is received to increase the window size before this counter expires, the TCP connection will be closed.

Support

Disable the SYN proxy

If this option is selected, you will no longer be protected from “SYN” attacks, as the proxy will no longer filter packets.

We advise you to disable this option for debug purposes only.