Allied Telesis AT-WR4500 manual General Firewall Information

9.3.6 General Firewall Information

Description

ICMP TYPE:CODE values

In order to protect your router and attached private networks, you need to configure firewall to drop or reject most of ICMP traffic. However, some ICMP packets are vital to maintain network reliability or provide troubleshooting services.

The following is a list of ICMP TYPE:CODE values found in good packets. It is generally suggested to allow these types of ICMP traffic.

•Ping

8:0 - echo request 0:0 - echo reply

•Trace

11:0 - TTL exceeded 3:3 - Port unreachable

•Path MTU discovery

3:4 - Fragmentation-DF-Set General suggestion to apply ICMP filtering:

•Allow ping—ICMP Echo-Request outbound and Echo-Reply messages inbound

•Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound

•Allow path MTU—ICMP Fragmentation-DF-Set messages inbound

•Block everything else

Type of Service

Internet paths vary in quality of service they provide. They can differ in cost, reliability, delay and throughput. This situation imposes some tradeoffs, exempli gratia the path with the lowest delay may be among the ones with the smallest throughput. Therefore, the "optimal" path for a packet to follow through the Internet may depend on the needs of the application and its user.

As the network itself has no knowledge on how to optimize path choosing for a particular application or user, the IP protocol provides a method for upper layer protocols to convey hints to the Internet Layer about how the tradeoffs should be made for the particular packet. This method is implemented with the help of a special field in the IP protocol header, the "Type of Service" field.

The fundamental rule is that if a host makes appropriate use of the TOS facility, its network service should be at least as good as it would have been if the host had not used this facility.

Type of Service (ToS) is a standard field of IP packet and it is used by many network applications and hardware to specify how the traffic should be treated by the gateway.

RouterOS works with the full ToS byte. It does not take account of reserverd bits in this byte (because they have been redefined many times and this approach provides more flexibility). It means that it is possible to work with DiffServ marks (Differentiated Services Codepoint, DSCP as defined in RFC2474) and ECN codepoints (Explicit Congestion Notification, ECN as defined in RFC3168), which are using the same field in the IP protocol header. Note that it does not mean that RouterOS supports DiffServ or ECN, it is just possible to access and change the marks used by these protocols.

RFC1349 defines these standard values:

•normal - normal service (ToS=0)

•low-cost- minimize monetary cost (ToS=2)

•max-reliability- maximize reliability (ToS=4)

•max-throughput- maximize throughput (ToS=8)

•low-delay- minimize delay (ToS=16)

Peer-to-Peer protocol filtering

Peer-to-peer protocols also known as p2p provide means for direct distributed data transfer between individual network hosts. While this technology powers many brilliant applications (like Skype), it is