LANCOM Reference Manual LCOS 3.50 Chapter 8: Firewall (page 124)
route" are also suppressed, so that the LANCOM cannot be found by either "ping" or "trace route".
Possible settings are:
Off: ICMP answers are not blocked.
Always: ICMP answers are always blocked.
WAN only: ICMP answers are blocked on all WAN connections.
Default route only: ICMP answers are blocked on the default route (usually the Internet).
TCP Stealth mode
Besides ICMP messages, the behaviour of TCP and UDP connections also reveals whether the addressed workstation exists. Depending on the surrounding network, it can be useful to silently discard TCP and UDP packets instead of answering with a TCP RESET or an ICMP "port unreachable" message when no listener exists for the respective port. The desired behaviour can be configured in the LANCOM.
If ports without a listener are hidden, this causes a problem on masked connections, since the "authenticate" (or "ident") service no longer functions properly (or no longer rejects requests correctly). The port in question can therefore be treated separately ('Mask authentication port' → page 124).
Possible settings are:
Off: All ports are closed and TCP packets are answered with a TCP reset.
Always: All ports are hidden and TCP packets are silently discarded.
WAN only: On the WAN side all ports are hidden, on the LAN side they are closed.
Default route only: Ports are hidden on the default route (usually the Internet) and closed on all other routes.
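The interface-dependent decision shared by the ICMP setting above and the TCP Stealth settings, together with the ident timeout that the following section ('Mask authentication port') describes, as an added example in Python that is not part of the LANCOM manual. The interface names, the 30-second mail-server timeout and the sample data are constructed assumptions, and the function names are my own.

```python
# Added example, not part of the LANCOM manual: a model of how the four
# values shared by the ICMP blocking and TCP Stealth settings decide, per
# interface, whether an unsolicited packet gets an answer, and what a
# silently discarded SYN costs a remote mail server's ident lookup.
# Interface names, the ident timeout and all sample data are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Mode(Enum):
    """The four values offered for both settings in the manual."""
    OFF = "Off"
    ALWAYS = "Always"
    WAN_ONLY = "WAN only"
    DEFAULT_ROUTE_ONLY = "Default route only"


@dataclass(frozen=True)
class Interface:
    name: str
    is_wan: bool
    is_default_route: bool


def applies_on(mode: Mode, iface: Interface) -> bool:
    """True if the setting is active on this interface (block ICMP / hide ports)."""
    if mode is Mode.OFF:
        return False
    if mode is Mode.ALWAYS:
        return True
    if mode is Mode.WAN_ONLY:
        return iface.is_wan
    return iface.is_default_route          # Mode.DEFAULT_ROUTE_ONLY


def icmp_echo_answered(mode: Mode, iface: Interface) -> bool:
    """Whether a ping arriving on `iface` gets an echo reply."""
    return not applies_on(mode, iface)


def reply_to_syn(mode: Mode, iface: Interface, port: int,
                 listeners: Set[int]) -> Optional[str]:
    """Answer to a TCP SYN for `port` on `iface`:
    'SYN-ACK' if a listener exists, 'RST' if the port is closed,
    None if the port is hidden and the packet is silently discarded."""
    if port in listeners:
        return "SYN-ACK"
    return None if applies_on(mode, iface) else "RST"


IDENT_PORT = 113            # "auth"/"ident" service, queried by some mail servers
MTA_IDENT_TIMEOUT_S = 30.0  # constructed assumption; the real value is MTA-specific


def ident_lookup_delay(reply: Optional[str],
                       timeout_s: float = MTA_IDENT_TIMEOUT_S) -> float:
    """Seconds a remote mail server waits on its ident query before giving up."""
    if reply == "RST":      # closed port: immediate refusal, no delay
        return 0.0
    if reply is None:       # hidden port: the server waits for its own timeout
        return timeout_s
    raise ValueError("an answered ident query has no lookup delay to model")


if __name__ == "__main__":
    # Constructed sample interfaces: one LAN, one default-route WAN, one other WAN.
    lan = Interface("LAN-1", is_wan=False, is_default_route=False)
    dsl = Interface("INTERNET", is_wan=True, is_default_route=True)
    vpn = Interface("VPN-BRANCH", is_wan=True, is_default_route=False)
    for mode in Mode:
        for iface in (lan, dsl, vpn):
            reply = reply_to_syn(mode, iface, IDENT_PORT, listeners=set())
            delay = ident_lookup_delay(reply)
            print(f"{mode.value:20} {iface.name:12} "
                  f"ping answered={icmp_echo_answered(mode, iface)!s:5} "
                  f"SYN/{IDENT_PORT} -> {reply!s:7} ident delay={delay:.0f}s")
```

Running the block prints one line per setting and interface; the rows for "WAN only" and "Default route only" show the same hidden port answering with a RST on the LAN side (immediate failure) and staying silent on the WAN side (the mail server's query runs into its timeout), which is the delay the next section is about.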
Mask authentication port
When TCP or UDP ports are hidden, the queries that mail servers send to authenticate users can no longer be answered correctly. These queries run into a timeout, and mail delivery is considerably delayed.
Even when TCP Stealth mode is activated, the firewall detects that a station in the LAN intends to establish a connection to a mail server. As a result,