9 firewall diagnosis – Lancom Systems LCOS 3.50 User Manual

̈

Chapter 8: Firewall

LANCOM Reference Manual LCOS 3.50

151

Fi

rew

a

ll

send at the same time an email to the administrator, then the description of
the object for the action reads as follows:

̈

This description permits traffic (%a) at the beginning. A simple %a at the
beginning of the description is equivalent to a %lp0%a (= accept, if the
limit was exceeded on zero packets, i.e. with the first packet).

̈

If over the current connection now 8 kbit (%lcds8) is transferred in one
second, then all further packets - up to the expiration of the second - will
be silently discarded (%d), thus automatically creating a Traffic Shaping.

̈

If 100 packets for the server (destination address of the connection) arrive
(%lgbs100) in one second, then the remote host (source address) is
locked for 10 minutes (%h10), and an email is sent to the administrator
(%m) .

Similar to the address and service objects of the object table, action objects
can be provided with a name, and can arbitrarily be combined recursively,
whereby the maximum recursion depth is limited to 16. In addition, they can
be entered directly into the action field of the rule table.

When building the actual filter table, action objects get minimized similarly to
the address and service objects to the smallest necessary number, i.e. multiple
definitions of an action get eliminated, and contradictory actions are turned
into the "safest". Thus e.g. %a (accept) and %d (drop) becomes only %d, and
%r

(reject) and %d becomes %r.

8.3.9

Firewall diagnosis

All events, conditions and connections of the Firewall can be logged and
monitored in detail.

The most comfortable inspection is accomplished by displaying the logging
table (see below) with LANmonitor. LANmonitor displays under ’Firewall’ the