Tcprf, Tcpnull, Tcpsequencenumbers – D-Link DFL-2500 User Manual


Specifies how NetDefendOS will deal with TCP packets with either the Xmas or Ymas flag turned
on. These flags are currently mostly used by OS Fingerprinting.

Note: an upcoming standard called Explicit Congestion Notification also makes use of these TCP
flags, but as long as there are only a few operating systems supporting this standard, the flags should
be stripped.

Default: StripLog

TCPRF

Specifies how NetDefendOS will deal with information present in the "reserved field" in the TCP
header, which should normally be 0. This field is not the same as the Xmas and Ymas flags. It is used
by OS Fingerprinting.

Default: DropLog

TCPNULL

Specifies how NetDefendOS will deal with TCP packets that do not have any of the SYN, ACK,
FIN or RST flags turned on. According to the TCP standard, such packets are illegal and are used by
both OS Fingerprinting and stealth port scanners, as some firewalls are unable to detect them.

Default: DropLog

TCPSequenceNumbers

This setting determines whether the sequence number range occupied by a TCP segment is compared
to the receive window announced by the receiving peer before the segment is forwarded. If the
setting is ValidateLogBad or ValidateSilent, segments that do not fall within the receive window
announced by the receiving peer will be dropped. If the setting is ValidateLogBad, such drops
will also be logged.

TCP sequence number validation is only possible on connections tracked by the state-engine (not on
packets forwarded using a FwdFast rule).

Default: ValidateLogBad
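The four checks above (Xmas/Ymas stripping, TCPRF, TCPNULL and TCPSequenceNumbers) are simple enough to implement in a few lines, and doing so makes clear what each default action actually examines in the header. The following is an added illustration written for this page, not code from the manual or from NetDefendOS. It assumes that the "Xmas" and "Ymas" flags are the two ECN bits (ECE and CWR) in the TCP flags byte, which is consistent with the note about Explicit Congestion Notification, and that the "reserved field" is the four bits between the data offset and the flags byte; both are assumptions about how the product names map to header bits. The headers fed to it are constructed in the script, and ports and checksums are placeholders.

```python
import struct
from dataclasses import dataclass

# Flag bits in TCP header byte 13 (RFC 793, ECN bits from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
# Assumption: NetDefendOS "Xmas"/"Ymas" correspond to the two ECN bits.
XMAS_YMAS = ECE | CWR
MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass
class TcpHeader:
    seq: int
    flags: int
    reserved: int     # assumption: the 4 bits between data offset and flags byte
    data_offset: int  # header length in bytes


def parse_tcp_header(raw: bytes) -> TcpHeader:
    """Decode the fixed 20-byte TCP header; options are ignored here."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    _sp, _dp, seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return TcpHeader(seq=seq, flags=flags, reserved=off_res & 0x0F, data_offset=(off_res >> 4) * 4)


def check_tcp_flags(hdr: TcpHeader):
    """Apply TCPRF (DropLog), TCPNULL (DropLog) and Xmas/Ymas (StripLog) with the
    manual's default actions. Returns (action, log lines, flags to forward)."""
    log = []
    if hdr.reserved != 0:                           # TCPRF: reserved bits must be 0
        log.append(f"TCPRF: reserved field 0x{hdr.reserved:x} is non-zero")
        return "drop", log, hdr.flags
    if hdr.flags & (SYN | ACK | FIN | RST) == 0:    # TCPNULL: none of the mandatory flags
        log.append("TCPNULL: no SYN/ACK/FIN/RST flag set")
        return "drop", log, hdr.flags
    flags = hdr.flags
    if flags & XMAS_YMAS:                           # Xmas/Ymas: strip the bits, log, forward
        log.append(f"TCPXmas/Ymas: stripping flags 0x{flags & XMAS_YMAS:02x}")
        flags &= ~XMAS_YMAS
    return "forward", log, flags


def in_window(x: int, lo: int, size: int) -> bool:
    """True if sequence number x lies in [lo, lo + size) on the modular sequence space."""
    return (x - lo) % MOD < size


def seq_acceptable(seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 segment acceptability test: some byte of the segment must fall inside
    the receiver's announced window [rcv_nxt, rcv_nxt + rcv_wnd)."""
    if seg_len == 0:
        return seq == rcv_nxt if rcv_wnd == 0 else in_window(seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False
    return in_window(seq, rcv_nxt, rcv_wnd) or in_window(seq + seg_len - 1, rcv_nxt, rcv_wnd)


def validate_sequence(hdr: TcpHeader, payload_len: int, rcv_nxt: int, rcv_wnd: int,
                      mode: str = "ValidateLogBad"):
    """TCPSequenceNumbers check for a state-tracked connection. SYN and FIN each occupy
    one sequence number. Returns (action, log lines)."""
    seg_len = payload_len + bool(hdr.flags & SYN) + bool(hdr.flags & FIN)
    if seq_acceptable(hdr.seq, seg_len, rcv_nxt, rcv_wnd):
        return "forward", []
    log = []
    if mode == "ValidateLogBad":
        log.append(f"TCPSequenceNumbers: seq {hdr.seq} len {seg_len} outside window "
                   f"[{rcv_nxt}, {(rcv_nxt + rcv_wnd) % MOD})")
    return "drop", log


def build_tcp_header(seq: int, flags: int, reserved: int = 0, window: int = 65535) -> bytes:
    """Constructed sample header; ports and checksum are placeholders."""
    off_res = (5 << 4) | (reserved & 0x0F)
    return struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, off_res, flags, window, 0, 0)


if __name__ == "__main__":
    for name, raw in [("null scan probe", build_tcp_header(1000, 0)),
                      ("reserved bits set", build_tcp_header(1000, SYN, reserved=0x2)),
                      ("ECN-capable SYN", build_tcp_header(1000, SYN | ECE | CWR)),
                      ("plain ACK", build_tcp_header(1000, ACK))]:
        print(name, check_tcp_flags(parse_tcp_header(raw)))
    # Window wrapping around 2^32: the segment at 0xFFFFFFF0 is inside, the one at 5000 is not.
    print(validate_sequence(parse_tcp_header(build_tcp_header(0xFFFFFFF0, ACK)), 100, 0xFFFFFF00, 1024))
    print(validate_sequence(parse_tcp_header(build_tcp_header(5000, ACK)), 100, 0xFFFFFF00, 1024))
```

The sequence test uses modular distance rather than plain comparison so that it stays correct when the window straddles the 2^32 wrap, which is exactly where naive implementations of this check misjudge legitimate segments.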

Chapter 13. Advanced Settings

310