Synrejectonly, Sendicmpreset, Icmptotcpsession – Compatible Systems 5.4 User Manual

Chapter 8 - IntraGuard Firewall Configuration

SynRejectOnly

This checkbox sets whether the device will limit itself to sending TCP reset
messages only when a TCP packet containing the SYN flag has been rejected.
This can be useful when ICMP redirects are being sent, which could cause
sessions to terminate prematurely. The default is checked.

SendICMPReset

This checkbox sets whether the device will send an ICMP message to the
client when an IP or UDP packet has been rejected. The default is unchecked.

ICMPtoTCPsession

This checkbox sets whether the device will send an ICMP message to the
client when a TCP packet has been rejected. This is in addition to sending a
TCP reset message, if it has been enabled using the SendTCPReset checkbox.
The default is unchecked.

RejectSRCRoute

This checkbox sets whether the device will reject source-routed IP packets.
The default is checked.

MinIPFragLen

This field sets the minimum acceptable length of IP packets. Raising the
minimum packet length can be useful in preventing "frag" attacks, which can
take advantage of the use of partial header information in fragmented packets.
The IntraGuard protects against overlapping fragmentation attacks, even
when the MinIPFragLen is set to the minimum value of 40. Values may range
between 40 and 1,500. The default is 40.
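
The RejectSRCRoute and MinIPFragLen checks can be sketched over raw IPv4 headers as follows. This is an added example, not Compatible Systems code: the function names and sample headers are constructed, and it assumes the length floor is applied only to fragments that have the More Fragments flag set.

```python
import struct

LSRR, SSRR = 131, 137  # IPv4 option types for loose/strict source routing (RFC 791)

def parse_ipv4(pkt):
    """Return (total_len, more_fragments, option_types), or None if malformed."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, _ident, flags_off = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    opts, i = [], 20
    while i < ihl:
        opt = pkt[i]
        if opt == 0:            # End of Option List
            break
        if opt == 1:            # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            return None         # option length runs past the header
        opts.append(opt)
        i += pkt[i + 1]
    return total_len, bool(flags_off & 0x2000), opts

def verdict(pkt, reject_src_route=True, min_ip_frag_len=40):
    """Apply the two checks; parameter names mirror the manual's settings."""
    if not 40 <= min_ip_frag_len <= 1500:
        raise ValueError("MinIPFragLen must be between 40 and 1,500")
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "reject: malformed"
    total_len, more_fragments, opts = hdr
    if reject_src_route and (LSRR in opts or SSRR in opts):
        return "reject: source-routed"
    # Assumption: the floor applies to fragments with More Fragments set,
    # since the final fragment of a datagram can legitimately be short.
    if more_fragments and total_len < min_ip_frag_len:
        return "reject: fragment below MinIPFragLen"
    return "accept"

def build(total_len, flags_off=0, options=b""):
    """Constructed sample header (documentation addresses, checksum left 0)."""
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 1, flags_off,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

LSRR_OPTION = bytes([LSRR, 7, 4, 203, 0, 113, 9, 0])  # one hop plus EOL padding
```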
