Asus SL1200 User Manual

Page 105


Chapter 9 - Configuring Firewall/NAT Settings


Field: Sequence Number Out of Range Check

Description: Check or uncheck this option to enable or disable protection against TCP out-of-range sequence number attacks. An attacker can send a TCP packet to cause an intrusion detection system (IDS) to become unsynchronized with the data in a connection. Subsequent frames sent in that connection may then be ignored by the IDS. This may indicate an unsuccessful attempt to hijack a TCP session.

Field: ICMP Verbose

Description: Check or uncheck this option to enable or disable protection against ICMP error message attacks. ICMP messages can be used to flood your network with undesired traffic. By default, this option is enabled.

Field: Maximum IP Fragment Count

Description: Enter the maximum number of fragments the Firewall should allow for every IP packet. This option is required if your connection to the ISP is through PPPoE. This data is used during transmission or reception of IP fragments. When large packets are sent via the router, the packets are chopped into fragments as large as the MTU (Maximum Transmission Unit). By default, this number is set to 45. If the MTU of the interface is 1500 (the default for Ethernet), then there can be a maximum of 45 fragments per IP packet. If the MTU is smaller, there can be more fragments per packet and this number should be increased.

Field: Minimum IP Fragment Size

Description: Enter the minimum size of IP fragments to be allowed through the Firewall. This limit is not enforced on the last fragment of the packet. If the Internet traffic generates many small fragments, this value can be decreased. This situation shows up as heavy packet loss, degraded speed and frequent occurrences of the following log message: "fragment of size less than configured minimum fragment size detected".
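The following Python example is added here and is not part of the ASUS manual. It computes how many fragments a maximum-size IPv4 packet needs at a given MTU (which is where the figure of 45 at MTU 1500 comes from) and applies the two limits described above to constructed fragment lists. The 20-byte header without options, the 512-byte minimum and the sample fragment sizes are assumptions.

```python
# Added example: sizing the Maximum IP Fragment Count and Minimum IP Fragment
# Size settings. Assumptions (not from the manual): 20-byte IPv4 header
# without options; fragment sizes are full datagram lengths incl. header.

IP_HEADER = 20          # bytes, IPv4 header without options
MAX_IP_PACKET = 65535   # largest IPv4 datagram (16-bit total length field)


def fragments_needed(mtu, packet_len=MAX_IP_PACKET):
    """Number of fragments a packet of packet_len bytes needs at a given MTU."""
    if packet_len <= mtu:
        return 1
    # Every fragment except the last carries a payload that is a multiple of 8.
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    payload = packet_len - IP_HEADER
    return -(-payload // per_fragment)  # ceiling division


def check_fragments(sizes, max_count, min_size):
    """Apply both limits to the fragment sizes of one packet, in order.

    Returns a list of violation strings; an empty list means the packet passes.
    """
    problems = []
    if len(sizes) > max_count:
        problems.append(f"{len(sizes)} fragments exceed maximum count {max_count}")
    # The minimum size is not enforced on the last fragment.
    for index, size in enumerate(sizes[:-1]):
        if size < min_size:
            problems.append(
                f"fragment {index} of size {size} is below minimum {min_size}")
    return problems


if __name__ == "__main__":
    for mtu in (1500, 1492, 576):   # Ethernet, common PPPoE value, small-MTU link
        print(f"MTU {mtu}: up to {fragments_needed(mtu)} fragments per packet")
    # Constructed sample: a 4000-byte packet split at MTU 1500.
    print(check_fragments([1500, 1500, 1040], max_count=45, min_size=512))
    # Constructed sample: 50 tiny fragments followed by a short last one.
    for line in check_fragments([68] * 50 + [40], max_count=45, min_size=512)[:2]:
        print(line)
```

A link with a much smaller MTU, such as 576, needs a noticeably higher fragment count than 45 before full-size packets can pass.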
