Stateful inspection settings, Logconnectionusage, Connreplace – D-Link DFL-2500 User Manual

13.5. Stateful Inspection Settings

LogConnectionUsage

This generates a log message for every packet that passes through a connection that is set up in the
NetDefendOS state-engine. Traffic whose destination is the D-Link Firewall itself, for example
NetDefendOS management traffic, is not subject to this setting.

The log message includes port, service, source/destination IP address and interface. This setting
should only be enabled for diagnostic and testing purposes since it generates unwieldy volumes of
log messages and can also significantly impair throughput performance.

Default: Disabled

ConnReplace

Allows new additions to NetDefendOS’s connection list to replace the oldest connections if there is
no available space.

Default: ReplaceLog

LogOpenFails

In some instances where the Rules section determines that a packet should be allowed through, the
stateful inspection mechanism may subsequently decide that the packet cannot open a new
connection. One example of this is a TCP packet that, although allowed by the Rules section and not
being part of an established connection, has its SYN flag off. Such packets can never open new
connections. In addition, new connections can never be opened by ICMP messages other than ICMP
ECHO (Ping). This setting determines if NetDefendOS is to log the occurrence of such packets.

Default: Enabled

LogReverseOpens

Determines if NetDefendOS logs packets that attempt to open a new connection back through one
that is already open. This only applies to TCP packets with the SYN flag turned on and to ICMP
ECHO packets. In the case of other protocols such as UDP, there is no way of determining whether
the remote peer is attempting to open a new connection.

Default: Enabled

LogStateViolations

Determines if NetDefendOS logs packets that violate the expected state switching diagram of a
connection, for instance, getting TCP FIN packets in response to TCP SYN packets.

Default: Enabled

MaxConnections

Specifies how many connections NetDefendOS may keep open at any one time. Each connection
consumes approximately 150 bytes of RAM. When this setting is dynamic, NetDefendOS will try to
use as many connections as are allowed by the product.

Default:
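The decisions described under LogOpenFails, LogReverseOpens, LogStateViolations, MaxConnections and ConnReplace can be traced in a small model of the state engine. The following is an added Python toy model, not NetDefendOS code; the packet dictionaries, the "SYN_SENT"/"OPEN" states and the choice to drop a reverse open are assumptions of the model.

```python
from collections import OrderedDict

ICMP_ECHO = 8  # ICMP type of an Echo Request (ping)

class StateEngine:
    """Constructed model of the decisions the settings above describe (not NetDefendOS code)."""
    def __init__(self, MaxConnections=3, ConnReplace=True, LogOpenFails=True,
                 LogReverseOpens=True, LogStateViolations=True):
        self.cfg = dict(MaxConnections=MaxConnections, ConnReplace=ConnReplace,
                        LogOpenFails=LogOpenFails, LogReverseOpens=LogReverseOpens,
                        LogStateViolations=LogStateViolations)
        self.conns = OrderedDict()  # (proto, src, dst) -> state; insertion order is age
        self.log = []               # log messages the engine would emit

    @staticmethod
    def is_open_attempt(pkt):
        """True only for a TCP SYN (without ACK) or an ICMP Echo request."""
        if pkt["proto"] == "tcp":
            return bool(pkt.get("syn")) and not pkt.get("ack")
        return pkt["proto"] == "icmp" and pkt.get("type") == ICMP_ECHO

    def _log(self, setting, msg):
        if self.cfg[setting]:
            self.log.append(msg)

    def handle(self, pkt):
        """Packet already allowed by the rule set; return 'forward' or 'drop'."""
        fwd, rev = (pkt["proto"], pkt["src"], pkt["dst"]), (pkt["proto"], pkt["dst"], pkt["src"])
        if fwd in self.conns:
            return "forward"                        # belongs to an open connection
        if rev in self.conns:                       # reply direction of an open connection
            if self.conns[rev] == "SYN_SENT" and pkt.get("fin"):
                self._log("LogStateViolations", f"state_violation {rev}")  # FIN answering a SYN
                return "drop"
            if self.conns[rev] == "SYN_SENT" and pkt.get("syn") and pkt.get("ack"):
                self.conns[rev] = "ESTABLISHED"     # SYN/ACK completes the open
            elif self.is_open_attempt(pkt):         # peer opens back through the connection
                self._log("LogReverseOpens", f"reverse_open {fwd}")
                return "drop"                       # model assumption; UDP cannot reach this branch
            return "forward"
        if pkt["proto"] in ("tcp", "icmp") and not self.is_open_attempt(pkt):
            self._log("LogOpenFails", f"open_fail {fwd}")  # TCP without SYN, ICMP other than Echo
            return "drop"
        if len(self.conns) >= self.cfg["MaxConnections"]:
            if not self.cfg["ConnReplace"]:
                return "drop"
            oldest, _ = self.conns.popitem(last=False)   # evict the oldest entry
            self.log.append(f"conn_replace {oldest}")    # ReplaceLog: replace and log it
        self.conns[fwd] = "SYN_SENT" if pkt["proto"] == "tcp" else "OPEN"
        return "forward"
```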

LogConnections

Specifies how NetDefendOS will log connections:

Chapter 13. Advanced Settings

314