
Tip: specifying source ports – Amer Networks E5Web GUI User Manual


Single Port

For many services, a single destination port is sufficient. For
example, HTTP usually uses destination port 80. The SMTP
protocol uses port 25 and so on. For these types of service,
the single port number is simply specified in the service
definition as a single number.

Port Ranges

Some services use a range of destination ports. As an example, the NetBIOS protocol used by Microsoft Windows™ uses destination ports 137 to 139.

To define a range of ports in a TCP/UDP service object, the
format mmm-nnn is used. A port range is inclusive, meaning
that a range specified as 137-139 covers ports 137, 138 and
139.

Multiple Ports and Port Ranges

Multiple ranges or individual ports may also be entered,
separated by commas. This provides the ability to cover a
wide range of ports using only a single TCP/UDP service
object.

For example, all Microsoft Windows networking can be
covered using a port definition specified as 135-139,445.
HTTP and HTTPS can be covered by specifying destination
ports 80,443.

Tip: Specifying source ports

It is usual with many services that the source ports are left at their default value, which is
the range 0-65535 (corresponding to all possible source ports).

With certain applications, it can be useful to also specify the source port if this is always
within a limited range of values. Making the service definition as narrow as possible is
the recommended approach.
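The port syntax described in the sections above (single numbers, inclusive mmm-nnn ranges, comma-separated lists, and the 0-65535 default for source ports) is easy to get subtly wrong, for instance by treating a range as exclusive or accepting a reversed range. The following added example, which is not code from the manual or from cOS Core, parses such a definition, rejects malformed entries, and reports how many ports a definition covers so that an administrator can check how narrow a service object really is:

```python
# Added example: parse the "mmm-nnn,ppp" port-definition syntax described
# above and test ports against it. Illustrative code only; not part of
# cOS Core or the E5Web GUI.
from typing import List, Tuple

PORT_MIN, PORT_MAX = 0, 65535
ALL_PORTS = "0-65535"  # the default source-port setting mentioned in the tip


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn a definition such as "135-139,445" into inclusive (low, high) pairs.

    Malformed, reversed or out-of-range entries raise ValueError, so a bad
    definition is rejected rather than silently widened or narrowed.
    """
    ranges = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError(f"empty entry in port definition {spec!r}")
        low_s, sep, high_s = entry.partition("-")
        if not low_s.isdigit() or (sep and not high_s.isdigit()):
            raise ValueError(f"invalid port entry {entry!r}")
        low = int(low_s)
        high = int(high_s) if sep else low  # single port: low == high
        if not (PORT_MIN <= low <= high <= PORT_MAX):
            raise ValueError(
                f"port entry {entry!r} is reversed or outside {PORT_MIN}-{PORT_MAX}"
            )
        ranges.append((low, high))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    """True if `port` falls inside any entry of the definition (ranges are inclusive)."""
    return any(low <= port <= high for low, high in parse_ports(spec))


def port_count(spec: str) -> int:
    """Number of ports a definition covers; a simple measure of how narrow the service is."""
    return sum(high - low + 1 for low, high in parse_ports(spec))


if __name__ == "__main__":
    # The definitions quoted in the text above, plus the source-port default.
    for spec in ("80", "137-139", "135-139,445", "80,443", ALL_PORTS):
        print(f"{spec:>12}: covers {port_count(spec)} port(s)")
```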

Other Service Properties

Apart from the basic protocol and port information, TCP/UDP service objects also have several
other properties:

SYN Flood Protection

This option allows a TCP-based service to be configured with protection against SYN Flood
attacks. This option only exists for the TCP/IP service type.

For more details on how this feature works see Section 6.6.8, “TCP SYN Flood Attacks”.

Pass ICMP Errors

If an attempt to open a TCP connection is made by a user application behind the Clavister
Security Gateway and the remote server is not in operation, an ICMP error message is
returned as the response. Such ICMP messages are interpreted by cOS Core as new
connections and will be dropped unless an IP rule explicitly allows them.

The Pass returned ICMP error messages from destination option allows such ICMP
messages to be automatically passed back to the requesting application. In some cases, it is
useful that the ICMP messages are not dropped. For example, if an ICMP quench message is

Chapter 3: Fundamentals