Note: This topic applies to the Kenilworth Release.
You can enable additional networking features in the Smoothwall to tighten network security.
|1.||Go to Network > Settings > Advanced.|
|2.||Locate the relevant feature, and configure the appropriate settings:|
You can configure the Smoothwall to block and ignore the following types of traffic:
|||ICMP ping broadcast — Internet Control Message Protocol (ICMP) ping broadcasts are used to determine to determine the status of network devices. It can be used as a denial of service (DoS) attack.|
Select this option to prevent the Smoothwall from responding to ping broadcast messages from all network zones, including external zones.
Select this option to block all ICMP ping requests going to the Smoothwall.
This effectively hides the Smoothwall from ICMP pings, but can also make connectivity problems harder to diagnose.
Select this option to block all ICMP timestamp requests going to the Smoothwall.
|||IGMP packets — Internet Group Management Protocol (IGMP) is used to establish multicast group membership. Typically, IGMP packets are harmless, and are most commonly observed when using cable modems to provide external connectivity.|
Select this option to ignore all IGMP packets without generating log entries.
Select this option to block all multicast traffic on address 126.96.36.199 from ISPs, and prevent them from generating large volumes of spurious log entries.
|||SYN+FIN packets — Typically SYN and FIN scans generate large numbers of log entries.|
Select this option to automatically discard packets used in SYN+FIN scans.
You can enable the following networking features in the Smoothwall:
|||SYN cookies — The use of SYN cookies is a standard defence mechanism against a SYN flood attack, where a large number of SYN packets (connection requests) are sent to a machine as a DoS attack.|
Select this option to defend against SYN flood attacks.
|||TCP timestamps (RFC1323)|
Select this option to enable TCP timestamps to improve TCP performance in high speed links.
|||Selective ACKs (RFC2018)|
Select this option to enable selective ACKs (acknowledgements) to improve TCP performance in links where packet loss is high.
Select this option to enable TCP window scaling to improve TCP performance in high speed links.
|||ECN — Explicit Congestion Notification (ECN) is a mechanism for avoiding network congestion. While effective, ECN requires communicating hosts to support it and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.|
Select this option to enable ECN.
|||ARP filter — The Address Resolution Protocol (ARP) filter filters out ARP flux.|
Select this option to enable the ARP filter.
You can change the maximum number of remembered hosts in the ARP table if the number of directly connected machines, or IP addresses, is more then the value shown in the drop-down box.
Directly connected machines are those which are not behind a intermediate router but are instead directly attached to one of the Smoothwall's network interfaces.
Typically, the default value of 2048 is adequate, but in very big networks, select a bigger value.
Valid table sizes are:
Information about all connections known to the system is stored in the connection tracking table, including NAT-ed sessions, and traffic passing through the firewall.
During operation, the table is automatically scaled to an appropriate size within a specified limit, according to the number of active connections and their collective memory requirements.
Occasionally, the default maximum number of connections to track, which is set according to the amount of memory, is insufficient. Configure a large table size in the space provided.
You can change the maximum number of requests in a queue, waiting to be answered. Increasing the value may reduce connection problems for an extremely busy proxy service.
Valid queue sizes are:
|||8192 — This is the default request queue size|
You can choose to create verbose traffic logs for the purpose of analyzing incoming, outgoing, and forwarded traffic:
|||Direct incoming traffic|
Select to logs all new connections to all interfaces that are destined for the firewall.
Select to log all new connections passing through one interface to another.
|||Direct outgoing traffic|
Select to log all new connections from any interface.
Note: Typically, traffic auditing generates large amounts of data. You must ensure there is sufficient disk space in the Smoothwall before enabling this — see Managing Datastore Log Retention.
You can view traffic audit logs from Reports > Logs > Firewall — see Viewing Firewall Logs
Network application helpers enable specified traffic to pass through the firewall correctly.
It is recommended you enable the relevant network application helper if you use any of the following protocols:
|||FTP — IP information is embedded within File Transfer Protocol (FTP) traffic. This application helper ensures that FTP active mode client connections are not adversely affected by the firewall.|
|||H.323 — This application helper enables pass-through of H.323 traffic, a common protocol used in voice over IP (VoIP) applications. It is also possible to receive incoming H.323 calls through the use of a port forward on the H.323 port.|
This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. It is recommended you only enable this feature if you require VoIP functionality.
|||IRC — IP information is embedded within Internet Relay Chat (IRC) traffic. This application helper ensures that IRC communication is not adversely affected by the firewall.|
|||Advanced PPTP client support — This application helper enables Point-to-Point Tunneling protocol (PPTP) client traffic. This is the protocol used in standard Windows VPNs.|
When disabled, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used.
When enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
|||SIP — IP information is embedded within Session Initiation Protocol (SIP) traffic. This application helper ensures that SIP communications are not adversely affected by the firewall.|
Typically, bad external traffic are those network packets requesting services or ports not supported by the Network > Firewall > Smoothwall access page — see Configuring Smoothwall Access Rules. Such traffic is rejected, and a "no one here" ICMP message is bounced back to the sender.
All such traffic is logged to the Firewall log — see Viewing Firewall Logs.
You can choose to do the following to bad external traffic:
|||Reject — The Smoothwall notifies the sender when bad external traffic is rejected.|
|||Drop — The Smoothwall silently drops bad external traffic, enabling you to “stealth” your firewall, making port scans, and so on, much harder to do.|
A network packet with a connection tracking state of
INVALID is rejected by the Smoothwall for any number of reasons, including:
|||The Smoothwall not being aware of the connection when it was started|
|||The Smoothwall not seeing any packets from this connection in some time|
You can choose to log these rejections to the Firewall log (see Viewing Firewall Logs)
|3.||Click Save changes.|