Log Checksum Errors
Logs occurrences of IP packets containing erroneous checksums. Normally, this is the result of the packet being damaged during network transport. All network units, both routers and workstations, drop IP packets that contain checksum errors. However, it is highly unlikely for an attack to be based on illegal checksums. Default: Enabled
Log non IPv4/IPv6
Logs occurrences of IP packets that are not IPv4 or IPv6. Default: Enabled
Log Received TTL 0
Logs occurrences of IP packets received with the "Time To Live" (TTL) value set to zero. Under no circumstances should any network unit send packets with a TTL of 0. Default: Enabled
Block 0000 Src
Block 0.0.0.0 as source address. Default: Drop
Block 0 Net
Block 0.* as source addresses. Default: DropLog
Block 127 Net
Block 127.* as source addresses. Default: DropLog
Block Multicast Src
Block multicast source addresses (224.0.0.0 - 255.255.255.255). Default: DropLog
TTL Min
The minimum TTL value accepted on receipt. Default: 3
TTL on Low
Determines the action taken on packets whose TTL falls below the stipulated TTLMin value. Default: DropLog
Multicast TTL on Low
What action to take on multicast TTL values that are too low. Default: DropLog
Default TTL
Indicates which TTL cOS Core is to use when originating a packet. These values are usually between 64 and 255. Default: 255
Layer Size Consistency
Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is consistent with that of other layers. Default: ValidateLogBad
SecuRemoteUDP Compatibility
Allow IP data to contain eight bytes more than the UDP total length field specifies. Checkpoint SecuRemote violates NAT-T drafts. Default: Disabled
IP Option Sizes
Verifies the size of "IP options". These options are small blocks of information that may be added to the end of each IP header. This function checks the size of well-known option types and ensures that no option exceeds the size limit stipulated by the IP header itself. Default: ValidateLogBad
IP Option Source/Return
Indicates whether source routing options are to be permitted. These options allow the sender of the packet to control how the packet is to be routed through each router and firewall. These constitute an enormous security risk. cOS Core never obeys the source routes specified by these options, regardless of this setting. Default: DropLog
IP Options Timestamps
Timestamp options instruct each router and firewall on the packet's route to indicate at what time the packet was forwarded along the route. These options do not occur in normal traffic. Timestamps may also be used to "record" the route a packet has taken from sender to final destination. cOS Core never enters information into these options, regardless of this setting. Default: DropLog
How to handle IP packets that contain a router alert option. Default: ValidateLogBad
IP Options Other
All options other than those specified above. Default: DropLog
Directed Broadcasts
Indicates whether cOS Core will forward packets which are directed to the broadcast address of its directly connected networks. It is possible to achieve this functionality by adding lines to the Rules section, but it is also included here for simplicity's sake. This form of validation is faster than entries in the Rules section since it is more specialized. Default: DropLog
IP Reserved Flag
Indicates what cOS Core will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should read 0. Data in these fields is used by OS fingerprinting. Default: DropLog
Strip DontFragment
Strip the Don't Fragment flag for packets equal to or smaller than the size specified by this setting. Default: 65535 bytes
Multicast Mismatch option
What action to take when Ethernet and IP multicast addresses do not match. Default: DropLog
Min Broadcast TTL option
The shortest IP broadcast Time-To-Live value accepted on receipt. Default: 1
Low Broadcast TTL Action option
What action to take on broadcast TTL values that are too low. Default: DropLog
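The header checks described above can be reproduced offline to see which setting a given packet would trip. The following is an added example, not cOS Core code: `validate_ipv4`, `build` and the sample addresses are hypothetical, the Drop/DropLog/ValidateLogBad actions are not modelled, and "IP Option Sizes" is reduced to the check that no option runs past the IP header.

```python
import ipaddress
import struct

TTL_MIN = 3  # the page's default for "TTL Min"
BLOCKED_SRC = {"Block 0 Net": "0.0.0.0/8", "Block 127 Net": "127.0.0.0/8",
               "Block Multicast Src": "224.0.0.0/3"}  # /3 = 224.0.0.0 - 255.255.255.255
SOURCE_ROUTE = {131, 137}  # LSRR and SSRR option types (RFC 791)

def checksum(header: bytes) -> int:
    """RFC 1071 checksum; evaluates to 0 over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def validate_ipv4(packet: bytes) -> list[str]:
    """Return the names of the settings on this page whose check the packet trips."""
    version = packet[0] >> 4 if packet else 0
    if version != 4:  # IPv6 parsing is outside this example
        return [] if version == 6 else ["Log non IPv4/IPv6"]
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < 20 or not 20 <= ihl <= int.from_bytes(packet[2:4], "big") <= len(packet):
        return ["Layer Size Consistency"]
    flags, ttl, _, _, src = struct.unpack("!HBBH4s", packet[6:16])
    hits = ["Log Checksum Errors"] if checksum(packet[:ihl]) else []
    if ttl < TTL_MIN:
        hits.append("Log Received TTL 0" if ttl == 0 else "TTL on Low")
    addr = ipaddress.ip_address(src)  # 0.0.0.0 is reported under its own setting only
    hits += ["Block 0000 Src"] if int(addr) == 0 else [
        name for name, net in BLOCKED_SRC.items() if addr in ipaddress.ip_network(net)]
    if flags & 0x8000:  # top bit of the flags/fragment word is the reserved flag
        hits.append("IP Reserved Flag")
    i = 20
    while i < ihl and packet[i] != 0:  # option type 0 ends the list
        nop = packet[i] == 1  # NOP is one byte; other options carry a length byte
        size = 1 if nop else packet[i + 1] if i + 1 < ihl else 0
        if (not nop and size < 2) or i + size > ihl:
            hits.append("IP Option Sizes")  # option overruns the header
            break
        if packet[i] in SOURCE_ROUTE:
            hits.append("IP Option Source/Return")
        i += size
    return hits

def build(src, ttl=64, flags=0, options=b""):  # constructed sample header, no payload
    ihl = 5 + len(options) // 4  # options must be padded to a multiple of 4 bytes
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, flags, ttl, 17, 0,
                      ipaddress.ip_address(src).packed, bytes([192, 0, 2, 1])) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
```

For instance, `validate_ipv4(build("127.0.0.1", ttl=2))` reports both the low TTL and the loopback source.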