Description
Settings related to the TCP protocol.
Properties
- TCPOptionSizes
- Validity of TCP header option sizes. (Default: ValidateLogBad)
- TCPMSSMin
- Minimum allowed TCP MSS (Maximum Segment Size). (Default: 100)
- TCPMSSOnLow
- How to handle too low MSS values. (Default: DropLog)
- TCPMSSMax
- Maximum allowed TCP MSS (Maximum Segment Size). (Default: 1460)
- TCPMSSVPNMax
- Limits TCP MSS for VPN connections; minimizes fragmentation. (Default: 1400)
- TCPMSSOnHigh
- How to handle too high MSS values. (Default: Adjust)
- TCPMSSLogLevel
- When to log regarding too high TCP MSS, if not logged by "TCP MSS on high". (Default: 7000)
- TCPMSSAutoClamping
- Automatically clamp TCP MSS according to MTU of involved interfaces - in addition to "TCP MSS max". (Default: Yes)
- TCPZeroUnusedACK
- Force unused ACK fields to zero; helps prevent connection spoofing. (Default: Yes)
- TCPZeroUnusedURG
- Force unused URG fields to zero; prevents small information leak. (Default: Yes)
- TCPOPT_WSOPT
- The WSOPT (Window Scale) option (common). (Default: ValidateLogBad)
- TCPOPT_SACK
- The SACK/SACKPERMIT (Selective ACK) options (common). (Default: ValidateLogBad)
- TCPOPT_TSOPT
- The TSOPT (Timestamp) option (common). (Default: ValidateLogBad)
- TCPOPT_ALTCHKREQ
- The ALTCHKREQ (Alternate Checksum Request) option. (Default: StripLog)
- TCPOPT_ALTCHKDATA
- The ALTCHKDATA (Alternate Checksum Data) option. (Default: StripLog)
- TCPOPT_CC
- The CC (Connection Count) option series (semi common). (Default: StripLogBad)
- TCPOPT_OTHER
- How to handle TCP options not specified above. (Default: StripLog)
- TCPSynUrg
- The TCP URG flag together with SYN; normally invalid (strip=strip URG). (Default: DropLog)
- TCPSynPsh
- The TCP PSH flag together with SYN; normally invalid but always used by some IP stacks (strip=strip PSH). (Default: StripSilent)
- TCPSynRst
- The TCP RST flag together with SYN; normally invalid (strip=strip RST). (Default: DropLog)
- TCPSynFin
- The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). (Default: DropLog)
- TCPSynFrag
- Fragmented data together with SYN; not invalid but can be used for DoS attacks. (Default: DropLog)
- TCPSynData
- Payload data together with SYN; not invalid but can be used for DoS attacks. (Default: DropLog)
- TCPFinUrg
- The TCP URG flag together with FIN; normally invalid (strip=strip URG). (Default: DropLog)
- TCPUrg
- The TCP URG flag; many operating systems cannot handle this correctly. (Default: StripLog)
- TCPECN
- The Explicit Congestion Notification (ECN) flags. Previously known as "XMAS"/"YMAS" flags. Also used in OS fingerprinting. (Default: Ignore)
- TCPRF
- The TCP Reserved field: should be zero. Used in OS fingerprinting. Also part of ECN extension. (Default: StripLog)
- TCPNULL
- TCP "NULL" packets without SYN, ACK, FIN or RST; normally invalid, used by scanners. (Default: DropLog)
- TCPSequenceNumbers
- Validation of TCP sequence numbers. (Default: ValidateLogBad)
- TCPAllowReopen
- Allow clients to re-open TCP connections that are in the closed state. (Default: No)
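
As an added illustration (not the product's own code), the Python sketch below shows the kind of check that TCPOptionSizes, TCPMSSMin, TCPMSSMax and TCPMSSVPNMax describe: it walks the option bytes of a SYN segment, rejects malformed option sizes, and applies the MSS limits using the defaults listed above. The function names, verdict strings and sample bytes are constructed for this example, and treating "Adjust" as lowering the MSS to the configured maximum is an assumption.

```python
import struct

# Defaults from the property list: TCPMSSMin, TCPMSSMax, TCPMSSVPNMax.
MSS_MIN, MSS_MAX, MSS_VPN_MAX = 100, 1460, 1400
# Fixed total sizes of common options: MSS, WSOPT, SACKPERMIT, TSOPT.
FIXED_SIZES = {2: 4, 3: 3, 4: 2, 8: 10}

def parse_options(raw):
    """Walk the option bytes; return [(kind, offset, value)], ValueError on bad size."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        size = raw[i + 1] if i + 1 < len(raw) else 0
        if size < 2 or i + size > len(raw) or FIXED_SIZES.get(kind, size) != size:
            raise ValueError(f"option kind {kind} at offset {i}: bad size {size}")
        opts.append((kind, i, raw[i + 2:i + size]))
        i += size
    return opts

def check_mss(raw, vpn=False):
    """Return (verdict, option_bytes) for the option area of a SYN segment."""
    try:
        opts = parse_options(raw)
    except ValueError:
        return "bad-size", raw              # the TCPOptionSizes case
    ceiling = MSS_VPN_MAX if vpn else MSS_MAX
    out = bytearray(raw)
    for kind, off, val in opts:
        if kind != 2:
            continue
        mss = struct.unpack("!H", val)[0]
        if mss < MSS_MIN:
            return "drop", raw              # TCPMSSOnLow default: DropLog
        if mss > ceiling:                   # TCPMSSOnHigh default: Adjust (assumed: lower to ceiling)
            struct.pack_into("!H", out, off + 2, ceiling)
            return "adjust", bytes(out)     # a real device must also fix the TCP checksum
    return "pass", raw

# Constructed sample: MSS 1460, SACKPERMIT, TSOPT, NOP, WSOPT shift 7.
SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")

if __name__ == "__main__":
    print(check_mss(SYN_OPTS))
    print(check_mss(SYN_OPTS, vpn=True))
```
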
Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.