Properties

LogCheckSumErrors

Log IP packets with bad checksums. (Default: Yes)

LogNonIP4

Log occurrences of packets that do not follow the IP standard. (Default: Yes)

MulticastIPEnetOnMismatch

What action to take when ethernet and IP multicast addresses does not match. (Default: DropLog)

BlockMulticastSrc

Block multicast source addresses (224.0.0.0--255.255.255.255). (Default: DropLog)

TrafficClass

How to handle the packets with IPv4 TOS field or IPv6 TrafficClass field set. (Default: Ignore)

TTLMin

The minimum IP unicast Time-To-Live (IPv4) or HopLimit (IPv6) value accepted on receipt. (Default: 3)

TTLOnLow

What action to take on too low unicast TTL values. (Default: DropLog)

LogReceivedTTL0

Log received packets with TTL=0; this should never happen. (Default: Yes)

TTLMinMulticast

The minimum IP multicast Time-To-Live value accepted on receipt. (Default: 3)

TTLOnLowMulticast

What action to take on too low multicast TTL values. (Default: DropLog)

DefaultTTL

The default IP Time-To-Live (IPv4) or HopLimit (IPv6) of packets originated by this firewall (1-255). (Default: 255)

LayerSizeConsistency

TCP/UDP/ICMP/etc layer data and header sizes matching lower layer size information. (Default: ValidateLogBad)

AllowIPVersion

Enable/Disable IP versions at the lowest level, regardless of configuration (warning: remote management access will not be possible via a disallowed IP version). (Default: Any)

UDPSrcPort0

How to treat UDP packets with source port 0. (Default: DropLog)

Port0

How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. (Default: DropLog)

Block0000Src

Block 0.0.0.0 as source address. (Default: Drop)

Block0Net

Block 0.* destination addresses. (Default: DropLog)

Block127Net

Block 127.* source addresses. (Default: DropLog)

IPOptionSizes

Validity of IP header option sizes. (Default: ValidateLogBad)

IPOPT_SR

How to handle IP packets with contained source or return routes. (Default: DropLog)

IPOPT_TS

How to handle IP packets with contained Timestamps. (Default: DropLog)

IPOPT_RTRALT

How to handle IP packets with contained Route Alert. (Default: ValidateLogBad)

IPOPT_OTHER

How to handle IP options not specified above. (Default: DropLog)

DirectedBroadcasts

How to handle directed broadcasts being passed from one iface to another. (Default: DropLog)

IPRF

How to handle the IP Reserved Flag, if set; it should never be. (Default: DropLog)

AutoAddBroadcastRoute

Auto generate core route for 255.255.255.255 (needed by DHCP). (Default: Yes)

AutoAddMulticastRoute

Auto generate core route for 224.0.0.0/4 (needed by DHCP/OSPF). (Default: Yes)

AutoAddNullIPRoute

Auto generate core route for 0.0.0.0 (needed by DHCP). (Default: Yes)

StripDFOnSmall

Strip the Dont Fragment flag for packets of this size or smaller. Applies only to forwarded traffic (see also IPSettings::IP4PathMTUMin). (Default: 65535)

IP4PathMTUMin

Do not allow path-MTU discovery to decrease path-MTU to less than this value. Applies only to traffic initiated from the system (see IPSettings::StripDFOnSmall). (Default: 576)

IP4PathMTULifetime

Allow system to probe for larger path-MTU after this many minutes. Zero minutes means infinite time (note that using 1-4 minutes will violate the RFC). (Default: 10)

IP4OnPktTooBigAndDFSet

Whether to enable or disable path-MTU discovery participation for IPv4. Applies only to forwarded traffic, and only for packets where the DF flag is set. (Default: SendICMPNeedFragLog)

IP6BlockLoopbackSrc

Block the ::1 loopback address as source address. (Default: DropLog)

IP6BlockLoopbackDest

Block the ::1 loopback address as destination address. (Default: DropLog)

IP6Block0Dest

Block the unspecified address as destination address. (Default: DropLog)

IP6FL

How to handle packets with IPv6 Flow Label field set. (Default: Ignore)

IP6MaxExtHdr

Maximum combined size of all extension headers within an IPv6 packet. (Default: 256)

IP6OnMaxExtHdr

How to handle IPv6 packets with a total extension header size larger than IP6MaxExtHdr. (Default: DropLog)

IP6MaxOPH

Maximum number of options per extension header. (Default: 8)

IP6OnMaxOPH

How to handle IPv6 packets carrying an extension header with more options than specified by IP6MaxOPH. (Default: DropLog)

IP6ValidateSyntax

Validate IPv6 headers and options to be correctly formatted. (Default: ValidateLogBad)

IP6OPT_PADN

How to handle IPv6 PADN options where the pad field is non-zero. (Default: StripLog)

IP6OPT_JUMBO

How to handle IPv6 jumbograms. (Default: ValidateLogRejectBad)

IP6OPT_HA

How to handle IPv6 packets carrying Home Address option. (Default: RFC3775LogNoSupport)

IP6OPT_RA

How to handle IPv6 packets carrying Router Alert option. (Default: RFC3775LogNoSupport)

IP6OPT_Other

How to handle unknown IPv6 options. (Default: RFC2460LogNoSupport)

IP6OPT_RH0

How to handle packets with the expired Routing Header type 0. (Default: RFC5095LogNoSupport)

IP6OPT_RH2

How to handle packets with Routing Header type 2. (Default: RFC2460LogNoSupport)

IP6OPT_RHOther

How to handle packets with Routing Header type different than 0 and 2. (Default: RFC2460LogNoSupport)

IP6OnLocalUnrecognizedHdr

How to handle packets destined to the firewall with unrecognized IPV6 headers. (Default: DropLog)

IP6PathMTUMin

Do not allow path-MTU discovery to decrease path-MTU to less than this value. Applies only to traffic initiated from the system. See RFC 2460, section about "Packet Size Issues", for details. (Default: 1280)

IP6PathMTULifetime

Allow system to probe for larger path-MTU after this many minutes. Zero minutes means infinite time (note that using 1-4 minutes will violate the RFC). (Default: 10)

IP6OnPacketTooBig

Whether to enable or disable path-MTU discovery participation for IPv6. Applies only to forwarded traffic. (Default: SendICMPPktTooBigLog)