Firewall Settings > Flood Protection
741
SonicOS 5.8.1 Administrator Guide
The SYN/RST/FIN Blacklisting region contains the following options:
• Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – The maximum number of
SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should
be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more
vigorous local attacks or severe attacks from a WAN network.
• Enable SYN/RST/FIN flood blacklisting on all interfaces – This checkbox enables the
blacklisting feature on all interfaces on the firewall.
  – Never blacklist WAN machines – This checkbox ensures that systems on the WAN
are never added to the SYN Blacklist. This option is recommended as leaving it
unchecked may interrupt traffic to and from the firewall’s WAN ports.
  – Always allow SonicWALL management traffic – This checkbox causes IP traffic from
a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered. This
allows management traffic and routing protocols to maintain connectivity through a
blacklisted device.
TCP Traffic Statistics
The TCP Traffic Statistics table provides statistics on the following:
• Connections Opened – Incremented when a TCP connection initiator sends a SYN, or a
TCP connection responder receives a SYN.
• Connections Closed – Incremented when a TCP connection is closed, that is, when both
the initiator and the responder have sent a FIN and received an ACK.
• Connections Refused – Incremented when an RST is encountered and the responder is in
the SYN_RCVD state.
• Connections Aborted – Incremented when an RST is encountered and the responder is in
some state other than SYN_RCVD.
• Total TCP Packets – Incremented with every processed TCP packet.
• Validated Packets Passed – Incremented under the following conditions:
  – When a TCP packet passes checksum validation (while TCP checksum validation is
enabled).
  – When a valid SYN packet is encountered (while SYN Flood protection is enabled).
  – When a SYN Cookie is successfully validated on a packet with the ACK flag set (while
SYN Flood protection is enabled).
• Malformed Packets Dropped – Incremented under the following conditions:
  – When the TCP checksum fails validation (while TCP checksum validation is enabled).
  – When the TCP SACK Permitted (Selective Acknowledgement, see RFC1072) option is
encountered, but the calculated option length is incorrect.
  – When the TCP MSS (Maximum Segment Size) option is encountered, but the
calculated option length is incorrect.
  – When the TCP SACK option data is calculated to be either less than the minimum of 6
bytes, or modulo incongruent to the block size of 4 bytes.
  – When the TCP option length is determined to be invalid.
  – When the TCP header length is calculated to be less than the minimum of 20 bytes.
  – When the TCP header length is calculated to be greater than the packet’s data length.
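The header-length and option-length conditions from the Malformed Packets Dropped list, written out as an added Python example; this is not code from the guide or from SonicOS. The checksum condition is left out because it needs the IP pseudo-header, the SACK data thresholds are the ones the guide states (at least 6 bytes, a multiple of 4), and `build_segment` only constructs sample segments for testing.

```python
import struct

# TCP option kinds used below (RFC 793, RFC 1072 / RFC 2018).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_PERMITTED, OPT_SACK = 0, 1, 2, 4, 5


def classify_tcp_segment(segment: bytes) -> str:
    """Return "ok", or the reason the segment would count as malformed."""
    if len(segment) < 20:
        return "header length less than minimum of 20 bytes"
    data_offset = (segment[12] >> 4) * 4  # header length in bytes
    if data_offset < 20:
        return "header length less than minimum of 20 bytes"
    if data_offset > len(segment):
        return "header length greater than packet data length"
    options = segment[20:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):  # kind byte with no length byte behind it
            return "option length invalid"
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return "option length invalid"
        if kind == OPT_MSS and length != 4:
            return "MSS option length incorrect"
        if kind == OPT_SACK_PERMITTED and length != 2:
            return "SACK Permitted option length incorrect"
        if kind == OPT_SACK:
            data_len = length - 2
            # Thresholds as stated in the guide: minimum 6 bytes, block size 4.
            if data_len < 6 or data_len % 4 != 0:
                return "SACK option data length invalid"
        i += length
    return "ok"


def build_segment(options: bytes, header_len=None) -> bytes:
    """Constructed sample: a minimal 20-byte SYN header plus the given options,
    padded to a 4-byte boundary; header_len overrides the data-offset field."""
    padded = options + b"\x00" * (-len(options) % 4)
    hdr_len = 20 + len(padded) if header_len is None else header_len
    base = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0,
                       (hdr_len // 4) << 4, 0x02, 65535, 0, 0)
    return base + padded
```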