The Network Protection > Firewall > Advanced tab contains advanced settings for the firewall and the NAT rules.
So-called connection tracking helpers enable protocols that use multiple network connections to work with firewall or NAT rules. All connections handled by the firewall are tracked by the conntrack kernel module, a process better known as connection tracking. Some protocols such as FTP and IRC require several ports to be opened, and hence require special connection tracking helpers supporting them to operate correctly. These helpers are special kernel modules that help identify additional connections by marking them as being related to the initial connection, usually by reading the related addresses out of the data stream.
For example, for FTP connections to work properly, the FTP conntrack helper must be selected. This is due to the specifics of the FTP protocol, which first establishes a single connection that is called the FTP control connection. When commands are issued through this connection, other ports are opened to carry the rest of the data (e.g., downloads or uploads) related to that specific command. The problem is that the gateway will not know about these extra ports, since they were negotiated dynamically. Therefore, the gateway will be unable to know that it should let the server connect to the client over these specific ports (active FTP connections) or to let clients on the Internet connect to the FTP server (passive FTP connections).
This is where the FTP conntrack helper becomes effective. This special helper is added to the connection tracking module and will scan the control connection (usually on port 21) for specific information. When it runs into the correct information, it will add that specific information to a list of expected connections as being related to the control connection. This in return enables the gateway to track both the initial FTP connection as well as all related connections properly.
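The following is an added illustration (not Sophos UTM code) of the parsing step the FTP helper performs on the control connection: it reads a client PORT command or a server 227 passive reply, decodes the advertised address and port, and produces the related connection the gateway should expect. The `loose` flag and the peer-address check are assumptions modelled on the Linux helper's behaviour, not taken from this page.

```python
import re
from ipaddress import IPv4Address

# Client-side PORT (active mode) and server-side 227 reply (passive mode):
# h1,h2,h3,h4 is the IPv4 address and the data port is p1*256 + p2.
_PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
_PASV_RE = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(groups):
    """Turn the six decimal fields into (IPv4Address, port); reject out-of-range values."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return IPv4Address(".".join(str(n) for n in nums[:4])), port

def expect_from_control(line, client, server, loose=False):
    """Return the related data connection the gateway should expect as
    (mode, initiator, responder, port), or None if the line negotiates nothing.
    With loose=False (an assumption, mirroring the kernel helper's default) an
    advertised address that is not the control connection's own peer is ignored
    instead of being turned into an expectation."""
    m = _PORT_RE.match(line)
    if m:
        addr, port = _decode(m.groups())
        if not loose and addr != client:
            return None
        return ("active", server, addr, port)   # the server will dial the client
    m = _PASV_RE.match(line)
    if m:
        addr, port = _decode(m.groups())
        if not loose and addr != server:
            return None
        return ("passive", client, addr, port)  # the client will dial the server
    return None
```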
Connection tracking helpers are available for the following protocols:
Note – The PPTP helper module needs to be loaded if you want to offer PPTP VPN services on the gateway. Otherwise PPTP sessions cannot be established. The reason for this is that PPTP first establishes a TCP port 1723 connection before switching to Generic Routing Encapsulation (GRE) communication, which is a separate IP protocol. If the PPTP helper module is not loaded, all GRE packets will be blocked by the gateway. Alternatively, if you do not want to use the PPTP helper module, you can manually add firewall rules allowing GRE packets for incoming and outgoing traffic.
Enable TCP window scaling: The TCP receive window (RWin) size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. For more efficient use of high bandwidth networks, a larger TCP window size may be used. However, the TCP window size field controls the flow of data and is limited to 2 bytes, or a window size of 65535 bytes. Since the size field cannot be expanded, a scaling factor is used. TCP window scaling is a kernel option of the TCP/IP stack and can be used to increase the maximum window size from 65535 bytes to 1 Gigabyte. Window scaling is enabled by default. However, since some network devices such as routers, load balancers, gateways, and so on still do not fully support window scaling, depending on your environment it might be necessary to turn it off.
Use strict TCP session handling: Enabled by default starting with new installations of version 9.706. If you update to 9.706, your setting is kept. With strict TCP session handling turned on, the UTM only allows traffic where the three-way handshake has been completed. Find more information in Strict TCP session handling.
Validate packet length: If enabled, the firewall will check the data packets for minimal length if the ICMP, TCP, or UDP protocol is used. If the data packets are smaller than the minimal values, they will be blocked and a record will be written to the firewall log.
Block invalid packets: If enabled, the firewall checks data packets against existing conntrack entries. Conntrack entries are created by connection-initiating packets, for example a TCP SYN or an ICMP echo request. If a packet arrives that does not match an existing connection, for example a TCP ACK or an ICMP echo reply for which Sophos UTM on AWS cannot find a matching TCP SYN or ICMP echo request in the conntrack table, the packet is considered invalid and will be dropped. A record will be written to the firewall log.
Spoof protection: By default, spoof protection is disabled. You can choose between the following settings:
- Normal: The gateway will drop and log packets which either have the same source IP address as the interface itself or which arrive on an interface which has a source IP of a network assigned to another of its interfaces.
- Strict: In addition, the gateway will drop and log all packets that are addressed to the IP address of one interface but arrive on a different interface, that is, on an interface for which they are not destined. For example, packets sent from an external network to the IP address of the internal interface, which is supposed to accept packets from the internal network only, will be dropped.
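To make the difference between Normal and Strict concrete, here is an added example (not Sophos UTM code) that applies the two rule sets to sample packets against a constructed two-interface table; the interface names and addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed interface table (assumption): name -> (interface address, attached network)
INTERFACES = {
    "eth0": (ip_address("203.0.113.10"), ip_network("203.0.113.0/24")),  # external
    "eth1": (ip_address("10.0.0.1"), ip_network("10.0.0.0/24")),         # internal
}

def spoof_verdict(iface, src, dst, mode="normal", interfaces=INTERFACES):
    """Return None if spoof protection lets the packet through, otherwise the
    reason it would be dropped and logged. mode is "normal" or "strict"."""
    src, dst = ip_address(src), ip_address(dst)
    own_addr, _ = interfaces[iface]
    # Normal: source equals the receiving interface's own address
    if src == own_addr:
        return "source is the receiving interface's own address"
    # Normal: source belongs to a network assigned to another interface
    for name, (_, net) in interfaces.items():
        if name != iface and src in net:
            return f"source belongs to the network of {name}"
    # Strict only: destined to one interface's address but arrived on another
    if mode == "strict":
        for name, (addr, _) in interfaces.items():
            if name != iface and dst == addr:
                return f"destined to {name} but arrived on {iface}"
    return None
```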
Log FTP data connections: Sophos UTM on AWS will log FTP data connections (file and directory listings). The log records are marked by the string "FTP data".
Log unique DNS requests: Sophos UTM on AWS will log all outgoing requests to DNS servers as well as their outcome. The log records are marked by the string "DNS request".
Log dropped broadcasts: By default, the firewall drops all broadcasts, which in addition will not be logged. However, if you need broadcasts to be logged in the firewall log, for example, for audit purposes, select this option.
Log invalid packets: Sophos UTM on AWS will log all invalid packets. If Block invalid packets is enabled, the log records are marked by the string "INVALID_PKT".