...
- Rejected - packet swallowed
- Inspected - packet contents passed onto the next stage of inspection
- Ignored - packet forwarded without any further inspection
| OSI Layer | Rejected | Inspected | Ignored |
|---|---|---|---|
| DataLink [2] | QinQ | Ethernet, VLAN | everything else |
| Network [3] | IPv6, IPv4JUMBO | IPv4 | everything else |
| Transport [4] | - | TCP | everything else |
| Application [7] | everything else | FIX | BGP |
Warning: Message Size Restrictions
- Frames are limited to 1540 bytes in size.
- MTU is set to 1500 bytes.
- TCP Max Segment Size is enforced to be at or below 1424.
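The DataLink, Network and Transport rows of the disposition table and the frame size limit above, written out as an added Python example (not Reflector's own code). The function names are hypothetical, and three readings are assumptions: "IPv4JUMBO" is taken to mean an IPv4 frame over the 1540-byte limit, stacked 802.1Q tags are treated as QinQ, and truncated or malformed headers are rejected.

```python
import struct

REJECTED, INSPECTED, IGNORED = "Rejected", "Inspected", "Ignored"
ETH_IPV4, ETH_IPV6, ETH_VLAN, ETH_QINQ = 0x0800, 0x86DD, 0x8100, 0x88A8
MAX_FRAME = 1540   # frame size limit from the warning above
PROTO_TCP = 6

def classify(frame: bytes):
    """Return (disposition, layer that decided) for one raw Ethernet frame."""
    if len(frame) < 14:
        return REJECTED, "DataLink"            # assumption: runt frames are dropped
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETH_QINQ:
        return REJECTED, "DataLink"
    if ethertype == ETH_VLAN:                  # a single 802.1Q tag is inspected
        if len(frame) < 18:
            return REJECTED, "DataLink"
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
        if ethertype in (ETH_VLAN, ETH_QINQ):  # assumption: stacked tags are QinQ
            return REJECTED, "DataLink"
    if ethertype == ETH_IPV6:
        return REJECTED, "Network"
    if ethertype != ETH_IPV4:
        return IGNORED, "Network"              # e.g. ARP is forwarded untouched
    if len(frame) > MAX_FRAME:                 # assumption: this is "IPv4JUMBO"
        return REJECTED, "Network"
    ver_ihl = frame[offset] if len(frame) >= offset + 20 else 0
    if (ver_ihl >> 4) != 4 or (ver_ihl & 0x0F) < 5:
        return REJECTED, "Network"             # assumption: malformed IPv4 is dropped
    if frame[offset + 9] != PROTO_TCP:
        return IGNORED, "Transport"            # UDP, ICMP, ...
    return INSPECTED, "Transport"              # TCP payload goes on to the next stage

def build_frame(ethertype, payload=b"", tags=()):
    """Constructed sample frame: dummy MACs, optional tag TPIDs, then ethertype."""
    hdr = bytes(6) + b"\x02\x00\x00\x00\x00\x01"
    for tpid in tags:
        hdr += struct.pack("!HH", tpid, 100)   # TCI: VLAN id 100
    return hdr + struct.pack("!H", ethertype) + payload

def ipv4_header(proto, total_len=20):
    """Constructed minimal IPv4 header (IHL 5) padded out to total_len bytes."""
    return (bytes([0x45, 0]) + struct.pack("!H", total_len) + bytes(5)
            + bytes([proto]) + bytes(10) + bytes(total_len - 20))

if __name__ == "__main__":
    for name, f in [("tcp", build_frame(ETH_IPV4, ipv4_header(6))),
                    ("qinq", build_frame(ETH_IPV4, ipv4_header(6), (ETH_QINQ, ETH_VLAN)))]:
        print(name, classify(f))
```

The Application row (FIX, BGP, everything else) is left out because the page does not say how Reflector tells those protocols apart.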
TCP Whitelists & Network Address Translation
...
Reflector's parser can return an error for a variety of reasons: logon failure, wrong protocol, sanity checks, etc. Some exogenous factors can also call for immediate termination: session timeout, disabled credential, UNPLUG mode, etc. The session store executes this directive by generating a pair of TCP RST frames for each affected session.
| Session Drop Reason | Source | Executor | RST Generated | Description |
|---|---|---|---|---|
| TCP_FIN_ACK | wire | SessionStore | N | Normal bilateral TCP termination |
| TCP_RESET | wire | SessionStore | N | Unilateral (client) TCP reset |
| LOGIN_FAIL | wire |
Reflector Reflector Reflector | Risk Instance | Y | Associated credential disabled |
| GROUP_DISABLED | web server |
Reflector | Risk Instance | Y | Associated risk pool disabled |
| DEAD_MAN_SWITCH | metronome |
Reflector Reflector
Broken Session
If Reflector receives a TCP packet that fits the following requirements, it swallows the packet and generates a TCP RST packet in the reverse direction
...