Along with ICMP messages, the behavior of TCP and UDP connections also reveals whether the addressed computer exists. Depending on the network environment, it may therefore be preferable to silently drop TCP and UDP packets addressed to a port without a listener instead of answering with a TCP reset or an ICMP "port unreachable" message. The desired behavior can be set in the device.
Important: When ports without a listener are hidden, the "auth"/"ident" service no longer works for masked connections (or is no longer rejected properly), because the querying side never receives a reset and has to wait for a timeout. The corresponding port can therefore be treated separately (Mask authentication port).
The available settings are:
- Off: All ports are closed and TCP packets are answered with a TCP reset.
- Always: All ports are hidden and TCP packets are dropped silently.
- WAN only: All ports are hidden on the WAN side and closed on the LAN side.
- Default route only: The ports are hidden on the default route (usually Internet) and closed on all other routes.
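As an added example that is not part of the original documentation and not the device's own configuration, the following nftables ruleset reproduces the "WAN only" behavior on a Linux host, with the authentication port left unmasked as the note above recommends. The interface names (wan0, lan0) and the listening service ports (22, 443, 53) are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: emulate "Mask ports: WAN only" together with an unmasked
# authentication port. Interface names and service ports are assumptions.
flush ruleset

table inet filter {
    chain input {
        # Chain policy is drop: anything not handled explicitly is silently
        # discarded, i.e. the port is "hidden".
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Ports that really have a listener (assumed services).
        tcp dport { 22, 443 } accept
        udp dport 53 accept

        # WAN side: the ident/auth port is the one exception that is
        # "closed" rather than hidden, so a remote server doing an ident
        # lookup gets an immediate reset instead of waiting for a timeout.
        iifname "wan0" tcp dport 113 reject with tcp reset

        # WAN side: every other port without a listener falls through to
        # the drop policy (port hidden, no reset, no ICMP message).

        # LAN side: ports without a listener are "closed": TCP is answered
        # with a reset, UDP with an ICMP/ICMPv6 port unreachable.
        iifname "lan0" meta l4proto tcp reject with tcp reset
        iifname "lan0" meta l4proto udp reject with icmpx type port-unreachable
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`. Because the reject rules are restricted to the LAN interface, a connection attempt to an unused port from the WAN side produces no answer at all, while the same attempt from the LAN side fails immediately; only TCP port 113 behaves as "closed" on both sides.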