Description:

LANCOM Systems recommends deactivating unused "Application Layer Gateways" (ALG), also with regard to security vulnerabilities such as "NAT Slipstream", or restricting communication between the ALGs.

This article describes which ALGs run on LCOS devices and how to deactivate or restrict these.

Before deactivating or restricting the ALGs, check whether your software is using any of the associated protocols. 

  • FTP: FTP is a popular protocol. Restricting the relevant ALG causes “Active FTP” to be prevented so that only “Passive FTP” is available.
  • H.323: H.323 is out of date and should only be used in exceptional cases. As a rule, you can simply deactivate this ALG.
  • IRC: IRC can remain in use even after restricting the related ALG. The only thing that has to be prevented is the communication between two IRC clients via DCC.
  • SIP ALG: This ALG is used when a SIP telephone or a SIP PBX on the local network registers directly with a SIP provider on a remote network. The alternative is to use the Voice Call Manager. In this case the SIP phone or the SIP PBX registers with the LANCOM router and the latter registers with the SIP provider (this requires a VoIP router or the All-IP option).

Requirements:

Restricting the FTP ALG:

The FTP ALG cannot be deactivated. However, the behavior can be changed so that the ALG has no port open for incoming communications, as would be the case with “Active FTP” or with FXP.

Although this parameter can also be set via LANconfig or in the configuration tree in WEBconfig, the description there is slightly misleading. LANCOM Systems recommends you carry out the configuration via the console or via the LCOS menu tree in WEBconfig.


Via CLI:

Use SSH to connect to the device command-line interface (CLI) and enter the following command:

set Setup/IP-Router/Firewall/Applications/FTP/FTP-Block off ; set Setup/IP-Router/Firewall/Applications/FTP/Active-FTP-Block always ; set Setup/IP-Router/Firewall/Applications/FTP/FXP-Block always

These parameters are explained in the With WEBconfig section.

With WEBconfig:

1) Open the menu (Extras) → LCOS Menu Tree → Setup → IP router → Firewall → Applications → FTP.

2) Open the parameter Active-FTP-Block, select the drop-down menu option always and click on Send. This prevents the use of communications via active FTP and only allows the use of passive FTP.

3) Open the parameter FTP-Block and make sure the option is set to off. This means that FTP communication is generally possible.

4) Open the parameter FXP-Block, select the drop-down menu option always and click on Send. FXP (File eXchange Protocol) supports both active and passive communication and therefore needs to be blocked (also see Active-FTP-Block).

Deactivating the H.323 ALG:

Via CLI:

Connect to the device CLI via SSH and enter the command set Setup/IP-Router/Firewall/Applications/H.323/H.323-Support no.

With WEBconfig:

  • Open the menu Extras → LCOS Menu Tree → Setup → IP-Router → Firewall → Applications → H.323 → H.323-Support.
  • Set the parameter to No and click on Send.

Restricting the IRC ALG:

The IRC ALG cannot be deactivated. However, the behavior can be changed so that the ALG has no port open for incoming communications, as is the case with communication via DCC.

For historical reasons, the name in LCOS is DDC and not DCC.

Although this parameter can also be set via LANconfig or in the configuration tree in WEBconfig, the description there is slightly misleading. LANCOM Systems recommends you carry out the configuration via the console or via the LCOS menu tree in WEBconfig.


Via CLI:

Use SSH to connect to the device command-line interface (CLI) and enter the following command:

set Setup/IP-Router/Firewall/Applications/IRC/IRC-Block off ; set Setup/IP-Router/Firewall/Applications/IRC/DDC-Block always

These parameters are explained in the With WEBconfig section.
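As an added example (not LANCOM's own tooling), the following POSIX shell script emits the CLI commands from the FTP, H.323 and IRC sections above and audits a parameter dump against the target values; the dump format of one "path value" per line is an assumption, not a documented LCOS export.

```shell
#!/bin/sh
# Added example, not LANCOM tooling. Assumes a parameter dump in the form
# "path value", one per line (constructed format, not a documented LCOS export).

# Target values from the article: base protocols stay usable, the ALGs'
# inbound listening behaviour (active FTP, FXP, H.323, DCC) is closed.
EXPECTED='Setup/IP-Router/Firewall/Applications/FTP/FTP-Block off
Setup/IP-Router/Firewall/Applications/FTP/Active-FTP-Block always
Setup/IP-Router/Firewall/Applications/FTP/FXP-Block always
Setup/IP-Router/Firewall/Applications/H.323/H.323-Support no
Setup/IP-Router/Firewall/Applications/IRC/IRC-Block off
Setup/IP-Router/Firewall/Applications/IRC/DDC-Block always'

# Emit the LCOS "set" commands from the article, one per line, for the CLI.
alg_hardening_commands() {
    while read -r path value; do
        printf 'set %s %s\n' "$path" "$value"
    done <<EOF
$EXPECTED
EOF
}

# Compare a "path value" dump on stdin against EXPECTED. Prints one line per
# missing or deviating parameter; returns 0 only when everything matches.
audit_alg_settings() {
    dump=$(cat)
    findings=0
    while read -r path want; do
        have=$(printf '%s\n' "$dump" | awk -v p="$path" '$1 == p { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (expected %s)\n' "$path" "$want"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s is %s (expected %s)\n' "$path" "$have" "$want"
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample dump: H.323 ALG still on, DDC-Block never set.
SAMPLE_DUMP='Setup/IP-Router/Firewall/Applications/FTP/FTP-Block off
Setup/IP-Router/Firewall/Applications/FTP/Active-FTP-Block always
Setup/IP-Router/Firewall/Applications/FTP/FXP-Block always
Setup/IP-Router/Firewall/Applications/H.323/H.323-Support yes
Setup/IP-Router/Firewall/Applications/IRC/IRC-Block off'
printf '%s\n' "$SAMPLE_DUMP" | audit_alg_settings || echo "ALG hardening incomplete"
```

Run `alg_hardening_commands` to get the lines to paste into the CLI, and pipe a device dump into `audit_alg_settings` to list any ALG parameter that still deviates from the article's recommendation.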

With WEBconfig:

1) Open the menu (Extras) → LCOS Menu Tree → Setup → IP router → Firewall → Applications → IRC.

2) Open the parameter DDC-Block, select the drop-down menu option always and click on Send. This prevents direct communication between two IRC clients via DCC (Direct Client-to-Client).

3) Open the parameter IRC-Block and make sure the option is set to off. This means that IRC communication is generally possible.

Deactivating the SIP-ALG:

With LANconfig:

In LANconfig, switch to the menu Miscellaneous Services → Services and make sure that the checkbox for SIP-ALG activated is not checked.

With WEBconfig:

In WEBconfig, switch to the menu Configuration → Miscellaneous Services → Services and make sure that the checkbox for SIP-ALG activated is not checked.
