Configuring security Firewall
Digi TransPort® Routers User Guide
Configure stateful inspection settings
For more information on stateful inspection and firewall rules, see [inspect-state].
Web
To configure stateful inspection settings, go to Configuration > Security > Firewall > Stateful
Inspection Settings. This page contains timer timeout values and other options for the firewall
stateful inspection module. This module establishes firewall rules that last for a single connection
only. Typically, the first packet of a TCP connection (the SYN packet) creates a stateful inspection rule
that only allows subsequent packets for that TCP connection through the firewall. The timers described
below set limits on how long such rules persist.
Timer options
TCP Opening (seconds)
The time allowed, after receipt of the TCP packet that caused a stateful inspection rule to be created
(normally the SYN), for the TCP connection to become established. If the connection is not
established within this period, the associated stateful rule is removed.
TCP Open (seconds)
The time an established TCP connection can remain idle before the stateful inspection rule created for
it is removed. The timer is restarted each time a packet is processed by the associated stateful
inspection rule.
TCP Closing (seconds)
The time allowed for a TCP socket to close once the first TCP FIN packet has been received. If the
timer expires before the socket has completed closing, the stateful inspection rule is removed.
TCP Closed (seconds)
The time that a stateful inspection rule remains in place after a TCP connection has closed.
UDP (seconds)
The time that a stateful inspection rule remains in place following the receipt of a UDP packet. The
timer is restarted each time packets matching the rule pass in each direction. As a consequence, use
rules based on UDP only if packets will travel in both directions.
ICMP (seconds)
Some ICMP packets, such as the ECHO request, generate response packets. The value in this text box
specifies the length of time that a stateful inspection rule created for an ICMP packet will remain in
place if the response is not received. The rule is removed immediately following receipt of the
response.
Other protocols (seconds)
If a stateful inspection rule is created from a packet of a protocol other than TCP, UDP or ICMP, this
timeout applies to it. The value in this text box specifies the length of time such a rule persists. The
timer is restarted each time a packet is processed by the rule.
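The following simulation, added here to illustrate the timers above, is not code from the Digi TransPort firmware or from this guide. It models a rule table in which the TCP Opening, TCP Open, TCP Closing, TCP Closed, UDP, ICMP and Other timers behave as described, and drives a few constructed flows through it so the rule lifetimes can be observed. The packet dictionaries, the direction-independent flow key, the "inside" address set (a stand-in for a firewall rule that allows outbound traffic with stateful inspection) and the simplified TCP state transitions (no sequence-number tracking; a flow counts as closed once a FIN has been seen from both sides) are this example's own assumptions, as are the timeout values.

```python
"""Simulation of stateful-inspection rule timers (added example, not Digi firmware code).

Assumptions: one rule per flow keyed on protocol and both endpoints, rules
are created only by packets from the "inside", TCP handshake completion is
the initiator's bare ACK, and a TCP flow is closed after a FIN from each side.
"""

# Timeouts in seconds; the values are constructed for the demonstration.
TIMERS = {"tcp_opening": 10, "tcp_open": 60, "tcp_closing": 5,
          "tcp_closed": 2, "udp": 30, "icmp": 5, "other": 30}

# Initial state and timer used when a packet of each protocol creates a rule.
OPEN_STATE = {"tcp": ("OPENING", "tcp_opening"), "udp": ("ACTIVE", "udp"),
              "icmp": ("WAIT_REPLY", "icmp")}


def flow_key(pkt):
    """Same key for both directions so a reply matches the rule its request made."""
    ends = sorted([(pkt["src"], pkt.get("sport", 0)), (pkt["dst"], pkt.get("dport", 0))])
    return (pkt["proto"], ends[0], ends[1])


class StatefulTable:
    def __init__(self, inside, timers=TIMERS):
        self.inside, self.timers, self.rules = set(inside), timers, {}

    def _expire(self, now):
        """Drop every rule whose timer has run out."""
        self.rules = {k: r for k, r in self.rules.items() if r["expires"] > now}

    def _restart(self, rule, timer, now, state=None):
        rule["expires"] = now + self.timers[timer]
        if state:
            rule["state"] = state

    def state(self, pkt, now):
        self._expire(now)
        rule = self.rules.get(flow_key(pkt))
        return rule["state"] if rule else None

    def process(self, pkt, now):
        """Return True if the packet passes: it matched a rule or was allowed to create one."""
        self._expire(now)
        key = flow_key(pkt)
        rule = self.rules.get(key)
        if rule is not None:
            return self._update(rule, key, pkt, now)
        # No rule yet: only the inside may open one, and for TCP and ICMP only
        # the packet that starts an exchange (SYN, echo request) does so.
        starts = {"tcp": set(pkt.get("flags", ())) == {"SYN"},
                  "icmp": pkt.get("type") == 8}.get(pkt["proto"], True)
        if pkt["src"] not in self.inside or not starts:
            return False
        state, timer = OPEN_STATE.get(pkt["proto"], ("ACTIVE", "other"))
        self.rules[key] = {"state": state, "expires": now + self.timers[timer],
                           "initiator": pkt["src"], "fins": set()}
        return True

    def _update(self, rule, key, pkt, now):
        proto, st = pkt["proto"], rule["state"]
        if proto == "icmp":
            if pkt.get("type") == 0:          # echo reply: rule removed immediately
                del self.rules[key]
            return True
        if proto == "udp":
            self._restart(rule, "udp", now)   # any matching packet restarts the timer
            return True
        if proto != "tcp":
            self._restart(rule, "other", now)  # "Other protocols" timer, restarted per packet
            return True
        flags = set(pkt.get("flags", ()))
        if st == "OPENING":
            # The opening timer is not restarted; the initiator's bare ACK completes
            # the handshake and starts the idle (TCP Open) timer.
            if flags == {"ACK"} and pkt["src"] == rule["initiator"]:
                self._restart(rule, "tcp_open", now, "OPEN")
        elif st == "OPEN":
            self._restart(rule, "tcp_open", now)  # idle timer restarts on every packet
            if "FIN" in flags:
                rule["fins"].add(pkt["src"])
                self._restart(rule, "tcp_closing", now, "CLOSING")
        elif st == "CLOSING":
            if "FIN" in flags:
                rule["fins"].add(pkt["src"])
            if len(rule["fins"]) == 2:        # both sides closed: linger for TCP Closed
                self._restart(rule, "tcp_closed", now, "CLOSED")
        return True                           # CLOSED: still matches until the timer ends


def _run(fw, steps):
    return [(fw.process(p, t), fw.state(p, t)) for t, p in steps]


def tcp_trace():
    """One full TCP flow plus an unsolicited inbound ACK; constructed addresses."""
    fw = StatefulTable(inside={"10.0.0.5"})
    c = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 443}
    s = {"proto": "tcp", "src": "192.0.2.10", "sport": 443, "dst": "10.0.0.5", "dport": 40000}
    return _run(fw, [(0.0, {**s, "flags": ["ACK"]}),          # unsolicited, no rule: dropped
                     (0.0, {**c, "flags": ["SYN"]}),          # rule created: OPENING (10 s)
                     (0.1, {**s, "flags": ["SYN", "ACK"]}),
                     (0.2, {**c, "flags": ["ACK"]}),          # established: OPEN (60 s idle)
                     (50.0, {**c, "flags": ["ACK"]}),         # idle timer restarted
                     (105.0, {**s, "flags": ["ACK"]}),        # 55 s idle: still inside 60 s
                     (106.0, {**c, "flags": ["FIN", "ACK"]}), # CLOSING (5 s)
                     (107.0, {**s, "flags": ["FIN", "ACK"]}), # CLOSED (2 s)
                     (110.0, {**s, "flags": ["ACK"]})])       # closed timer elapsed: dropped


def half_open_trace():
    """A SYN that never completes: the rule disappears after TCP Opening seconds."""
    fw = StatefulTable(inside={"10.0.0.5"})
    c = {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 443}
    return _run(fw, [(0.0, {**c, "flags": ["SYN"]}), (9.0, {**c, "flags": ["SYN"]}),
                     (11.0, {**c, "flags": ["ACK"]})])


def udp_icmp_trace():
    """A DNS query/answer and an echo request/reply; constructed addresses."""
    fw = StatefulTable(inside={"10.0.0.5"})
    q = {"proto": "udp", "src": "10.0.0.5", "sport": 5000, "dst": "192.0.2.53", "dport": 53}
    a = {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.5", "dport": 5000}
    ping = {"proto": "icmp", "src": "10.0.0.5", "dst": "192.0.2.1", "type": 8}
    pong = {"proto": "icmp", "src": "192.0.2.1", "dst": "10.0.0.5", "type": 0}
    return _run(fw, [(0.0, q), (1.0, a), (40.0, a),       # late answer: rule expired, dropped
                     (40.0, ping), (41.0, pong), (42.0, pong)])  # reply removes rule at once
```

Running the three trace functions shows the points the settings make in practice: an inbound packet that matches no rule is dropped, a half-open connection stops matching once TCP Opening elapses, an idle established connection survives only while packets keep restarting TCP Open, and an ICMP rule is removed by the first echo reply so a second reply is dropped.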