Configuring security Firewall
Digi TransPort® Routers User Guide
782
•  With the inspect-state option, echo replies are not allowed in all the time; they are only allowed in once an echo request has been sent out on that interface.
•  When a valid echo reply comes back, or the entry times out, echo replies are blocked again.
•  Furthermore, the full IP addresses are checked: the reply's IP source and destination must exactly match the IP destination and source of the echo request.
•  Compare this with a rule that allows echo replies in without inspect-state: such a rule cannot check the source address at all, and its destination address would match any IP address on your network, so a reply from anywhere, solicited or not, is accepted.
ICMP packet types that allow the inspect-state field
You can use the inspect-state field with the following ICMP packet types:
ICMP type    Matching ICMP type
Echo         Echo reply
Timest       Timestrep
Inforeq      Inforep
Maskreq      Maskrep
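The following is an added example, not code from the Digi TransPort guide or the router's firewall engine. It models the behaviour described above for the request/reply pairs in the table: a reply is admitted only after a matching request has left on the same interface, only when its source and destination are exactly the request's destination and source, and only once, with the entry dropped again on timeout. A stateless "allow replies in" rule is modelled alongside it for contrast. Interface names, addresses, the 10-second timeout and the packets are constructed for the demonstration; the real engine may track further fields (such as ICMP identifier) that the page does not describe, and this model does not.

```python
from dataclasses import dataclass

# Request -> reply pairings from the table on this page (lower-cased keywords).
PAIRS = {
    "echo": "echoreply",
    "timest": "timestrep",
    "inforeq": "inforep",
    "maskreq": "maskrep",
}


@dataclass(frozen=True)
class IcmpPacket:
    iface: str       # interface the packet enters or leaves on, e.g. "PPP 1" (assumed name)
    src: str         # IP source
    dst: str         # IP destination
    icmp_type: str   # one of the keys or values of PAIRS


class StatelessReplyRule:
    """A plain 'pass in ... echoreply' rule with no inspect-state: it cannot
    tell whether we asked, nor who should be answering."""

    def allow_in(self, pkt, now):
        return pkt.icmp_type in PAIRS.values()


class InspectState:
    """Minimal model of the stateful inspection described above."""

    def __init__(self, timeout=10):
        self.timeout = timeout
        # (iface, request src, request dst, expected reply type) -> expiry time
        self.pending = {}

    def outbound(self, pkt, now):
        # An outgoing request opens a hole for exactly one matching reply.
        reply_type = PAIRS.get(pkt.icmp_type)
        if reply_type is not None:
            self.pending[(pkt.iface, pkt.src, pkt.dst, reply_type)] = now + self.timeout

    def allow_in(self, pkt, now):
        # Timed-out entries are discarded: replies are blocked again.
        self.pending = {k: exp for k, exp in self.pending.items() if exp > now}
        # The reply's src/dst must be the request's dst/src on the same interface.
        key = (pkt.iface, pkt.dst, pkt.src, pkt.icmp_type)
        if key in self.pending:
            del self.pending[key]   # a valid reply closes the hole
            return True
        return False


def demo():
    """Run both models over a constructed sequence and return the decisions."""
    fw = InspectState(timeout=10)
    stateless = StatelessReplyRule()
    request = IcmpPacket("PPP 1", "192.0.2.10", "198.51.100.5", "echo")
    good_reply = IcmpPacket("PPP 1", "198.51.100.5", "192.0.2.10", "echoreply")
    spoofed_src = IcmpPacket("PPP 1", "203.0.113.7", "192.0.2.10", "echoreply")
    wrong_dst = IcmpPacket("PPP 1", "198.51.100.5", "192.0.2.99", "echoreply")

    results = {}
    # Nothing has been sent yet: stateful blocks, stateless lets it straight in.
    results["unsolicited_stateful"] = fw.allow_in(good_reply, now=0)
    results["unsolicited_stateless"] = stateless.allow_in(good_reply, now=0)

    fw.outbound(request, now=1)
    results["spoofed_src"] = fw.allow_in(spoofed_src, now=2)   # wrong source
    results["wrong_dst"] = fw.allow_in(wrong_dst, now=2)       # wrong destination
    results["matching"] = fw.allow_in(good_reply, now=2)       # exact match
    results["second_reply"] = fw.allow_in(good_reply, now=3)   # hole already closed

    fw.outbound(request, now=10)
    results["after_timeout"] = fw.allow_in(good_reply, now=25) # 10 s timeout elapsed
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {'pass' if decision else 'block'}")
```

The point the model makes concrete is the last bullet above: the stateless rule returns True for the very first, unsolicited reply, while the stateful model refuses everything except the one reply whose addresses are the mirror image of the request, and refuses that too once it has been used or has timed out.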
Use [inspect-state] with ICMPv6 codes
You can use the inspect-state field with the following ICMPv6 packet types:
ICMPv6 type    Matching ICMPv6 type
Echo           Echo reply
Use the Out Of Service (oos) parameter in inspect-state fields
The optional oos parameter in an inspect-state field does two things:
•  Allows the stateful inspection engine to mark as out of service any routes associated with the specified interface.
•  Controls how those routes are returned to service.
Routes are marked as out of service only when the conditions set by the oos option parameters are met.
Note For IPv6 packets, none of the oos options are supported.
Syntax
oos {interface-name¦logical-name} secs {t=secs} {c=count} {d=count} {r="ping"¦"tcp"{,secs}}
interface-name or logical-name
The interface with which the firewall rule is associated, such as PPP 1. This can also be a logical interface name, which is simply a name you create (such as waffle). When a logical interface