Configuring security Firewall
Digi TransPort® Routers User Guide
Debug a firewall
When creating and managing firewall scripts, you may need to debug the scripts to confirm that packets are being processed as intended. To assist in this, you can use a rule with the debug action.

When a packet matches a rule with the debug action, an entry is written to the fwlog.txt pseudo-file for that rule and for every subsequent rule the packet matches. This lets you follow a packet through a rule set and helps determine what changes, if any, the rule set requires. Rules specifying the debug action are typically placed near the top of the rule set, so that all matching rules from that point on are recorded in the log file.

Entries written to fwlog.txt as the result of a debug rule are identified by the short description FW_DEBUG at the top of the log entry.
An example rule set using a debug rule:
    debug in on ppp 2 proto tcp from any to any port=http
    pass in break end proto tcp from any to any port=http flags s/sa inspect state
    pass out break end proto udp
If placed at the top of the rule set, any packet received on interface PPP 2 with destination port 80 generates a debug entry in the log file for each subsequent rule that it matches. In the example rule set above, a packet that matches the second rule also matches the first (debug) rule, and therefore creates two log entries. The same packet does not match the third rule, so no log entry is made for that rule.
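To make the two-entries behaviour concrete, the following is an added Python model of a packet walking the three-rule set above; it is not Digi's firewall code and not part of the guide. It handles only the keywords used in the example (the `port=http` service name is assumed to map to 80, `flags`/`inspect state` are not modelled, and treating `break end` as "apply the action and stop" is an assumption).

```python
# Added example: a minimal model of how a debug rule produces FW_DEBUG entries
# in fwlog.txt. Hypothetical simplification of the TransPort rule language.

RULES = [  # the three rules from the guide's example
    "debug in on ppp 2 proto tcp from any to any port=http",
    "pass in break end proto tcp from any to any port=http flags s/sa inspect state",
    "pass out break end proto udp",
]
SERVICES = {"http": 80}  # assumption: service names resolve to port numbers


def parse_rule(text):
    """Extract the fields this model understands; everything else is ignored."""
    toks = text.split()
    rule = {"action": toks[0], "direction": toks[1], "iface": None,
            "proto": None, "dport": None, "break": "break" in toks}
    for i, t in enumerate(toks):
        if t == "on":                       # "on ppp 2" -> interface "ppp 2"
            rule["iface"] = f"{toks[i + 1]} {toks[i + 2]}"
        elif t == "proto":
            rule["proto"] = toks[i + 1]
        elif t.startswith("port="):         # destination port or service name
            v = t.split("=", 1)[1]
            rule["dport"] = SERVICES.get(v, int(v) if v.isdigit() else v)
    return rule


def matches(rule, pkt):
    """A field left unspecified in the rule matches any packet value."""
    return (rule["direction"] == pkt["direction"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["dport"] in (None, pkt["dport"]))


def process(pkt, rules=RULES):
    """Walk the rule set; return (final action, list of fwlog.txt lines)."""
    log, debugging, verdict = [], False, None
    for n, text in enumerate(rules, 1):
        rule = parse_rule(text)
        if not matches(rule, pkt):
            continue
        if rule["action"] == "debug":
            debugging = True                # from here on, every match is logged
        if debugging:
            log.append(f"FW_DEBUG rule {n}: {text}")
        if rule["action"] != "debug":
            verdict = rule["action"]
            if rule["break"]:               # assumption: "break end" stops the walk
                break
    return verdict, log
```

Running `process({"direction": "in", "iface": "ppp 2", "proto": "tcp", "dport": 80})` returns the pass verdict with two FW_DEBUG lines (rules 1 and 2), while the same packet on PPP 1, or an outbound UDP packet, produces none.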
Because of the extra processor time required to write all of these additional log entries, remove (or comment out) debug rules once the rule set is operating as desired.