Firewall configuration
Digi TransPort User Guide 653
Stateful Inspection Settings parameters
Stateful inspection settings are configured on the Configuration > Security > Firewalls > Stateful 
Inspection Settings page. This page contains timer timeout values and other options used by 
the firewall stateful inspection module. This module establishes firewall rules that last for a single 
connection only. Typically, the first packet of a TCP connection (SYN packet) is used to create a 
stateful inspection rule that only allows subsequent packets for that TCP connection through the 
firewall. The timers described below set limits on how long such rules persist.
Timers
TCP Opening s seconds
The time following receipt of a TCP packet that causes a stateful inspection rule to be created 
before a TCP connection must be established. If a TCP connection is not established within this 
period, the associated stateful rule is removed.
TCP Open s seconds
The time an established TCP connection can remain idle before the stateful inspection rule 
created for it is removed. The timer is restarted each time a packet is processed by the 
associated stateful inspection rule.
TCP Closing s seconds
The time allowed for a TCP socket to close once the first FIN packet has been received. If the 
timer expires before the socket has completed closing, the stateful inspection rule is removed.
TCP Closed s seconds
The time that a stateful inspection rule remains in place after a TCP connection has closed.
UDP s seconds
The time that a stateful inspection rule remains in place following the receipt of a UDP packet. 
The timer is restarted each time packets matching the rule pass in each direction. As a 
consequence, rules based on UDP should only be used if it is anticipated that packets will 
travel in both directions.
ICMP s seconds
Some ICMP packets, such as the ECHO request, generate response packets. The value in this 
text box specifies the length of time that a stateful inspection rule created for an ICMP packet 
will remain in place if the response is not received. The rule is removed immediately following 
receipt of the response.
Other protocols s seconds
If a stateful inspection rule is created from a packet type other than TCP, UDP or ICMP, a rule 
timeout should be created for it. The parameter in this text box specifies the length of time 
such a rule persists. The timer is restarted each time a packet is processed by the rule.
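The timers above can be read as a per-connection state machine. The following Python model is an added example, not Digi code: the timer values, the `Entry` class and its direction labels are constructed for illustration, and it assumes that the UDP timer restarts only once packets have passed in both directions. It covers TCP, UDP and ICMP entries only.

```python
# Added illustration: one stateful-inspection entry and its timers.
# Timer values are constructed for the example; they are not Digi defaults.
TIMERS = {"opening": 10, "open": 300, "closing": 10, "closed": 2,
          "udp": 30, "icmp": 10}


class Entry:
    """Rule created by the first packet of a flow (sent in direction 'out')."""

    def __init__(self, proto, now):
        self.proto = proto
        self.fin_from = None          # direction of the first FIN (TCP)
        self.synack = False           # SYN+ACK seen from the responder (TCP)
        self.seen = {"out"}           # directions seen since last UDP restart
        self._enter("opening" if proto == "tcp" else proto, now)

    def _enter(self, state, now):
        self.state, self.deadline = state, now + TIMERS[state]

    def packet(self, now, direction, flags=""):
        """Return True if this entry lets the packet through at time `now`."""
        if self.state == "removed" or now >= self.deadline:
            self.state = "removed"    # timer ran out: rule is gone
            return False
        if self.state == "icmp":
            if direction == "in":
                self.state = "removed"  # removed as soon as the reply arrives
        elif self.state == "udp":
            self.seen.add(direction)
            if self.seen == {"in", "out"}:   # assumed reading of "each direction"
                self.seen = set()
                self._enter("udp", now)
        elif self.state == "opening":
            if flags == "SA" and direction == "in":
                self.synack = True
            elif flags == "A" and direction == "out" and self.synack:
                self._enter("open", now)     # handshake done within the limit
        elif self.state == "open":
            if "F" in flags:
                self.fin_from = direction
                self._enter("closing", now)  # one fixed window to finish closing
            else:
                self._enter("open", now)     # idle timer restarts on every packet
        elif self.state == "closing":
            if "F" in flags and direction != self.fin_from:
                self._enter("closed", now)   # trailing ACK still matches briefly
        return True
```

Feeding a one-way UDP stream through `Entry("udp", 0)` shows the rule disappearing at the UDP timeout even though packets are still flowing, which is the behaviour the UDP timer description warns about.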
Other Options
Expire entry after n consecutive packets in one direction
The maximum number of consecutive packets that should pass in one direction before the 
corresponding rule entry is expired.
Count missed UDP echo packets as dropped
When checked, this checkbox causes the firewall to increment the dropped packet count for 
each failed echo request in the situation where UDP echo is active on an interface that 
becomes disconnected.