Firewall configuration
Digi TransPort User Guide 671
Using [inspect-state] with ICMP
The [inspect-state] option can also be used with ICMP packet types. To allow echo requests out and the matching echo replies back in, you need just one rule:
pass out break end on ppp 0 proto icmp icmp-type echo inspect-state
The advantage of using inspect-state, other than needing just one rule, is that it leads to a more secure firewall. For instance, with the inspect-state option, echo replies are not allowed in all the time; they are allowed in only once an echo request has been sent out on that interface. The moment a valid echo reply comes back (or there is a timeout), echo replies are blocked again. Furthermore, the full IP address is checked: the IP source and destination of the reply must exactly match the IP destination and source of the echo request. Compare this with a rule that allows echo replies in without using inspect-state: it would not be possible to check the source address at all, and the destination address would match any IP address on our network.
The inspect-state option can be used with the following ICMP packet types:
ICMP Type    Matching ICMP Type
---------    ------------------
Echo         Echo reply
Timest       Timestrep
Inforeq      Inforep
Maskreq      Maskrep
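
The behaviour described above can be modelled as a small state table. This is an added example, not code from the guide or from Digi: the class and function names, the timeout value and the sample addresses are assumptions, and only the properties the text states are modelled (type pairing, exact swapped addresses, removal after one reply or a timeout).

```python
# Added illustration of the inspect-state behaviour above; not Digi's code.
# Request type -> matching reply type, using the names from the table above.
REPLY_FOR = {
    "echo": "echo reply",
    "timest": "timestrep",
    "inforeq": "inforep",
    "maskreq": "maskrep",
}

STATE_TIMEOUT = 10.0  # seconds; assumed value, the guide does not state one

class IcmpStateTable:
    def __init__(self, timeout=STATE_TIMEOUT):
        self.timeout = timeout
        # (expected reply src, expected reply dst, expected reply type) -> expiry
        self.pending = {}

    def outbound(self, src, dst, icmp_type, now):
        """Record an outbound request passed by the rule; return True if passed."""
        reply = REPLY_FOR.get(icmp_type.lower())
        if reply is None:
            return False  # not a request type that inspect-state can track
        # The reply must come from the request's destination to its source.
        self.pending[(dst, src, reply)] = now + self.timeout
        return True

    def inbound(self, src, dst, icmp_type, now):
        """Return True only for a reply that matches a pending request."""
        key = (src, dst, icmp_type.lower())
        expiry = self.pending.pop(key, None)  # one-shot: entry removed on use
        return expiry is not None and now <= expiry

def demo():
    fw = IcmpStateTable()
    results = []
    # Constructed sample traffic (documentation address ranges).
    results.append(fw.inbound("203.0.113.9", "192.0.2.10", "echo reply", 0.0))   # unsolicited
    fw.outbound("192.0.2.10", "203.0.113.9", "echo", 1.0)
    results.append(fw.inbound("198.51.100.7", "192.0.2.10", "echo reply", 1.1))  # wrong source
    results.append(fw.inbound("203.0.113.9", "192.0.2.10", "echo reply", 1.2))   # matches
    results.append(fw.inbound("203.0.113.9", "192.0.2.10", "echo reply", 1.3))   # replayed
    fw.outbound("192.0.2.10", "203.0.113.9", "echo", 2.0)
    results.append(fw.inbound("203.0.113.9", "192.0.2.10", "echo reply", 20.0))  # after timeout
    return results

if __name__ == "__main__":
    print(demo())
```

Only the third inbound packet is accepted: the unsolicited reply, the reply from a different source, the repeated reply and the late reply are all dropped.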