Firewall configuration
Digi TransPort User Guide 673
UDP example
pass in
pass out
pass out on ppp 1 proto udp from any to 156.15.0.0/16 port=1234 inspect-state oos ppp 1 300 t=10 c=2 d=2
The first two rules simply configure the router to allow any type of packets to be transmitted or
received (the default action of the firewall is to block all traffic).
The third rule is more complex:
• It configures the stateful inspection engine to watch for UDP packets (with any source address)
being routed via the PPP 1 interface to any address that begins with 156.15 on port 1234.
• If a hit occurs on this rule, but the router does not detect a reply within 10 seconds (as
specified by the t= parameter), it increments an internal counter.
• When this counter reaches the value set by the c= parameter, the stateful inspection engine
marks the PPP 1 interface (and therefore any routes using it), as being out of service for 300
seconds.
• Similarly, if this counter matches the d= parameter, the stateful inspection engine deactivates
PPP 1.
• The stateful inspection engine marks any routes that use PPP 1 as out of service AND
deactivates PPP 1 if no reply is detected within 10 seconds for two packets in a row.
• Routes will come back into service when the specified timeout expires, or earlier if there are no
other routes with a higher metric in service.
• PPP interfaces will be re-activated when the routes using them are back in service, there is a
packet to route, and the AODI mode parameter is set to On.
TCP example
pass out log break end on ppp 3 proto tcp from any to 192.168.0.1 flags S!A inspect-state oos 30 t=10 c=2 d=2
pass in
pass out
• This rule specifically traces attempts to open a TCP connection on PPP 3 to the 192.168.0.1 IP
address. If no reply is seen within 10 seconds twice in a row, the PPP 3 interface is flagged as
out of service (i.e. its metric is set to 16) for 30 seconds.
• The optional d=2 entry will also cause the PPP link to be deactivated. Deactivating the link can
be useful in scenarios where renegotiating the PPP connection is likely to resolve the problem.
• Again, if a matching route with a higher metric has been defined it will be used while PPP 3
routes are out of service, thus providing a powerful route backup mechanism.
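The two examples above share one mechanism: each packet matching the rule starts a reply timer of t seconds; every miss bumps a counter; reaching c marks the interface's routes out of service for the oos timeout, and reaching d deactivates the interface. The following Python model is an added illustration written for this guide page, not Digi firmware code. It parses the oos clause out of the rule lines shown above and replays a constructed sequence of packet outcomes through the counter logic. Two details are assumptions because the text does not state them: a timely reply resets the consecutive-miss counter (inferred from "two packets in a row"), and packets offered while the interface is deactivated are simply routed elsewhere and not counted.

```python
"""Model of the TransPort firewall inspect-state 'oos' counter behaviour.

Added example; it is not Digi's implementation. Assumptions are marked below.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Matches both documented forms:
#   inspect-state oos ppp 1 300 t=10 c=2 d=2   (interface given after 'oos')
#   inspect-state oos 30 t=10 c=2 d=2          (interface taken from 'on ppp 3')
OOS_RE = re.compile(
    r"inspect-state\s+oos\s+(?:(?P<iface>[a-z]+\s+\d+)\s+)?(?P<timeout>\d+)"
    r"\s+t=(?P<t>\d+)\s+c=(?P<c>\d+)\s+d=(?P<d>\d+)"
)
ON_RE = re.compile(r"\bon\s+([a-z]+\s+\d+)")


@dataclass
class OosParams:
    iface: str      # interface whose routes are marked out of service, e.g. "ppp 1"
    oos_secs: int   # how long the routes stay out of service
    t: int          # seconds to wait for a reply before counting a miss
    c: int          # consecutive misses that mark routes out of service
    d: int          # consecutive misses that deactivate the interface


def parse_oos(rule: str) -> OosParams:
    """Extract the inspect-state oos parameters from one firewall rule line."""
    m = OOS_RE.search(rule)
    if not m:
        raise ValueError("rule has no inspect-state oos clause")
    iface = m.group("iface")
    if iface is None:
        on = ON_RE.search(rule)
        if not on:
            raise ValueError("no interface given after 'oos' or via 'on'")
        iface = on.group(1)
    return OosParams(" ".join(iface.split()), int(m.group("timeout")),
                     int(m.group("t")), int(m.group("c")), int(m.group("d")))


@dataclass
class IfaceState:
    active: bool = True
    oos_until: Optional[float] = None          # time the oos marking expires
    misses: int = 0                            # consecutive missed replies
    events: List[Tuple[float, str]] = field(default_factory=list)


def simulate(p: OosParams, probes: List[Tuple[float, Optional[float]]],
             aodi_on: bool = True) -> IfaceState:
    """Replay matching packets through the oos logic.

    probes: (send_time, reply_delay) pairs; reply_delay None means no reply ever.
    """
    st = IfaceState()
    for sent, delay in probes:
        # Routes return to service once the oos timeout has expired (assumption:
        # expiry is checked when the next packet arrives, not on a separate timer).
        if st.oos_until is not None and sent >= st.oos_until:
            st.oos_until = None
            st.events.append((sent, f"{p.iface} routes back in service"))
        # Re-activation needs routes in service, a packet to route and AODI on.
        if not st.active and st.oos_until is None and aodi_on:
            st.active = True
            st.events.append((sent, f"{p.iface} re-activated"))
        if not st.active:
            # Assumption: a deactivated link carries nothing; a backup route with a
            # higher metric would take the packet, so it is not counted here.
            st.events.append((sent, "packet offered while deactivated; backup route used"))
            continue
        if delay is not None and delay <= p.t:
            st.misses = 0   # assumption: a reply inside t seconds resets the counter
            continue
        st.misses += 1
        seen = sent + p.t   # the miss is only known once the t-second timer runs out
        st.events.append((seen, f"no reply within {p.t}s (miss {st.misses})"))
        if st.misses == p.c:
            st.oos_until = seen + p.oos_secs
            st.events.append((seen, f"{p.iface} routes out of service for {p.oos_secs}s"))
        if st.misses == p.d:
            st.active = False
            st.events.append((seen, f"{p.iface} deactivated"))
    return st


if __name__ == "__main__":
    udp_rule = ("pass out on ppp 1 proto udp from any to 156.15.0.0/16 port=1234 "
                "inspect-state oos ppp 1 300 t=10 c=2 d=2")
    params = parse_oos(udp_rule)
    # Constructed timeline: one good reply, two misses, a packet during the
    # outage, then a good reply after the 300 s oos window has passed.
    timeline = [(0, 0.2), (60, None), (120, None), (200, 0.1), (500, 0.1)]
    for when, what in simulate(params, timeline).events:
        print(f"t={when:>6.1f}s  {what}")
```

Run it to watch the second miss at t=130 s both mark the PPP 1 routes out of service (until 430 s) and deactivate the link, and the packet at 500 s bring the routes back and re-activate the interface. Changing c and d independently (for instance c=1, d=3) shows the out-of-service marking happening before deactivation.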
Using [inspect-state] with the stat option
The inspect-state option can be combined with the stat option, which makes the rule record statistics
for the traffic it matches. Transaction times, counts and errors are then recorded under the PPP
statistics.