Firewall configuration
Digi TransPort User Guide 678
Further [inspect-state] examples
• Here is a basic inspect-state rule with no OOS options:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state
This rule allows TCP packets from 10.1.1.1 to 10.1.2.1 port 23 (telnet) with the SYN flag set (and ACK clear, as flags S!A requires) to pass out on PPP 2. Because the inspect-state option is used, a stateful rule is also set up which allows the other packets for that TCP socket to pass.
• Next, we modify the rule to mark an interface OOS if the stateful rule identifies a failed connection:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60
The addition of oos 60 means that if the stateful rule sees a failure, interface PPP 2 is set OOS for 60 seconds. If no interface is specified after the oos keyword, the interface set OOS is the one the packet is currently passing on. A different interface can be set OOS by naming it after the oos keyword, for example oos ppp 1 60 to put PPP 1 out of service for 60 seconds.
• The default time the stateful rule allows for a connection to open can be overridden with the {t=secs} option. For example, to reduce the default TCP opening time of 60 seconds to 10 seconds:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10
A socket now has only 10 seconds to become established (that is, to complete the SYN exchange) before the stateful rule expires and the connection is tagged as a failure.
• It is possible to configure the firewall so that the interface is only set OOS after a number of consecutive failures occur. To do this, use the {c=count} option. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5
PPP 2 is now only set OOS after 5 consecutive failures.
• It is possible to deactivate the interface after a number of consecutive failures using the {d=count} option. This is useful for WWAN interfaces, which may get into a state where the PPP connection appears to be operational but in fact no packets are passing. In this case, deactivating and reactivating the interface will sometimes fix the problem. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10
Now, PPP 2 is deactivated after 10 consecutive failures.
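The following is an added example, not Digi firmware or code from this guide: a small Python model that parses the inspect-state options shown above (oos, t=, c=, d=) and replays the failure counting the text describes, so the effect of each option on a rule can be checked before it is deployed on a router. Everything not stated on the page is an assumption and is marked as such in the code: the consecutive-failure counter is kept per interface, a successfully established socket resets it, marking an interface OOS does not reset it, and with only oos <secs> given a single failure is enough (as the second bullet implies). The timeline of socket outcomes is constructed for the demonstration.

```python
"""Constructed model of the inspect-state OOS options on this page.
Added example, not Digi TransPort firmware; handles only the option
subset shown here: inspect-state [oos [<iface> <n>] <secs>] [t=..] [c=..] [d=..]."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class InspectState:
    oos_secs: Optional[int] = None   # None: failures never mark an interface OOS
    oos_iface: Optional[str] = None  # None: OOS the interface the packet is passing on
    t: int = 60                      # page: default TCP opening time is 60 s
    c: int = 1                       # page: with "oos 60" alone, one failure suffices
    d: Optional[int] = None          # None: never deactivate the interface


def parse_inspect_state(rule: str) -> InspectState:
    """Read the options that follow 'inspect-state' in a firewall rule line."""
    m = re.search(r"\binspect-state\b(.*)$", rule.strip())
    if not m:
        raise ValueError("rule has no inspect-state option")
    tokens = m.group(1).split()
    st = InspectState()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "oos":
            # "oos <secs>" or "oos <iface> <n> <secs>" (e.g. "oos ppp 1 60")
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                st.oos_secs = int(tokens[i + 1])
                i += 2
            elif i + 3 < len(tokens):
                st.oos_iface = f"{tokens[i + 1].upper()} {tokens[i + 2]}"
                st.oos_secs = int(tokens[i + 3])
                i += 4
            else:
                raise ValueError("oos needs a time in seconds")
        elif re.fullmatch(r"[tcd]=\d+", tok):
            setattr(st, tok[0], int(tok[2:]))   # t=, c= or d=
            i += 1
        else:
            raise ValueError(f"unrecognised inspect-state option: {tok}")
    return st


@dataclass
class Interface:
    name: str
    active: bool = True
    oos_until: float = 0.0  # simulated clock time at which the OOS marking lapses
    failures: int = 0       # assumption: consecutive failures are counted per interface


def record_socket(ifaces: Dict[str, Interface], st: InspectState, packet_iface: str,
                  opened_after: Optional[float], now: float) -> List[str]:
    """Feed one tracked socket's outcome to the rule; return the actions taken.

    opened_after: seconds from the outgoing SYN until the socket was established,
    or None if it never was. Assumption: a success resets the failure counter and
    marking OOS does not reset it (the page does not say either way)."""
    src = ifaces[packet_iface]
    if opened_after is not None and opened_after <= st.t:
        src.failures = 0
        return ["established"]
    src.failures += 1            # the stateful rule expired: tagged as a failure
    actions = ["failure"]
    if st.oos_secs is not None and src.failures >= st.c:
        target = ifaces[st.oos_iface or packet_iface]
        target.oos_until = now + st.oos_secs
        actions.append(f"oos {target.name} until t={target.oos_until:g}")
    if st.d is not None and src.failures >= st.d:
        src.active = False       # deactivate the interface the rule passes on
        actions.append(f"deactivate {src.name}")
    return actions


def demo() -> Dict[str, object]:
    """Replay the last rule on the page (oos 60 t=10 c=5 d=10) over a constructed timeline."""
    rule = ("pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 "
            "port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10")
    st = parse_inspect_state(rule)
    ifaces = {"PPP 2": Interface("PPP 2"), "PPP 1": Interface("PPP 1")}
    # constructed: one quick open, one slow open (12 s > t=10), then nine sockets
    # that never open, one new socket per simulated second
    outcomes: List[Optional[float]] = [0.5, 12.0] + [None] * 9
    log = [record_socket(ifaces, st, "PPP 2", opened, now=float(k))
           for k, opened in enumerate(outcomes)]
    return {"options": st, "ifaces": ifaces, "log": log}


if __name__ == "__main__":
    for k, actions in enumerate(demo()["log"]):
        print(f"t={k:>2}: {', '.join(actions)}")
```

Running the demo shows the interaction of the options: the slow open counts as a failure because it exceeds t=10, PPP 2 is first marked OOS on the fifth consecutive failure (c=5), the OOS timer is refreshed by each further failure, and the tenth consecutive failure (d=10) deactivates the interface.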