Firewall configuration
Digi TransPort User Guide 681
Debugging a firewall
When creating and managing firewall scripts, the scripts may need debugging to ensure that
packets are being processed correctly. To assist in this, a rule with the debug action can be used.
If a rule with the debug action is encountered, an entry is made in the FWLOG.TXT pseudo-file
each time the packet in question matches a rule from that point on. This gives the administrator
the ability to follow a packet through a rule set, and can help determine what, if any, changes are
required to the rule set. Rules that specify the debug action are typically placed near the top of
the rule set, so all matching rules from that point on are entered into the log file.
Entries created in the FWLOG.TXT file as the result of a debug rule can be identified by the short
description FW_DEBUG at the top of the log entry.
An example rule set using a debug rule:
debug in on ppp 2 proto tcp from any to any port=http
pass in break end proto tcp from any to any port=http flags s/sa inspect state
pass out break end proto udp
If placed at the top of the rule set, any packet received on interface PPP 2 to destination port 80
generates a debug entry in the log file for each subsequent rule that it matches. In the example
rule set above, a packet that matched the second rule would also match the first rule, and would
therefore create two log entries. The same packet would not match the third rule, and so no log
entry would be made for this rule.
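To make the logging behaviour described above concrete, the following Python model (added here as an illustration, not Digi's own code) parses the three example rules and reports which rules would each write an FW_DEBUG entry for a given packet. It assumes rules are evaluated top to bottom and that "break end" ends evaluation; address matching and "inspect state" are deliberately left unmodelled.

```python
# Simplified model of the "debug" action: rules are tried top to bottom, "break end"
# stops evaluation, and once a debug rule matches a packet every later match (and the
# debug rule itself) adds one FW_DEBUG entry. Assumption: addresses and state are ignored.
PORT_NAMES = {"http": 80}
FLAG_BITS = {"s": "syn", "a": "ack", "f": "fin", "r": "rst", "p": "psh", "u": "urg"}

def parse_rule(text):
    # One rule line -> dict of match criteria plus action and stop flag
    w = text.split()
    rule, i = {"action": w[0], "dir": w[1], "stop": False}, 2
    while i < len(w):
        if w[i] == "on":                       # interface name and instance, e.g. "ppp 2"
            rule["iface"] = f"{w[i+1]} {w[i+2]}"; i += 3
        elif w[i] == "proto":
            rule["proto"] = w[i+1]; i += 2
        elif w[i].startswith("port="):         # destination port, by name or number
            v = w[i][5:]; rule["dport"] = PORT_NAMES.get(v) or int(v); i += 1
        elif w[i] == "flags":                  # "s/sa": SYN must be set, ACK clear
            s, m = w[i+1].split("/")
            rule["flags"] = ({FLAG_BITS[c] for c in s}, {FLAG_BITS[c] for c in m}); i += 2
        elif w[i] == "break":
            rule["stop"] = w[i+1] == "end"; i += 2
        else:
            i += 1                             # from/to any, inspect state: skipped
    return rule

def matches(rule, pkt):
    if rule["dir"] != pkt["dir"]: return False
    for key in ("iface", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key): return False
    if "flags" in rule:
        want, mask = rule["flags"]
        return (pkt.get("flags", set()) & mask) == want
    return True

def debug_entries(rules, pkt):
    # 1-based numbers of the rules that would each log an FW_DEBUG entry for pkt
    debugging, logged = False, []
    for n, rule in enumerate(rules, 1):
        if not matches(rule, pkt): continue
        if rule["action"] == "debug": debugging = True
        if debugging: logged.append(n)
        if rule["stop"]: break
    return logged

RULES = [parse_rule(t) for t in (
    "debug in on ppp 2 proto tcp from any to any port=http",
    "pass in break end proto tcp from any to any port=http flags s/sa inspect state",
    "pass out break end proto udp",
)]
# Constructed packets: an inbound HTTP SYN arriving on PPP 2, and an outbound UDP datagram
HTTP_SYN = {"dir": "in", "iface": "ppp 2", "proto": "tcp", "dport": 80, "flags": {"syn"}}
UDP_OUT = {"dir": "out", "iface": "ppp 2", "proto": "udp", "dport": 53}
```

Calling debug_entries(RULES, HTTP_SYN) returns [1, 2], the two log entries the text describes, while debug_entries(RULES, UDP_OUT) returns [] because the UDP packet only matches the third rule and was never flagged for debugging.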
Because of the extra processor time required to add all of these additional log entries, debug
rules should be removed (or commented out) once the rule set is operating as desired.