Digi TransPort WR31 User Manual page 709

Configure security settings
The scope for a security breach is now greatly reduced: even if an attacker could time the attack perfectly, they would still have to forge a response packet that carries the correct source address and source port (the port was chosen at random by the sender of the HTTP request) and that is addressed to the specific IP address that opened the connection.
Another advantage of inspect-state rules is that they scale: many machines can use the same rule simultaneously. In the example above, many machines on the local network could all browse the Internet, and the inspection engine would dynamically create a precise inbound filter for each session as it is needed and remove it when that session is finished.
You can use the inspect-state option with TCP, with UDP, and with some ICMP packets. The ICMP types that inspect-state supports are echo, timest, inforeq, and maskreq.
Using [inspect-state] with Flags
As can be seen above, you can use the inspect-state option together with flags. To illustrate this, the following builds on an earlier example of filtering using flags; that script can be simplified by using the inspect-state option. The original script was:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags a!
Using the inspect-state option, these two rules can be replaced with a single filter rule:
pass out break end from 10.1.2.33 port>1023 to any port=telnet flags s!a inspect-state
No rule is needed for the return packets, because the engine creates a temporary filter that allows inbound packets through only if they belong to a session set up by this stateful inspection rule.
A further point to note about the new rule is that the flags s!a specification ensures that it matches only the first packet of a connection. The first packet of a TCP connection has the SYN flag set and the ACK flag clear, so the rule matches that combination only; every later packet of the connection has ACK set and does not match the rule itself. The stateful inspection engine handles matching the rest of the packets for this connection.
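As an added illustration (not code from the Digi manual or the router firmware), the following Python models the difference between the stateless two-rule script and the single inspect-state rule by pushing the same constructed packets through both. The rule parser, the default-deny policy for unmatched packets, the reading of the flags syntax (letters before ! must be set, letters after ! must be clear, so a! means ACK set), and the addresses 192.0.2.10 and 198.51.100.7 are all assumptions of the example, not behaviour documented on this page.

```python
"""Toy stateful-inspection engine for the filter scripts quoted above.

Added illustration, not Digi's firewall code. It parses only the rule syntax
seen on this page and assumes: packets matching no rule are blocked (assumed
default deny); in 'flags s!a' the letters before '!' must be set and those
after it clear, so 'a!' means ACK set (assumed reading); a matching
inspect-state rule records both directions of the session 5-tuple so later
packets of that session pass without a rule lookup. Only SYN/ACK are modelled.
"""
import re
from dataclasses import dataclass

SERVICES = {"telnet": 23, "http": 80}  # service names used in the rules
RULE_RE = re.compile(
    r"pass (?P<dir>in|out) break end"
    r" from (?P<src>\S+)(?: port(?P<sop>[>=])(?P<sport>\S+))?"
    r" to (?P<dst>\S+)(?: port(?P<dop>[>=])(?P<dport>\S+))?"
    r"(?: flags (?P<flags>\S+))?(?P<state> inspect-state)?$"
)

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" towards the WAN, "in" from the WAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def _port_ok(op, spec, port):
    """Evaluate a 'port>N' or 'port=name' clause; no clause matches any port."""
    if op is None:
        return True
    want = SERVICES.get(spec) or int(spec)
    return port > want if op == ">" else port == want

class Rule:
    def __init__(self, text):
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {text}")
        self.g = m.groupdict()
        self.set_flags, _, self.clear_flags = (self.g["flags"] or "").partition("!")
        if set(self.set_flags + self.clear_flags) - {"s", "a"}:
            raise ValueError("only SYN (s) and ACK (a) flags are modelled")
        self.stateful = self.g["state"] is not None

    def matches(self, p):
        g, have = self.g, {"s": p.syn, "a": p.ack}
        return (p.direction == g["dir"]
                and g["src"] in ("any", p.src) and g["dst"] in ("any", p.dst)
                and _port_ok(g["sop"], g["sport"], p.sport)
                and _port_ok(g["dop"], g["dport"], p.dport)
                and all(have[f] for f in self.set_flags)
                and not any(have[f] for f in self.clear_flags))

class Firewall:
    def __init__(self, rule_texts):
        self.rules = [Rule(t) for t in rule_texts]
        self.sessions = set()  # temporary 5-tuple filters opened by inspect-state

    @staticmethod
    def _key(p):
        return (p.direction, p.src, p.sport, p.dst, p.dport)

    def filter(self, p):
        if self._key(p) in self.sessions:
            return "pass:session"  # part of a session an inspect-state rule opened
        for r in self.rules:
            if r.matches(p):
                if r.stateful:  # open only the exact reverse flow of this packet
                    self.sessions.add(self._key(p))
                    rev = "in" if p.direction == "out" else "out"
                    self.sessions.add((rev, p.dst, p.dport, p.src, p.sport))
                return "pass:rule"
        return "block"  # assumed default-deny

STATELESS = ["pass out break end from 10.1.2.33 port>1023 to any port=telnet",
             "pass in break end from any port=telnet to 10.1.2.33 port>1023 flags a!"]
STATEFUL = ["pass out break end from 10.1.2.33 port>1023 to any port=telnet"
            " flags s!a inspect-state"]

def demo():
    """Send constructed traffic through both scripts; returns verdicts per packet."""
    host, server, attacker = "10.1.2.33", "192.0.2.10", "198.51.100.7"  # constructed
    traffic = [
        Packet("out", host, 40000, server, 23, syn=True),             # client SYN
        Packet("in", server, 23, host, 40000, syn=True, ack=True),    # genuine SYN-ACK
        Packet("out", host, 40000, server, 23, ack=True),             # client ACK
        Packet("in", server, 23, host, 40001, syn=True, ack=True),    # forged: wrong port
        Packet("in", attacker, 23, host, 40000, syn=True, ack=True),  # forged: wrong source
        Packet("out", host, 40002, server, 23, syn=True, ack=True),   # not a first packet
    ]
    results = {}
    for name, rules in (("stateless", STATELESS), ("inspect-state", STATEFUL)):
        fw = Firewall(rules)  # fresh session table per script
        results[name] = [fw.filter(p) for p in traffic]
    return results
```

Calling demo() shows the stateless script passing all six packets, including the two forged "replies" (wrong destination port, wrong source address) and an outbound packet that is not a connection opener, because its inbound rule only checks that ACK is set. The inspect-state rule passes the matching SYN and the two packets of the session that SYN created, and blocks the other three, which is the behaviour the text above describes.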
Digi TransPort WR Routers User Guide
Firewall
704
