Digi TransPort WR31 User Manual page 710


Configure security settings
Using [inspect-state] with ICMP
You can also use the [inspect-state] option with ICMP packet types. To allow outgoing echo requests
and their echo replies, create one rule:
pass out break end on ppp 0 proto icmp icmp-type echo inspect-state
The advantage of using inspect-state, other than needing only one rule, is that it leads to a more
secure firewall. For instance, with the inspect-state option, echo replies are not allowed in all
the time; they are allowed in only after an echo request has been sent out on that interface. The
moment a valid echo reply comes back (or there is a timeout), echo replies are blocked again.
Furthermore, the full IP address is checked: the IP source and destination of the reply must exactly
match the IP destination and source of the echo request. By comparison, a rule that allows echo
replies in without inspect-state cannot check the source address at all, and its destination
address would match any IP address on our network.
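The behaviour described above, modelled as an added example (not code from the Digi manual or firmware). The class and function names, the 10-second timeout and the documentation addresses are assumptions; the request/reply pairs are the four this page lists, and ICMP identifier and sequence matching is left out.

```python
from ipaddress import ip_address, ip_network

# Request type -> matching reply type: the four pairs this page lists.
REPLY_FOR = {"echo": "echo reply", "timest": "timestrep",
             "inforeq": "inforep", "maskreq": "maskrep"}


class IcmpStateTable:
    """Toy model of inspect-state for ICMP; not Digi's implementation."""

    def __init__(self, timeout=10.0):  # timeout in seconds, assumed value
        self.timeout = timeout
        self.pending = {}  # (reply_src, reply_dst, reply_type) -> expiry time

    def outbound(self, src, dst, icmp_type, now):
        """Pass an outbound request and open a one-shot slot for its reply."""
        reply_type = REPLY_FOR.get(icmp_type)
        if reply_type is None:
            return False  # not a request type that can be tracked
        # The reply must travel dst -> src: addresses swapped, matched exactly.
        self.pending[(dst, src, reply_type)] = now + self.timeout
        return True

    def inbound(self, src, dst, icmp_type, now):
        """Pass a reply only if it matches a pending request; then close."""
        expiry = self.pending.pop((src, dst, icmp_type), None)
        return expiry is not None and now <= expiry


def stateless_inbound(dst, icmp_type, lan):
    """Stateless comparison: any echo reply to any LAN address, source unchecked."""
    return icmp_type == "echo reply" and ip_address(dst) in ip_network(lan)


def demo():
    """Constructed traffic using documentation addresses (RFC 5737)."""
    fw, lan = IcmpStateTable(), "192.0.2.0/24"
    host, peer, other = "192.0.2.10", "198.51.100.7", "203.0.113.9"
    return {
        "unsolicited": fw.inbound(peer, host, "echo reply", now=0.0),
        "request_out": fw.outbound(host, peer, "echo", now=1.0),
        "wrong_source": fw.inbound(other, host, "echo reply", now=1.1),
        "valid_reply": fw.inbound(peer, host, "echo reply", now=1.2),
        "replayed": fw.inbound(peer, host, "echo reply", now=1.3),
        "stateless_wrong_source": stateless_inbound(host, "echo reply", lan),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:24} {'pass' if passed else 'block'}")
```

Only the reply that mirrors the pending request passes, and only once; the stateless check passes an echo reply from any source to any address on the LAN.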
You can use the inspect-state option with the following ICMP packet types:

ICMP type    Matching ICMP type
Echo         Echo reply
Timest       Timestrep
Inforeq      Inforep
Maskreq      Maskrep

Digi TransPort WR Routers User Guide
Firewall
