Digi TransPort WR31 User Manual page 717
Hide thumbs
Also See for TransPort WR31:
- Technical support (26 pages) ,
- User manual (9 pages) ,
- Quick start manual (2 pages)
Table of Contents
Advertisement
Configure security settings
Further [inspect-state] examples
Here is a basic inspect-state rule with no OOS options:
▪
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1
port=telnet flags S!A inspect-state
This rule allows TCP packets from 10.1.1.1 to 10.1.2.1 port 23 with the SYN flag set to pass out
on PPP 2. Because the rule uses the inspect-state option, a stateful rule is set up allowing other
packets for that TCP socket to also pass.
Next, modify the rule to mark an interface OOS, if a stateful rule identifies a failed connection:
▪
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1
port=telnet flags S!A inspect-state oos 60
The addition of oos 60 means if the stateful rule sees a failure, interface PPP 2 sets OOS for 60
seconds. If no interface is specified after the oos keyword, the interface set to OOS is the one the
packet is currently passing on. You can set a different interface to OOS by specifying the
interface after the oos keyword, such as oos ppp 1 60 to put PPP 1 out of service for 60 seconds.
To override the default time allowed by the stateful rule for a connection to open, use the
▪
{t=secs} option. For example, to override the default TCP opening time of 60 seconds to 10
seconds:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1
port=telnet flags S!A inspect-state oos 60 t=10
A socket now has 10 seconds to become established (such as exchange SYNs) before the stateful
rule expires and is tagged as a failure.
You can configure the firewall so the interface is only set to OOS after a number of consecutive
▪
failures occur. To do this, use the {c=count} option. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1
port=telnet flags S!A inspect-state oos 60 t=10 c=5
PPP 2 will now only be set OOS after 5 consecutive failures.
You can deactivate the interface after a number of consecutive failures. This is useful for WWAN
▪
interfaces, which may get into a state where the PPP connection appears to be operational, but
in fact no packets are passing. In this case, deactivating and reactivating the interface
sometimes fixes the problem. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1
port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10
Now, PPP 2 will be deactivated after 10 consecutive failures.
Digi TransPort WR Routers User Guide
Firewall
712
- Quick Links:
- Transport Wr31
- Log in to the Device
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
