Digi TransPort WR31 User Manual page 718


Configure security settings
Keeping a route out of service and using recovery
You may want to keep the interface OOS until you are sure that a future connection will work. To do
this, specify one or more recovery options. These options get the router to test connectivity
between the router and the destination IP address of the packet that established the stateful rule.
The recovery can be in the form of a ping or a TCP socket connection. You must also specify an
interval between recovery checks. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120
Now the interface is set to OOS for 60 seconds after 5 consecutive failures. After the 60 seconds
elapses, the recovery procedure initiates. In this example, the recovery consists of TCP connection
attempts executed at 2-minute intervals. The interface remains OOS until the recovery procedure
completes successfully. The destination IP address in this case is 10.1.2.1.
To override the default socket connection time, specify an additional recovery option. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120,10
Now, 10 seconds is allowed for each recovery attempt. If the socket connects within that time, the
recovery is successful; otherwise the recovery is unsuccessful.
The {rd=x} option disconnects the interface after a recovery attempt completes. Use this option to
deactivate the interface after a recovery failure, after a recovery success, or after either. x is a
bitmask indicating when the interface is deactivated: bit 0 deactivates the interface after a recovery
failure, and bit 1 deactivates it after a recovery success, so:
rd=1 means deactivate after a recovery failure.
rd=2 means deactivate after a recovery success.
rd=3 means deactivate after either a recovery success or a recovery failure.
Extending our firewall rule to include this option, the resulting rule is:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120,10 rd=3
Now the interface is deactivated after a recovery success or failure.
If the rule does not use the {rd=x} option, the interface remains up until its inactivity timer expires,
or it is deactivated by some other means.
Use the {dt=secs} option to indicate that the interface is to remain OOS while it is disconnected, and
that it should be reactivated a set number of seconds after it last disconnected. Recovery procedures
start once the interface connects.
Extending our firewall rule to include this option gives:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120,10 rd=3 dt=60
Now, the interface reconnects 60 seconds after it disconnects and recovery procedures start after
the interface connects. Normally, use this option with the {rd=x} option so that recovery has control
over when the interface connects and disconnects.
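As an added illustration that is not part of the Digi manual or firmware, the following Python code parses the inspect-state OOS and recovery options used in the rules above, encodes the rd bitmask, and walks a recovery timeline for constructed attempt outcomes. It assumes the first recovery attempt runs when the OOS period ends and later attempts follow at the r interval; the t= and d= options are not defined on this page and are stored unchanged.

```python
import re

# Constructed sample: the final rule from the text, joined onto one line.
RULE = ("pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 "
        "port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120,10 rd=3 dt=60")


def parse_oos_options(rule):
    """Return the inspect-state OOS/recovery options of a rule as a dict.
    oos: seconds OOS; c: consecutive failures before OOS; r: (mode, interval,
    timeout-or-None); rd: deactivation bitmask; dt: seconds until reconnect.
    t= and d= are stored as integers; this page does not define them."""
    m = re.search(r"inspect-state\s+oos\s+(\d+)(.*)$", rule)
    if m is None:
        raise ValueError("rule has no 'inspect-state oos' clause")
    opts = {"oos": int(m.group(1))}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group(2)):
        if key == "r":
            parts = val.split(",")
            timeout = int(parts[2]) if len(parts) > 2 else None  # None = default socket time
            opts["r"] = (parts[0], int(parts[1]), timeout)
        else:
            opts[key] = int(val)
    return opts


def deactivate_after_recovery(rd, success):
    """rd bitmask: bit 0 = deactivate after a failed recovery, bit 1 = after success."""
    return bool(rd & (2 if success else 1))


def recovery_timeline(opts, outcomes):
    """Walk the recovery procedure for constructed attempt outcomes
    (True = socket connected within the allowed time).
    Assumed schedule: first attempt when the OOS period ends, then one
    attempt every r-interval seconds, until the first success.
    Returns (seconds until back in service or None, list of (time, event))."""
    mode, interval, timeout = opts["r"]
    rd, dt = opts.get("rd", 0), opts.get("dt")
    events = [(0, f"{opts['c']} consecutive failures: OOS for {opts['oos']}s")]
    t = opts["oos"]
    for ok in outcomes:
        events.append((t, f"{mode} recovery ({timeout}s allowed): "
                          f"{'success' if ok else 'failure'}"))
        if deactivate_after_recovery(rd, ok):
            events.append((t, f"rd={rd}: interface deactivated"
                              + (f", reconnects at {t + dt}s" if dt else "")))
        if ok:
            return t, events + [(t, "back in service")]
        t += interval
    return None, events
```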
Digi TransPort WR Routers User Guide
Firewall
713
