Digi TransPort WR31 User Manual page 719


Configure security settings
Keeping a route out of service and using recovery with a list of addresses
This syntax expands on the functionality above, and checks connectivity to a range of addresses
using a ping command. You can specify an address list that the recovery mechanism will ping in
turn to see if any respond. This helps ensure that even when one, two, or three destinations cannot
be reached due to an outage on the remote network, the connection will be made available again if
at least one of the addresses in the list responds.
The address lists are created using the following syntax:
#addrs <list-name> <address1,address2,address3,address4>
Address lists can span multiple lines if required, for example:
#addrs <list-name> <address1,address2>
#addrs <list-name> <address3,address4>
The address list is called using the recovery option pingl. An example firewall rule is:
pass out break end on PPP 1 proto ICMP from 10.1.1.1 to 10.1.2.1
inspect-state oos 60 t=10 c=5 d=10 r=pingl listA ,120,10 rd=3 dt=60
This rule allows pings outbound and, on detecting a communication failure, pings the addresses in an
address list named listA. The address list named listA could look like this:
#addrs listA 10.1.2.1,10.1.3.1,10.1.4.1,10.1.5.1
#addrs listA 10.1.6.1,10.2.1.1,10.2.2.1
This causes the recovery mechanism to ping each of the addresses shown in the list above.
Debugging a firewall
When creating and managing firewall scripts, the scripts may need debugging to ensure that
packets are being processed correctly. To assist in this, you can use a rule with the debug action.
If a rule with the debug action is encountered, an entry is made in the FWLOG.TXT pseudo-file each
time the packet in question matches a rule from that point on. This allows you to follow a packet
through a rule set, and can help determine what, if any, changes are required to the rule set. Rules
specifying the debug action are typically placed near the top of the rule set, so all matching rules
from that point on are entered into the log file.
Entries created in the FWLOG.TXT file as the result of a debug rule can be identified by the short
description FW_DEBUG at the top of the log entry.
An example rule set using a debug rule:
debug in on ppp 2 proto tcp from any to any port=http
pass in break end proto tcp from any to any port=http flags s/sa inspect-state
pass out break end proto udp
If placed at the top of the rule set, any packet received on interface PPP 2 to destination port 80
generates a debug entry in the log file for each subsequent rule that it matches. In the example rule
set above, a packet that matched the second rule would also match the first rule, and would
therefore create two log entries. The same packet would not match the third rule, and so no log
entry would be made for this rule.
Because of the extra processor time required to add all of these additional log entries, debug rules
should be removed (or commented out) once the rule set is operating as desired.
Digi TransPort WR Routers User Guide
Firewall
714
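The following is an added example, not Digi's code, that models how the debug rule set above produces FW_DEBUG entries: it parses only the rule fields shown on this page (direction, on <interface>, proto, port=), skips the tokens it does not model (break end, from/to any, flags, inspect-state), and uses constructed sample packets and an assumed http-to-80 service mapping.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "direction iface proto dport")  # iface e.g. "ppp 2"
SERVICES = {"http": 80}  # assumption: the only service name the page's rules use

def parse_rule(line: str) -> dict:
    """Parse the rule syntax subset used on this page into match fields; tokens
    not modelled here (break end, from/to any, flags, inspect-state) are skipped."""
    toks = line.split()
    rule = dict(action=toks[0], direction=None, iface=None, proto=None, dport=None, text=line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t == "on":                       # 'on ppp 2' -> "ppp 2"
            rule["iface"], i = f"{toks[i+1]} {toks[i+2]}".lower(), i + 2
        elif t == "proto":
            rule["proto"], i = toks[i+1].lower(), i + 1
        elif t.startswith("port="):           # 'port=http' or 'port=80'
            v = t[5:]
            rule["dport"] = SERVICES.get(v, int(v) if v.isdigit() else None)
        i += 1
    return rule

def matches(rule: dict, pkt: Packet) -> bool:
    return all(rule[k] in (None, getattr(pkt, k))  # None = field not given = wildcard
               for k in ("direction", "iface", "proto", "dport"))

def fw_debug_entries(rules: list, pkt: Packet) -> list:
    """FW_DEBUG log lines the packet would generate: nothing until a matching
    'debug' rule is reached, then one entry per matching rule from that point on."""
    entries, tracing = [], False
    for n, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        tracing = tracing or rule["action"] == "debug"
        if tracing:
            entries.append(f"FW_DEBUG rule {n}: {rule['text']}")
    return entries

# The page's example rule set (second rule on one line) and constructed sample packets.
RULESET = [parse_rule(l) for l in (
    "debug in on ppp 2 proto tcp from any to any port=http",
    "pass in break end proto tcp from any to any port=http flags s/sa inspect-state",
    "pass out break end proto udp",
)]
HTTP_ON_PPP2 = Packet("in", "ppp 2", "tcp", 80)   # traced by rules 1 and 2 -> two entries
HTTP_ON_PPP1 = Packet("in", "ppp 1", "tcp", 80)   # debug rule never matches -> no entries
UDP_OUT = Packet("out", "ppp 2", "udp", 53)       # matches rule 3 only; tracing never started
```

Running fw_debug_entries over the three packets reproduces the page's point: only traffic that first hits the debug rule is logged, and it is logged once per later matching rule.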
