Digi TransPort WR11 User Manual page 779

Configuring security
[inspect-state]
The [inspect-state] firewall script field creates rules for stateful inspection. This is a powerful option
in which the firewall script includes rules that allow the router to keep track of a TCP/UDP or ICMP
session and therefore to only pass packets that match the state of a connection.
You can also use the [inspect-state] field to specify an optional OOS (Out Of Service) parameter. The
router uses this parameter to mark any route as being out-of-service for a given period of time in the
event that the stateful inspect engine has detected an error.
[inspect] field syntax
The [inspect] field has the following syntax:
inspect = ["inspect-state" {"oos" {interface-name|logical-name} secs {t=secs} {c=count} {d=count}} {r="ping"|"tcp" {,secs{secs}}} {rd=x} {dt=secs} {stat}]
You can use the [inspect] field on its own, or with an optional oos (Out Of Service) parameter.
Using stateful inspection in firewall rules
The Digi routing code stack contains a sophisticated scripted stateful firewall and route inspection
engine. Stateful inspection is a powerful tool allowing the router to keep track of a TCP/UDP or ICMP
session and match packets based on the state of the connection on which they are being carried. In
addition to providing sophisticated firewall functionality, the SF/RI engine also provides a number of
facilities for tracking the health of routes, marking dead routes as being Out Of Service (OOS) and
creating rules for the automatic status checking of routes previously marked as OOS (for use in
multilevel backup/restore scenarios).
You can use the firewall to put interfaces into an OOS state, and control how the interfaces return to
service. When an interface goes OOS, all routes configured to use that interface will have their route
metric set to 16 (the maximum value), meaning that some other route with a lower metric will be
selected.
When a firewall stateful inspection rule expires, the router decides whether the traffic allowed to
pass by that rule completed successfully or not. For example, if the stateful rule monitors SYN and
FIN packets in both directions for a TCP socket, then that rule expires successfully. However, if SYNs
are seen to pass in one direction but no SYNs pass in the other direction, the stateful rule expires and
the router tags this as a failure.
Conditions that tag a stateful rule as a failure
The following conditions tag a stateful rule as a failure:
- Packets have only passed in one direction.
- Ten packets have passed in one direction with no return packets. For TCP, these packets must
  also be retransmit packets.
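The expiry decision and the Out Of Service behaviour described above, as an added example written for this page (a simplified model in Python, not Digi firmware code): a StatefulRule applies the two failure conditions just listed, and a RouteTable sets the metric of every route on an OOS interface to 16 until the OOS period ends, so the next-lowest metric route is selected. The class and function names, the two constructed routes and the 60-second OOS period are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_METRIC = 16      # page: routes on an OOS interface get metric 16, the maximum
ONE_WAY_LIMIT = 10   # page: ten one-way packets with no reply tag the rule as failed


@dataclass
class Packet:
    """One packet matched by a stateful rule (constructed sample data)."""
    direction: str            # "out" or "in", relative to the rule
    retransmit: bool = False  # TCP only: True for a retransmitted segment


class StatefulRule:
    """Tracks one TCP/UDP/ICMP session for a rule and decides its outcome."""

    def __init__(self, proto: str):
        self.proto = proto
        self.seen = {"out": 0, "in": 0}
        self.one_way = 0               # packets (TCP: retransmits) with no reply yet
        self.verdict: Optional[str] = None

    def observe(self, pkt: Packet) -> Optional[str]:
        """Count a packet; returns "failure" as soon as condition 2 is met."""
        if self.verdict:
            return self.verdict
        self.seen[pkt.direction] += 1
        other = "in" if pkt.direction == "out" else "out"
        if self.seen[other] == 0:
            # Condition 2: nothing has come back yet. For TCP only
            # retransmitted segments count toward the limit.
            if self.proto != "tcp" or pkt.retransmit:
                self.one_way += 1
            if self.one_way >= ONE_WAY_LIMIT:
                self.verdict = "failure"
        return self.verdict

    def expire(self) -> str:
        """Called when the rule's timer runs out: condition 1 (one direction only)."""
        if self.verdict is None:
            both = self.seen["out"] > 0 and self.seen["in"] > 0
            self.verdict = "success" if both else "failure"
        return self.verdict


@dataclass
class Route:
    dest: str
    interface: str
    metric: int


class RouteTable:
    """Routes plus per-interface OOS state (interface -> (until, saved metrics))."""

    def __init__(self, routes: List[Route]):
        self.routes = routes
        self.oos: Dict[str, Tuple[float, List[Tuple[Route, int]]]] = {}

    def mark_oos(self, interface: str, now: float, secs: float) -> None:
        """Set every route on the interface to metric 16 for `secs` seconds."""
        saved = [(r, r.metric) for r in self.routes if r.interface == interface]
        for r, _ in saved:
            r.metric = MAX_METRIC
        self.oos[interface] = (now + secs, saved)

    def tick(self, now: float) -> None:
        """Restore the original metrics of interfaces whose OOS period has ended."""
        for iface, (until, saved) in list(self.oos.items()):
            if now >= until:
                for r, old in saved:
                    r.metric = old
                del self.oos[iface]

    def best_route(self, dest: str) -> Optional[Route]:
        cands = [r for r in self.routes if r.dest == dest]
        return min(cands, key=lambda r: r.metric, default=None)


def demo() -> dict:
    """Run constructed flows through the model and return the verdicts."""
    good = StatefulRule("tcp")                     # traffic in both directions
    for p in [Packet("out"), Packet("in"), Packet("out"), Packet("in")]:
        good.observe(p)
    dead = StatefulRule("tcp")                     # SYN retransmitted ten times
    early = None
    for _ in range(ONE_WAY_LIMIT):
        early = dead.observe(Packet("out", retransmit=True))
    fresh = StatefulRule("tcp")                    # ten non-retransmit TCP packets
    for _ in range(ONE_WAY_LIMIT):
        fresh.observe(Packet("out"))
    udp = StatefulRule("udp")                      # ten one-way UDP packets
    for _ in range(ONE_WAY_LIMIT):
        udp.observe(Packet("out"))

    table = RouteTable([Route("0.0.0.0/0", "ppp 0", 1), Route("0.0.0.0/0", "ppp 1", 5)])
    if dead.expire() == "failure":
        table.mark_oos("ppp 0", now=0, secs=60)   # assumed oos period of 60 s
    during = table.best_route("0.0.0.0/0").interface
    table.tick(now=60)
    after = table.best_route("0.0.0.0/0").interface
    return {"good": good.expire(), "early": early, "fresh_early": fresh.verdict,
            "fresh": fresh.expire(), "udp": udp.verdict, "during": during, "after": after}
```

In the demo the ten retransmitted SYNs fail the rule before its timer runs out, the ten non-retransmitted TCP packets do not (they only fail at expiry under condition 1), and while ppp 0 is OOS the default route moves to ppp 1 until the period ends.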
How stateful rules can improve firewall security
To better understand how to use stateful inspection, consider setting up a filter to allow all machines
on a local network with addresses in the range 10.1.2.* to access the Internet on port 80. This
example requires one rule to filter the outgoing packets and another rule to filter the responses. At a
minimum, the firewall rules to achieve this are as follows:
pass out break end on ppp 0 from 10.1.2.0/24 to any port=80
pass in break end on ppp 0 from any port=80 to 10.1.2.0/24
In this example:
Digi TransPort® Routers User Guide
Firewall
779
