Digi TransPort WR11 User Manual page 781

Configuring security
inspect-state rules are scalable
As another advantage, inspect-state rules are scalable, allowing many machines to use the rule
simultaneously. In the above example:
- Many machines on the local network could browse the Internet.
- The inspection engine would dynamically create precise inward filters as required.
- The inspection engine would close the rules when they are no longer needed.
Protocol types on which the inspect-state option is allowed
The inspect-state option is allowed on the following protocol types:
- TCP
- UDP
- The following ICMP packet types:
  - echo
  - timest
  - inforeq
  - maskreq
Use [inspect-state] with flags
You can use the inspect-state option with flags. For example, the original two-rule script for
setting up a filter that lets a machine on the local network (10.1.2.33 in this example) open telnet
connections to the Internet was:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags a
Using the inspect-state option, you can replace this script with a single filter rule:
pass out break end from 10.1.2.33 port>1023 to any port=telnet flags s!a inspect-state
No rule is necessary for the return packets. This is because a temporary filter is created that allows
only inbound packets to pass if they match sessions set up by this stateful inspection rule.
The flags s!a specification
The flags s!a specification ensures that the rule only matches the first packet in a connection. This is
because the first packet in a TCP connection has the SYN flag on and the ACK flag off, and so we only
match on that combination. The stateful inspection engine handles matching the rest of the packets
for this connection.
Use [inspect-state] with ICMP codes
You can also use the [inspect-state] option with ICMP packet types (the icmp-type keyword). To allow
outbound echo requests and let in only the matching echo replies, create one rule:
pass out break end on ppp 0 proto icmp icmp-type echo inspect-state
Besides needing only one rule, the inspect-state option also produces a more secure firewall. For
example:
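The two scripts above (the stateless two-rule script and the single inspect-state rule) and the ICMP echo rule, modelled in Python as an added example. This is not Digi code and it does not execute the router's firewall language; it only parses the rule subset shown on this page and simulates the inspection engine as a set of expected packet keys. Assumed for the model: a default-deny policy when no rule matches, a service-name table containing telnet and http, the flag letters s/a/f/r for SYN/ACK/FIN/RST, and a session that is opened by an outbound packet matching a pass ... inspect-state rule and closed again by a RST (the real engine also ages idle sessions out and tracks FIN teardown, which the toy omits). The traffic is constructed with documentation addresses. It shows the point the page is making: the stateless return rule "flags a" admits any inbound packet from port 23 with ACK set, including an unsolicited ACK-scan probe that belongs to no connection, whereas the inspect-state firewall admits only the SYN-ACK that answers a SYN it has already seen (and only an echo reply that answers an echo request), and withdraws that temporary filter once the session is reset.

```python
"""Toy model of stateless filtering versus a "pass ... inspect-state" rule.
Added example, not Digi code; parses only the rule subset used on this page."""
import re
from dataclasses import dataclass

SERVICES = {"telnet": 23, "http": 80}   # assumed service-name table
ICMP_REPLY = {"echo": "echo-reply"}     # request type -> the reply type to admit

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" (from the Internet) or "out"
    proto: str                      # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags set: s=SYN a=ACK f=FIN r=RST (assumed letters)
    icmp_type: str = ""             # e.g. "echo", "echo-reply"

def _port(spec):
    """'port>1023' or 'port=telnet' -> predicate on a port number."""
    op, val = re.fullmatch(r"port([<>=])(\S+)", spec).groups()
    n = SERVICES.get(val) or int(val)
    return {"<": lambda p: p < n, ">": lambda p: p > n, "=": lambda p: p == n}[op]

def parse_rule(text):
    """Turn one rule line into a dict of match conditions."""
    tok = text.split()
    rule = {"action": tok[0], "direction": tok[1], "proto": None, "icmp-type": None,
            "from": "any", "to": "any", "sport": None, "dport": None,
            "set": set(), "clear": set(), "inspect": "inspect-state" in tok}
    i = 2
    while i < len(tok):
        t = tok[i]
        if t in ("proto", "icmp-type"):
            rule[t] = tok[i + 1]; i += 2
        elif t in ("from", "to"):
            rule[t] = tok[i + 1]; i += 2
            if i < len(tok) and tok[i].startswith("port"):
                rule["sport" if t == "from" else "dport"] = _port(tok[i]); i += 1
        elif t == "flags":          # "s!a": SYN must be set, ACK must be clear
            for neg, f in re.findall(r"(!?)([a-z])", tok[i + 1]):
                rule["clear" if neg else "set"].add(f)
            i += 2
        else:                       # break, end, on <iface>, inspect-state
            i += 1
    return rule

def matches(rule, pkt):             # stateless test of one packet against one rule
    return (rule["direction"] == pkt.direction
            and rule["proto"] in (None, pkt.proto)
            and rule["icmp-type"] in (None, pkt.icmp_type)
            and rule["from"] in ("any", pkt.src) and rule["to"] in ("any", pkt.dst)
            and (rule["sport"] is None or rule["sport"](pkt.sport))
            and (rule["dport"] is None or rule["dport"](pkt.dport))
            and rule["set"] <= pkt.flags and not (rule["clear"] & pkt.flags))

def _key(p, reply=False):
    """Tracking key for p, or (reply=True) for the one packet that answers it."""
    a, b = (p.dst, p.src) if reply else (p.src, p.dst)
    if p.proto == "icmp":
        return ("icmp", a, b, ICMP_REPLY.get(p.icmp_type, p.icmp_type) if reply else p.icmp_type)
    return (p.proto, a, p.dport if reply else p.sport, b, p.sport if reply else p.dport)

class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.sessions = set()       # keys the inspection engine will admit

    def check(self, pkt):
        """Return 'pass' or 'block' for one packet and update the session table."""
        if _key(pkt) in self.sessions:
            if "r" in pkt.flags:    # RST: the temporary filter is no longer needed
                self.sessions -= {_key(pkt), _key(pkt, reply=True)}
            return "pass"           # (a real engine also ages idle sessions out)
        for rule in self.rules:     # first match wins ("break end")
            if matches(rule, pkt):
                if rule["action"] == "pass" and rule["inspect"]:
                    self.sessions |= {_key(pkt), _key(pkt, reply=True)}
                return rule["action"]
        return "block"              # assumed default-deny

STATELESS = ["pass out break end from 10.1.2.33 port>1023 to any port=telnet",
             "pass in break end from any port=telnet to 10.1.2.33 port>1023 flags a"]
STATEFUL = ["pass out break end from 10.1.2.33 port>1023 to any port=telnet flags s!a inspect-state",
            "pass out break end on ppp 0 proto icmp icmp-type echo inspect-state"]

# Constructed traffic (documentation addresses): ACK-scan probe, telnet handshake, ping
PROBE = Packet("in", "tcp", "203.0.113.9", "10.1.2.33", 23, 4444, frozenset("a"))
SYN = Packet("out", "tcp", "10.1.2.33", "198.51.100.5", 4000, 23, frozenset("s"))
SYN_ACK = Packet("in", "tcp", "198.51.100.5", "10.1.2.33", 23, 4000, frozenset("sa"))
RST = Packet("in", "tcp", "198.51.100.5", "10.1.2.33", 23, 4000, frozenset("r"))
PING = Packet("out", "icmp", "10.1.2.33", "198.51.100.5", icmp_type="echo")
PONG = Packet("in", "icmp", "198.51.100.5", "10.1.2.33", icmp_type="echo-reply")
FAKE_PONG = Packet("in", "icmp", "203.0.113.9", "10.1.2.33", icmp_type="echo-reply")

def run(rules, packets):
    """Verdict for each packet, in order, through a fresh firewall."""
    fw = Firewall(rules)
    return [fw.check(p) for p in packets]
```

Running run(STATELESS, [PROBE]) gives ['pass']: the probe carries ACK from source port 23 to a high port, which is all the stateless return rule can check. Running run(STATEFUL, [PROBE, SYN, SYN_ACK, RST, SYN_ACK]) gives ['block', 'pass', 'pass', 'pass', 'block']: the probe is dropped, the SYN opens a session, the SYN-ACK rides on it, the RST closes it, and a second SYN-ACK after the close is dropped again. The same holds for ICMP: run(STATEFUL, [FAKE_PONG, PING, PONG]) gives ['block', 'pass', 'pass'].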
Digi TransPort® Routers User Guide
Firewall
781
