Digi TransPort WR11 User Manual page 784

Configuring security
The third rule is more complex:
- It configures the stateful inspection engine to watch for UDP packets (with any source address) being routed via the PPP 1 interface to any address that begins with 156.15 on port 1234.
- If a hit occurs on this rule, but the router does not detect a reply within 10 seconds (as specified by the t= parameter), it increments an internal counter.
- When this counter reaches the value set by the c= parameter, the stateful inspection engine marks the PPP 1 interface (and therefore any routes using it) as being out of service for 300 seconds.
- Similarly, if this counter matches the d= parameter, the stateful inspection engine deactivates PPP 1.
- The stateful inspection engine marks any routes that use PPP 1 as out of service AND deactivates PPP 1 if no reply is detected within 10 seconds for two packets in a row.
- Routes come back into service when either the specified timeout expires or there are no other routes with a higher metric in service.
- PPP interfaces re-activate when the routes using them are back in service, there is a packet to route, and the AODI mode parameter is set to On.
Example: using the oos parameter for TCP packets
An example set of firewall rules for TCP packets that uses the oos parameter is:
pass out log break end on ppp 3 proto tcp from any to 192.168.0.1 flags S!A inspect-state oos 30 t=10 c=2 d=2
pass in
pass out
- This rule specifically traces attempts to open a TCP connection on PPP 3 to the 192.168.0.1 IP address. If the attempt fails within 10 seconds twice in a row, the PPP 3 interface is flagged as out of service (that is, its metric is set to 16) for 30 seconds.
- The optional d=2 entry also deactivates the PPP link. Deactivating the link can be useful in scenarios where renegotiating the PPP connection is likely to resolve the problem.
- If a matching route with a higher metric is defined, the router uses it while the PPP 3 routes are out of service, thus providing a powerful route backup mechanism.
Use inspect-state with the stat option
You can combine inspect-state with the stat option. The stat option causes the firewall rule to record statistics for the traffic it matches: transaction times, counts and errors are recorded under the PPP statistics.
Create a basic inspect-state rule with no out of service options
This example firewall rule allows TCP packets from 10.1.1.1 to 10.1.2.1 port 23 with the SYN flag set
to pass out on PPP 2. Because the rule uses the inspect-state field, a stateful rule is set up allowing
other packets for that TCP socket to also pass.
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state
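The following is an added example, not Digi's code or anything shipped with the TransPort firmware: a small Python model of the inspect-state behaviour described on this page, covering both the oos/t=/c=/d= counters from the PPP 3 example and the plain inspect-state rule above, which has no out-of-service options. The rule parser understands only the keywords that appear on this page, and the counter model assumes (my reading of "two packets in a row") that a reply arriving within t= seconds resets the run of misses; the router's real parser and internal tables are not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Rule:
    interface: str = ""
    proto: str = ""
    src: str = ""
    dst: str = ""
    oos: Optional[int] = None   # seconds the interface's routes stay out of service
    t: Optional[int] = None     # seconds to wait for a reply before counting a miss
    c: Optional[int] = None     # consecutive misses before routes go out of service
    d: Optional[int] = None     # consecutive misses before the interface is deactivated
    stat: bool = False          # record statistics under the PPP statistics


def parse_rule(text: str) -> Rule:
    """Parse the subset of TransPort rule syntax used on this page (simplified, an assumption)."""
    toks = text.split()
    rule = Rule()
    i = 0
    while i < len(toks):
        tok = toks[i].lower()
        if tok == "on" and i + 2 < len(toks):          # "on ppp 3" -> interface "ppp 3"
            rule.interface = f"{toks[i + 1].lower()} {toks[i + 2]}"
            i += 3
        elif tok in ("proto", "from", "to", "oos") and i + 1 < len(toks):
            value = toks[i + 1]
            if tok == "proto":
                rule.proto = value.lower()
            elif tok == "from":
                rule.src = value
            elif tok == "to":
                rule.dst = value
            else:
                rule.oos = int(value)
            i += 2
        elif tok == "stat":
            rule.stat = True
            i += 1
        elif (m := re.fullmatch(r"([tcd])=(\d+)", tok)):  # t=10, c=2, d=2
            setattr(rule, m.group(1), int(m.group(2)))
            i += 1
        else:                                            # pass/out/log/break/end/flags/...
            i += 1
    return rule


@dataclass
class OosInspector:
    """Applies the t=/c=/d=/oos counters of one inspect-state rule to a stream of packets."""
    rule: Rule
    base_metric: int = 1
    misses: int = 0                                   # consecutive packets with no timely reply
    pending: Dict[str, float] = field(default_factory=dict)  # flow key -> time sent
    oos_until: float = 0.0                            # routes via the interface OOS until then
    active: bool = True                               # PPP link up or deactivated

    def packet_out(self, flow: str, now: float) -> None:
        """An outbound packet hit the rule; start its reply timer."""
        self.pending[flow] = now

    def reply_in(self, flow: str, now: float) -> None:
        """A reply for a tracked flow arrived; in time means the run of misses ends (assumption)."""
        sent = self.pending.pop(flow, None)
        if sent is not None and self.rule.t is not None and now - sent <= self.rule.t:
            self.misses = 0

    def tick(self, now: float) -> None:
        """Expire flows whose t= window passed and apply the c= and d= thresholds."""
        if self.rule.t is None:
            return  # plain inspect-state rule: no timers, nothing can go out of service
        for flow in [f for f, sent in self.pending.items() if now - sent > self.rule.t]:
            del self.pending[flow]
            self.misses += 1
            if self.rule.c is not None and self.misses >= self.rule.c:
                self.oos_until = now + (self.rule.oos or 0)   # routes OOS for oos seconds
            if self.rule.d is not None and self.misses >= self.rule.d:
                self.active = False                           # deactivate the PPP link

    def routes_in_service(self, now: float) -> bool:
        return now >= self.oos_until

    def route_metric(self, now: float) -> int:
        """Out-of-service routes are advertised with metric 16, as the page states."""
        return self.base_metric if self.routes_in_service(now) else 16

    def can_reactivate(self, now: float, packet_waiting: bool, aodi_on: bool) -> bool:
        """A deactivated link comes back only when its routes are in service, a packet is waiting and AODI is On."""
        return (not self.active) and self.routes_in_service(now) and packet_waiting and aodi_on
```

Feeding the PPP 3 rule two SYNs that never get a reply drives the counter to c=2 and d=2 on the second timeout, so the metric reads 16 until the 30 second oos window ends, and the parsed PPP 2 rule (no t=) never times anything out.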
Digi TransPort® Routers User Guide
Firewall
784
