Digi TransPort WR11 User Manual page 785

Configuring security
Create a rule to mark an interface out of service
You can modify the basic inspect-state rule above so that it marks an interface out of service when
the stateful rule identifies a failed connection:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60
The addition of oos 60 means that if the stateful rule sees a failure, the firewall sets interface PPP 2
out of service for 60 seconds. If no interface is specified after the oos keyword, the interface set out of
service is the one on which the packet is currently passing.
To set a different interface out of service, specify the interface after the oos keyword. For example,
oos ppp 1 60 sets interface PPP 1 out of service for 60 seconds.
Override the default time in a stateful rule
To override the default time the stateful rule allows for a connection to open, use the t=secs option.
For example, to reduce the default TCP opening time of 60 seconds to 10 seconds:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10
A socket now has 10 seconds to become established (that is, to complete the SYN exchange) before the
stateful rule entry expires and is counted as a failure.
Set an interface to out of service after consecutive failures
You can configure the firewall so that the interface is only set out of service after a number of
consecutive failures. To do this, use the c=count option. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5
PPP 2 is now set out of service only after 5 consecutive failures.
Deactivate an interface after consecutive failures
You can also deactivate the interface after a number of consecutive failures, using the d=count option.
This is useful for WWAN interfaces, which can get into a state where the PPP connection appears to be
operational but no packets are actually passing. Deactivating and reactivating the interface sometimes
clears this condition. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10
PPP 2 is now deactivated after 10 consecutive failures.
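The four options above (oos, t=, c= and d=) interact over time, and the manual's rule lines alone do not show the resulting timeline. The following model, added here as an illustration and not Digi's firewall code, simulates the behaviour the text describes: a socket that does not establish within t= seconds counts as a failure, the c-th consecutive failure sets the interface out of service for the oos period, and the d-th deactivates it. Two points the manual leaves unstated are marked as assumptions in the code: a successful handshake resets the consecutive-failure counter, and every failure from the c-th onward re-arms the out-of-service timer. The retry interval, socket ids and the "answered" attempts are constructed inputs.

```python
"""Model of the out-of-service tracking performed by a TransPort stateful rule
(inspect-state oos <secs> t=<secs> c=<count> d=<count>).

Added illustration, not Digi's implementation. Assumptions are marked inline.
"""
from dataclasses import dataclass, field
from typing import Collection, Dict, List, Optional


@dataclass
class StatefulOosRule:
    iface: str = "PPP 2"
    oos_secs: int = 60              # oos <secs>
    t_secs: int = 60                # t=<secs>; the manual's default TCP opening time is 60 s
    c_count: int = 1                # c=<count>; with no c=, the first failure sets OOS
    d_count: Optional[int] = None   # d=<count>; with no d=, the interface is never deactivated
    pending: Dict[int, int] = field(default_factory=dict)  # socket id -> time of SYN
    consecutive_failures: int = 0
    oos_until: Optional[int] = None
    deactivated: bool = False
    events: List[str] = field(default_factory=list)

    def syn_seen(self, sock: int, now: int) -> None:
        """An outbound SYN without ACK (flags S!A) opened a tracked socket."""
        self.pending[sock] = now

    def established(self, sock: int, now: int) -> None:
        """Handshake completed within t= seconds.
        Assumption: a success resets the consecutive-failure counter."""
        if self.pending.pop(sock, None) is not None:
            self.consecutive_failures = 0

    def out_of_service(self, now: int) -> bool:
        return self.oos_until is not None and now < self.oos_until

    def tick(self, now: int) -> None:
        """Expire sockets that did not establish within t= seconds and
        return the interface to service once its OOS period has elapsed."""
        for sock, started in list(self.pending.items()):
            if now - started >= self.t_secs:
                del self.pending[sock]
                self._failure(now)
        if self.oos_until is not None and now >= self.oos_until:
            self.oos_until = None
            self.events.append(f"{now}: {self.iface} back in service")

    def _failure(self, now: int) -> None:
        self.consecutive_failures += 1
        n = self.consecutive_failures
        self.events.append(f"{now}: failure #{n}")
        # Assumption: every failure from the c-th onward (re)arms the OOS timer.
        if n >= self.c_count:
            self.oos_until = now + self.oos_secs
            self.events.append(f"{now}: {self.iface} out of service for {self.oos_secs}s")
        if self.d_count is not None and n >= self.d_count:
            self.deactivated = True
            self.events.append(f"{now}: {self.iface} deactivated")


def simulate(rule: StatefulOosRule, answered: Collection[int] = frozenset(),
             interval: int = 15, limit: int = 1000) -> StatefulOosRule:
    """Drive the rule with a constructed host that retries telnet every
    `interval` seconds while the interface is in service. Only attempts whose
    index is in `answered` complete the handshake; the rest get no reply."""
    sock = 0
    for now in range(limit):
        rule.tick(now)
        if rule.deactivated:
            break
        if now % interval == 0 and not rule.out_of_service(now):
            rule.syn_seen(sock, now)
            if sock in answered:
                rule.established(sock, now)
            sock += 1
    return rule


if __name__ == "__main__":
    # Dead peer: oos 60 t=10 c=5 d=10 -> OOS at the 5th failure, deactivated at the 10th.
    dead = simulate(StatefulOosRule(oos_secs=60, t_secs=10, c_count=5, d_count=10))
    print("\n".join(dead.events))
    # Flaky peer: one answered attempt resets the count, so OOS comes later.
    flaky = simulate(StatefulOosRule(oos_secs=60, t_secs=10, c_count=5), answered={3}, limit=200)
    print("\n".join(flaky.events))
```

Running the dead-peer scenario shows why d= is measured in failures rather than seconds: once the interface is out of service no new attempts pass, so each further failure only arrives after the oos period ends, and the 10th failure (and the deactivation) comes several minutes after the 5th.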
Digi TransPort® Routers User Guide
Firewall
785