Configure security settings
Firewall
Digi TransPort WR Routers User Guide
712
Further inspect-state examples
▪ Here is a basic inspect-state rule with no OOS options:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state
This rule allows TCP packets from 10.1.1.1 to 10.1.2.1 port 23 (telnet) with the SYN flag set and the ACK flag clear (flags S!A, the opening segment of a new connection) to pass out on PPP 2. Because the rule uses the inspect-state option, a stateful rule is set up that also allows the other packets for that TCP socket to pass.
▪ Next, modify the rule so that the interface is marked OOS (out of service) if the stateful rule identifies a failed connection:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60
Adding oos 60 means that if the stateful rule sees a failure, interface PPP 2 is set OOS for 60 seconds. If no interface is specified after the oos keyword, the interface set OOS is the one the packet is currently passing on. To set a different interface OOS, name it after the oos keyword; for example, oos ppp 1 60 puts PPP 1 out of service for 60 seconds.
▪ To override the default time the stateful rule allows for a connection to open, use the t=secs option. For example, to reduce the default TCP opening time of 60 seconds to 10 seconds:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10
A socket now has 10 seconds to become established (that is, to complete the SYN exchange) before the stateful rule expires and the connection is counted as a failure.
▪ You can configure the firewall so that the interface is set OOS only after a number of consecutive failures. To do this, use the c=count option. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5
PPP 2 is now set OOS only after 5 consecutive failures.
▪ You can also deactivate the interface after a number of consecutive failures, using the d=count option. This is useful for WWAN interfaces, which can get into a state where the PPP connection appears to be up but no packets are actually passing; deactivating and reactivating the interface sometimes clears the problem. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10
Now PPP 2 is deactivated after 10 consecutive failures.
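As an added example (not code from the Digi guide or the TransPort firmware), here is a small Python model of the options used in the rules above: a parser for rule lines of the form shown in this section, and a tracker that applies the t=, c= and d= counters to a sequence of tracked connection attempts so you can see when OOS and deactivation fire. The rule text and the 60-second default opening time come from the section; the counter semantics (a consecutive-failure counter that resets on a successful open, c=1 when no count is given, OOS raised on every failure at or past the count) are assumptions of this model, not behaviour documented on this page.

```python
"""Parse inspect-state firewall rules like those in the guide and model the
oos / t= / c= / d= behaviour. Added example; counter semantics are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rule lines taken from the section above, joined onto single lines.
RULE_BASIC = ("pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 "
              "port=telnet flags S!A inspect-state")
RULE_FULL = RULE_BASIC + " oos 60 t=10 c=5 d=10"


@dataclass
class Rule:
    action: str
    direction: str
    interface: str = ""
    proto: str = ""
    src: str = ""
    dst: str = ""
    port: Optional[str] = None
    flags: Optional[str] = None
    break_end: bool = False
    inspect_state: bool = False
    oos_iface: Optional[str] = None   # None: OOS applies to the interface the packet passes on
    oos_secs: Optional[int] = None    # None: no OOS action configured
    t: int = 60                       # default TCP opening time in seconds (from the guide)
    c: int = 1                        # assumption: OOS on the first failure when c= is absent
    d: Optional[int] = None           # None: never deactivate the interface


def _interface(toks: List[str], i: int):
    """Read an interface name such as 'PPP 2' (name plus optional unit number)."""
    name = toks[i]
    i += 1
    if i < len(toks) and toks[i].isdigit():
        name += " " + toks[i]
        i += 1
    return name, i


def parse_rule(line: str) -> Rule:
    """Tokenise one rule line into a Rule; raises ValueError on unknown tokens."""
    toks = line.split()
    rule = Rule(action=toks[0], direction=toks[1])
    fields = {"proto": "proto", "from": "src", "to": "dst", "flags": "flags"}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "break" and toks[i + 1:i + 2] == ["end"]:
            rule.break_end = True
            i += 2
        elif tok == "on":
            rule.interface, i = _interface(toks, i + 1)
        elif tok in fields:
            setattr(rule, fields[tok], toks[i + 1])
            i += 2
        elif tok.startswith("port="):
            rule.port = tok[len("port="):]
            i += 1
        elif tok == "inspect-state":
            rule.inspect_state = True
            i += 1
        elif tok == "oos":
            i += 1
            if not toks[i].isdigit():                 # 'oos ppp 1 60' names another interface
                name = toks[i]
                i += 1
                if i + 1 < len(toks) and toks[i].isdigit() and toks[i + 1].isdigit():
                    name += " " + toks[i]             # unit number, then the seconds value
                    i += 1
                rule.oos_iface = name
            rule.oos_secs = int(toks[i])
            i += 1
        elif re.fullmatch(r"[tcd]=\d+", tok):
            setattr(rule, tok[0], int(tok[2:]))
            i += 1
        else:
            raise ValueError(f"unrecognised token {tok!r}")
    if (rule.oos_secs is not None or rule.d is not None) and not rule.inspect_state:
        raise ValueError("oos/c=/d= require inspect-state")
    return rule


@dataclass
class OosTracker:
    """Model of the consecutive-failure counter behind oos/c=/d= (assumed behaviour)."""
    rule: Rule
    failures: int = 0
    oos_until: float = float("-inf")
    deactivated: bool = False

    def attempt(self, now: float, established_after: Optional[float]) -> List[str]:
        """Record one tracked socket: established_after is the seconds until the SYN
        exchange completed, or None if it never did. Returns the events raised."""
        failed = established_after is None or established_after > self.rule.t
        self.failures = self.failures + 1 if failed else 0   # assumption: success resets
        events = []
        if failed and self.rule.oos_secs is not None and self.failures >= self.rule.c:
            self.oos_until = now + self.rule.oos_secs
            events.append(f"oos {self.rule.oos_iface or self.rule.interface} {self.rule.oos_secs}")
        if failed and self.rule.d is not None and self.failures >= self.rule.d:
            self.deactivated = True
            events.append(f"deactivate {self.rule.interface}")
        return events

    def is_oos(self, now: float) -> bool:
        return now < self.oos_until


if __name__ == "__main__":
    trk = OosTracker(parse_rule(RULE_FULL))
    # Constructed sequence: five SYNs that never complete, then one that opens in 2 s.
    for n in range(5):
        print(n + 1, trk.attempt(now=n * 10.0, established_after=None))
    print(6, trk.attempt(now=50.0, established_after=2.0), "oos now:", trk.is_oos(50.0))
```

Feeding the tracker a sequence of opens shows the difference between the two counts: with c=5 and d=10, the fifth consecutive failure only takes PPP 2 out of service for the oos period, while the tenth also deactivates it, and a single successful open in between starts the count again.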