a packet to route and the AODI mode parameter is set to “On”.
TCP Example
pass out log break end on ppp 3 proto tcp from any to 192.168.0.1 flags S!A inspect-state oos 30 t=10 c=2 d=2
pass in
pass out
This rule will specifically trace attempts to open a TCP connection on PPP 3 to the 192.168.0.1 IP address and if it fails within 10 seconds twice in a row, will cause the PPP 3 interface to be flagged as out of service (i.e. its metric will be set to 16), for 30 seconds. The optional d=2 entry will also cause the PPP link to be deactivated. Deactivating the link can be useful in scenarios where renegotiating the PPP connection is likely to resolve the problem. Again, if a matching route with a higher metric has been defined it will be used whilst PPP 3 routes are out of service thus providing a powerful route-backup mechanism.
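The following Python model is an added example, not part of the original manual or of the router firmware. It parses the inspect-state options from the rule above and simulates how consecutive failed connection attempts take the interface out of service. Assumptions: d is treated as a consecutive-failure count like c, the normal route metric is 1, and the out-of-service timer starts when an attempt times out.

```python
import re
from dataclasses import dataclass

# Constructed copy of the first line of the TCP example rule.
RULE = ("pass out log break end on ppp 3 proto tcp from any to 192.168.0.1 "
        "flags S!A inspect-state oos 30 t=10 c=2 d=2")

def parse_oos(rule):
    """Extract the oos hold time and the t/c/d options from a rule string."""
    m = re.search(r"inspect-state\s+oos\s+(\d+)((?:\s+[tcd]=\d+)*)", rule)
    if not m:
        raise ValueError("no 'inspect-state oos' clause found")
    opts = {"oos": int(m.group(1))}
    for key, val in re.findall(r"([tcd])=(\d+)", m.group(2)):
        opts[key] = int(val)
    return opts

@dataclass
class OosMonitor:
    oos: int                 # seconds the interface stays out of service
    t: int                   # seconds allowed for the connection to open
    c: int                   # consecutive failures before out of service
    d: int = 0               # assumed: failures before link deactivation (0 = never)
    failures: int = 0
    oos_until: float = -1.0
    link_deactivated: bool = False

    def attempt(self, start, opened_at=None):
        """Record one connection attempt; opened_at=None means it never opened."""
        if opened_at is not None and opened_at - start <= self.t:
            self.failures = 0          # a success breaks the "in a row" run
            return
        self.failures += 1
        fail_time = start + self.t     # failure is declared when t expires
        if self.failures >= self.c:
            self.oos_until = fail_time + self.oos
        if self.d and self.failures >= self.d:
            self.link_deactivated = True

    def metric(self, now, normal=1):
        """Metric 16 while out of service; `normal` is a hypothetical default."""
        return 16 if now < self.oos_until else normal
```
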
13.8.4 Using [inspect-state] with the Stat Option
The inspect-state option can be used with the stat option. The stat option will cause the firewall rule to record statistics associated with it. Transaction times, counts and errors are recorded under the PPP statistics with this option.
13.8.5 Assigning DSCP Values
When using QOS, packet priorities will be determined by the DSCP values in their TOS fields. These priorities may have already been assigned but if necessary, the router can be configured to assign them by inserting the appropriate rules in the firewall. This is done by using the dscp command.
For example:
dscp 46 in on eth 0 from 100.100.100.25 to 1.2.3.4 port=4000
would set the DSCP value to 46 for almost any type of packet received on ETH 0 from IP address
100.100.100.25 addressed to 1.2.3.4 on port 4000. This allows you to set the DSCP value for almost
any type of packet.
As a further example:
dscp 46 in on eth 0 proto smtp from any to any
would cause outgoing mail traffic to be assigned to the same top priority queue (46 is by default a very high priority code in the DSCP mappings).