User's guide
484
The inspect-state option can be used with the following ICMP packet types:

ICMP Type    Matching ICMP Type
Echo         Echo reply
Timest       Timestrep
Inforeq      Inforep
Maskreq      Maskrep
Using [inspect-state] with the Out Of Service Option
The inspect-state field can be used with an optional oos parameter. This parameter allows
the stateful inspect engine to mark as "out of service" any routes that are associated with
the specified interface, and also to control how and when the interfaces are returned to service.
Such routes will only be marked as out of service if the specified oos option parameters are
met. The oos parameter takes the format:
oos {interface-name|logical-name} secs {t=secs} {c=count} {d=count} {r="ping"|"tcp"{,secs}}
where:
interface-name or logical-name specifies the interface with which the firewall rule is
associated, e.g. PPP 1. This can also be a logical interface name, which is simply a name that
can be created (e.g. "waffle"). When a logical interface name is specified, then this name can
become oos (out of service) and can be tested in other firewall rules with the oosed keyword.
secs specifies the length of time in seconds for which the routes that are using the specified
interface are marked as out of service.
{t=secs} is an optional parameter that specifies the length of time in seconds the unit will
wait for a response to the packet that matched the rule.
{c=count} is an optional parameter that specifies the number of times that the stateful
inspection engine must trigger on the rule before the route is marked as out of service.
{d=count} is an optional parameter that specifies the number of times that the stateful
inspection engine must trigger on the rule before the interface is deactivated (only applies
to PPP interfaces).
{r="ping"|"tcp"{,secs{,secs}}} is an optional parameter that specifies a recovery
procedure. When a recovery procedure is specified, then after the oos timeout has expired,
instead of bringing the interface back into service immediately, the link is tested first. It is
tested by either sending a TCP SYN packet or a ping packet to the address/port that caused
the oos condition. The "secs" field specifies the retry time when checking for recovery. Only
when the recovery succeeds will the interface become in service again.
UDP Example
pass in
pass out
pass out on ppp 1 proto udp from any to 156.15.0.0/16 port=1234 inspect-state oos ppp 1 300 t=10 c=2 d=2
The first two rules simply configure the unit to allow any type of packets to be transmitted
or received (the default action of the firewall is to block all traffic).
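The following Python is an added example, not code from the user's guide or from the firewall itself. It parses an oos option string into its fields and models the trigger counting, oos window and recovery gating described above, so that a rule such as the UDP example can be checked before it is deployed. The tokenising rule (the interface name is everything before the last number that precedes any k=v parameter), the default of one trigger when c= is omitted, and the reset of the trigger count after a successful recovery are assumptions made for this example; the class and function names are hypothetical.

```python
"""Parser and state model for the firewall 'oos' option (added example,
not the firewall's own implementation; see assumptions in comments)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class OosOption:
    interface: str                 # interface or logical name, e.g. "ppp 1" or "waffle"
    secs: int                      # seconds the routes stay out of service
    t: Optional[int] = None        # seconds to wait for a response to the matched packet
    c: Optional[int] = None        # triggers needed before routes are marked oos
    d: Optional[int] = None        # triggers needed before a PPP interface is deactivated
    r_method: Optional[str] = None # recovery test: "ping" or "tcp"
    r_secs: Optional[int] = None   # retry interval for the recovery test


_KV = re.compile(r"^([tcdr])=(.+)$")


def parse_oos(text: str) -> OosOption:
    """Parse e.g. 'oos ppp 1 300 t=10 c=2 d=2' into an OosOption."""
    tokens = text.split()
    if not tokens or tokens[0].lower() != "oos":
        raise ValueError("option must start with 'oos'")
    tokens = tokens[1:]
    # Positional part: everything up to the first k=v token.  Assumption:
    # the last positional token is 'secs', the rest form the interface name.
    positional = []
    while tokens and not _KV.match(tokens[0]):
        positional.append(tokens.pop(0))
    if len(positional) < 2 or not positional[-1].isdigit():
        raise ValueError("expected '<interface-name|logical-name> <secs>'")
    opt = OosOption(interface=" ".join(positional[:-1]).lower(), secs=int(positional[-1]))
    for tok in tokens:
        m = _KV.match(tok)
        if not m:
            raise ValueError(f"unexpected token {tok!r}")
        key, val = m.group(1), m.group(2)
        if key == "r":
            # r="ping"|"tcp"{,secs}; accept ASCII or typographic quotes around the method
            parts = [p.strip('"\u201c\u201d') for p in val.split(",")]
            if parts[0] not in ("ping", "tcp"):
                raise ValueError("r= must be ping or tcp")
            opt.r_method = parts[0]
            if len(parts) > 1:
                opt.r_secs = int(parts[1])
        else:
            if not val.isdigit():
                raise ValueError(f"{key}= expects an integer")
            setattr(opt, key, int(val))
    return opt


class OosTracker:
    """Models one interface's oos state as the inspect-state engine fires on a rule."""

    def __init__(self, opt: OosOption):
        self.opt = opt
        self.triggers = 0
        self.oos_until: Optional[float] = None  # time at which the oos window expires
        self.deactivated = False                # PPP interface deactivated (d= reached)
        self.recovered = False

    def trigger(self, now: float) -> None:
        """Called each time the rule fires, i.e. no response within t seconds."""
        self.triggers += 1
        needed = self.opt.c if self.opt.c is not None else 1  # assumption: default one trigger
        if self.triggers >= needed:
            self.oos_until = now + self.opt.secs
            self.recovered = False
        if self.opt.d is not None and self.triggers >= self.opt.d:
            self.deactivated = True

    def is_oos(self, now: float) -> bool:
        if self.oos_until is None:
            return False
        if now < self.oos_until:
            return True
        # Window expired: with a recovery test configured, the routes stay oos
        # until that test (ping or TCP SYN) has succeeded.
        return self.opt.r_method is not None and not self.recovered

    def recovery_succeeded(self) -> None:
        """Report a successful recovery test; resets the trigger count (assumption)."""
        self.recovered = True
        self.oos_until = None
        self.triggers = 0


if __name__ == "__main__":
    rule = parse_oos("oos ppp 1 300 t=10 c=2 d=2")   # the UDP example from the guide
    print(rule)
```

Running the module prints the parsed fields of the guide's UDP example: the routes over PPP 1 go out of service for 300 seconds after two unanswered packets, and the PPP interface is deactivated at the same point because d=2 as well.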