User's guide

The third rule is more complex. It configures the stateful inspection engine to watch for UDP packets (with any source address) being routed via the PPP 1 interface to any address that begins with 156.15 on port 1234. If a hit occurs on this rule but the unit does not detect a reply within 10 seconds (as specified by the t= parameter), it will increment an internal counter. When this counter reaches the value set by the c= parameter, the stateful inspection engine will mark the PPP 1 interface (and therefore any routes using it) as being out of service for 300 seconds. Similarly, if this counter matches the d= parameter, the stateful inspection engine will deactivate PPP 1. So in the above example, the stateful inspection engine will mark any routes that use PPP 1 as out of service AND deactivate PPP 1 if no reply is detected within 10 seconds for two packets in a row.

Routes will come back into service when either the specified timeout expires or there are no other routes with a higher metric in service.

PPP interfaces will be re-activated when the routes using them are back in service, there is a packet to route, and the AODI mode parameter is set to “On”.
TCP Example

pass out log break end on ppp 3 proto tcp from any to 192.168.0.1 flags S!A inspect-state oos 30 t=10 c=2 d=2
pass in
pass out

This rule will specifically trace attempts to open a TCP connection on PPP 3 to the 192.168.0.1 IP address and, if it fails within 10 seconds twice in a row, will cause the PPP 3 interface to be flagged as out of service (i.e. its metric will be set to 16) for 30 seconds. The optional d=2 entry will also cause the PPP link to be deactivated. Deactivating the link can be useful in scenarios where renegotiating the PPP connection is likely to resolve the problem. Again, if a matching route with a higher metric has been defined it will be used whilst PPP 3 routes are out of service, thus providing a powerful route backup mechanism.
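The counter logic described for the t=, c= and d= parameters, as an added example (not the router's own firmware code): a small parser for the inspect-state part of a rule line, plus a monitor that replays the miss counter against it. The sample rule is the TCP example above; that a timely reply clears the counter is inferred from the phrase "two packets in a row" and is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the TCP example rule from this page, on a single line.
SAMPLE_RULE = ("pass out log break end on ppp 3 proto tcp from any to 192.168.0.1 "
               "flags S!A inspect-state oos 30 t=10 c=2 d=2")
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)\b.*? on (?P<iface>\w+ \d+) proto "
    r"(?P<proto>\w+) from (?P<src>\S+) to (?P<dst>\S+).*?\binspect-state oos "
    r"(?P<oos>\d+)(?P<opts>(?: [tcd]=\d+)+)$"
)

@dataclass
class InspectRule:
    iface: str
    dst: str
    oos: int            # seconds the interface's routes stay out of service
    t: int              # seconds to wait for a reply before counting a miss
    c: int              # consecutive misses that mark the routes out of service
    d: Optional[int]    # consecutive misses that deactivate the PPP link (optional)

def parse_rule(text: str) -> InspectRule:
    """Extract the inspect-state parameters from one firewall rule line."""
    m = RULE_RE.match(" ".join(text.split()))   # rejoin a rule wrapped over lines
    if not m:
        raise ValueError("not an inspect-state rule: %r" % text)
    opts = {k: int(v) for k, v in (kv.split("=") for kv in m["opts"].split())}
    if "t" not in opts or "c" not in opts:
        raise ValueError("inspect-state needs both t= and c=")
    return InspectRule(m["iface"], m["dst"], int(m["oos"]), opts["t"], opts["c"], opts.get("d"))

@dataclass
class LinkMonitor:
    """Miss counter for one rule; reply_after is the reply delay (s) or None if no reply."""
    rule: InspectRule
    misses: int = 0
    oos_until: float = 0.0      # routes via rule.iface are OOS while now < oos_until
    deactivated: bool = False

    def observe(self, now: float, reply_after: Optional[float]) -> dict:
        if reply_after is not None and reply_after <= self.rule.t:
            self.misses = 0                          # timely reply breaks the streak (assumption)
        else:
            self.misses += 1
            if self.misses >= self.rule.c:           # mark routes out of service
                self.oos_until = now + self.rule.oos
            if self.rule.d is not None and self.misses >= self.rule.d:
                self.deactivated = True              # PPP link is dropped for renegotiation
        return {"misses": self.misses, "out_of_service": now < self.oos_until,
                "deactivated": self.deactivated}
```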
Using [inspect-state] with the Stat Option

The inspect-state option can be used with the stat option. The stat option causes the firewall rule to record statistics associated with it. Transaction times, counts and errors are recorded under the PPP statistics with this option.
Assigning DSCP Values

When using QOS, packet priorities will be determined by the DSCP values in their TOS fields. These priorities may have already been assigned but, if necessary, the router can be configured to assign them by inserting the appropriate rules in the firewall. This is done by using the dscp command.

For example:

dscp 46 in on eth 0 from 100.100.100.25 to 1.2.3.4 port=4000

would set the DSCP value to 46 for almost any type of packet received on ETH 0 from IP address 100.100.100.25 addressed to 1.2.3.4 on port 4000. This allows you to set the DSCP value for almost any type of packet.

As a further example:

dscp 46 in on eth 0 proto smtp from any to any

would cause outgoing mail traffic to be placed in the same top priority queue (46 is by default a very high priority code in the DSCP mappings).