User's guide
488
Dest Port: 23
TCP Flags: S
Further [inspect-state] Examples
Here is a basic inspect-state rule with no OOS options:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state
This rule will allow TCP packets from 10.1.1.1 to 10.1.2.1 port 23 with the SYN flag set to pass out on PPP 2. Because the inspect-state option is used, a stateful rule will also be set up which allows other packets for that TCP socket to also pass.
Next, we will modify the rule to mark an interface OOS if a stateful rule identifies a failed connection:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60
The addition of oos 60 means that if the stateful rule sees a failure, interface PPP 2 will be set OOS for 60 seconds. If no interface is specified after the oos keyword, the interface set to OOS will be the one the packet is currently passing on. It is possible to OOS a different interface by specifying the interface after the oos keyword, e.g. oos ppp 1 60 to put PPP 1 out of service for 60 seconds.
The default time allowed by the stateful rule for a connection to open may be overridden by using the {t=secs} option, e.g. to override the default TCP opening time of 60 seconds to 10 seconds:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10
A socket will now only have 10 seconds to become established (i.e. exchange SYNs) before the stateful rule expires and the connection is tagged as a failure.
It is possible to configure the firewall so that the interface is only set to OOS after a number of consecutive failures occur. To do this, use the {c=count} option. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5
PPP 2 will now only be set OOS after 5 consecutive failures.
It is possible to deactivate the interface after a number of consecutive failures. This is useful for WWAN interfaces, which may get into a state where the PPP connection appears to be operational, but in fact no packets are passing. In this case, deactivating and reactivating the interface will sometimes fix the problem.
For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10
Now, PPP 2 will be deactivated after 10 consecutive failures.
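The following is an added example and not code from the user's guide or the firewall: it parses the inspect-state options of rules like the ones above and models the consecutive-failure counter that drives the oos and deactivate actions. The defaults c=1 and "no deactivation without d" and the rule that the counter keeps rising until a successful open are assumptions, not documented behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class InspectState:
    oos_iface: Optional[str]   # None: the interface the packet is passing on
    oos_secs: Optional[int]    # None: rule has no oos action
    t: int = 60                # seconds allowed for the connection to open (default on the page)
    c: int = 1                 # consecutive failures before OOS (assumed default: 1)
    d: Optional[int] = None    # consecutive failures before deactivation (None: never)

# Matches "inspect-state [oos [<iface> <n>] <secs>] [t=..] [c=..] [d=..]"
_RE = re.compile(r"inspect-state(?:\s+oos(?:\s+([a-z]+\s+\d+))?\s+(\d+))?"
                 r"((?:\s+[tcd]=\d+)*)", re.I)

def parse_inspect_state(rule):
    """Extract the inspect-state options from a rule line."""
    m = _RE.search(rule)
    if not m:
        raise ValueError("rule has no inspect-state option")
    st = InspectState(m.group(1), int(m.group(2)) if m.group(2) else None)
    for key, val in re.findall(r"([tcd])=(\d+)", m.group(3)):
        setattr(st, key, int(val))
    return st

@dataclass
class Interface:
    name: str
    failures: int = 0        # consecutive failures seen by the stateful rule
    oos_until: float = 0.0   # time until which the interface is out of service
    deactivated: bool = False

def record_connection(iface, st, now, open_time):
    """open_time: seconds the socket took to exchange SYNs, None if it never did.
    Returns the action taken: 'ok', 'failure', 'oos' or 'deactivated'."""
    if open_time is not None and open_time <= st.t:
        iface.failures = 0   # a successful open resets the consecutive count
        return "ok"
    iface.failures += 1
    # Assumption: the count keeps rising until a success, so with c=5 d=10 the
    # 5th to 9th failures refresh the OOS timer and the 10th deactivates.
    if st.d is not None and iface.failures >= st.d:
        iface.deactivated = True
        return "deactivated"
    if st.oos_secs is not None and iface.failures >= st.c:
        iface.oos_until = now + st.oos_secs
        return "oos"
    return "failure"
```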