User's guide
489
Keeping a route out of service and using recovery
It may be that the user wants to keep the interface OOS until it is certain that a future
connection will work. To help achieve this, one or more recovery options may be specified.
These options make the unit test connectivity between itself and the destination IP
address of the packet that established the stateful rule. The recovery check can be either a
PING or a TCP socket connection. An interval between recovery checks must also be
specified. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120
Now the interface will be set to OOS for 60 seconds after 5 consecutive failures. After the 60
seconds elapse, the recovery procedure is initiated. In this example the recovery
consists of TCP connection attempts made at 2-minute intervals. The interface remains
OOS until the recovery procedure completes successfully. The destination IP address in this
case is 10.1.2.1.
To override the default socket connection time, it is possible to specify an additional
recovery option. For example:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120,10
Now, 10 seconds is allowed for each recovery attempt. If the socket connects within that
time, the recovery is successful; otherwise the recovery attempt fails.
There is also an option {rd=x} to disconnect the interface after a recovery attempt
completes. This option can be used to deactivate the interface after a recovery failure,
success, or either. "x" is a bitmask indicating the cases in which the interface should be
deactivated. Bit 0 deactivates the interface after a recovery failure. Bit 1 deactivates the
interface after a recovery success, i.e.
• rd=1 – means deactivate after a recovery failure
• rd=2 – means deactivate after a recovery success
• rd=3 – means deactivate after either recovery success or recovery failure
Extending our firewall rule to include this option gives:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120,10 rd=3
Now the interface will be deactivated after a recovery success or failure.
If the {rd=x} option is not used, the interface will remain up until its inactivity timer expires,
or until it is deactivated by some other means.
The {dt=secs} option may be used to indicate that the interface is to remain OOS while it is
disconnected, and that it should be reactivated a given number of seconds after it last disconnected.
Recovery procedures will take place after the interface connects.
Extending our firewall rule to include this option gives:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120,10 rd=3 dt=60
Now the interface will be reconnected 60 seconds after it disconnects, and recovery
procedures will start after the interface connects. This option would normally be used with
the {rd=x} option so that recovery has control over when the interface connects and
disconnects.
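The following is an added example, not code from the router firmware or this guide: a small Python model of the inspect-state recovery options described above. It parses the option string that follows the inspect-state keyword (the r=, rd= and dt= syntax as documented here; t= and d= are carried through without interpretation) and applies the rd= bitmask and dt= delay to the outcome of a recovery attempt. The option-string format and the function names are assumptions made for this illustration.

```python
# Added example (not vendor code): model of inspect-state recovery options.
from dataclasses import dataclass, field
from typing import Optional

RD_ON_FAILURE = 1  # bit 0: deactivate the interface after a failed recovery
RD_ON_SUCCESS = 2  # bit 1: deactivate the interface after a successful recovery

@dataclass
class RecoveryPolicy:
    oos_secs: int                    # route stays OOS this long before recovery
    fail_count: int                  # consecutive failures (c=) that trigger OOS
    method: Optional[str] = None     # "ping" or "tcp" (first r= field)
    interval: Optional[int] = None   # seconds between attempts (second r= field)
    timeout: Optional[int] = None    # per-attempt socket timeout (third r= field)
    rd: int = 0                      # deactivate bitmask (rd=)
    dt: Optional[int] = None         # reconnect delay after disconnect (dt=)
    other: dict = field(default_factory=dict)  # t=, d=: not interpreted here

def parse_inspect_state(opts: str) -> RecoveryPolicy:
    """Parse e.g. 'oos 60 t=10 c=5 d=10 r=tcp,120,10 rd=3 dt=60' (assumed format)."""
    tokens = opts.split()
    if len(tokens) < 2 or tokens[0] != "oos":
        raise ValueError("expected 'oos <seconds> ...'")
    kv = dict(tok.split("=", 1) for tok in tokens[2:])
    pol = RecoveryPolicy(oos_secs=int(tokens[1]), fail_count=int(kv.pop("c", 1)))
    if "r" in kv:
        parts = kv.pop("r").split(",")
        if len(parts) < 2 or parts[0].lower() not in ("ping", "tcp"):
            raise ValueError("r= must be ping|tcp,interval[,timeout]")
        pol.method, pol.interval = parts[0].lower(), int(parts[1])
        pol.timeout = int(parts[2]) if len(parts) > 2 else None
    pol.rd = int(kv.pop("rd", 0))
    if pol.rd & ~(RD_ON_FAILURE | RD_ON_SUCCESS):
        raise ValueError("rd= uses only bits 0 and 1")
    pol.dt = int(kv.pop("dt")) if "dt" in kv else None
    pol.other = kv  # remaining options (t=, d=) kept as raw strings
    return pol

def after_recovery_attempt(pol: RecoveryPolicy, succeeded: bool, now: int):
    """Outcome of one recovery attempt finishing at time `now` (seconds):
    (route back in service, deactivate interface, reconnect time or None)."""
    bit = RD_ON_SUCCESS if succeeded else RD_ON_FAILURE
    deactivate = bool(pol.rd & bit)
    # With dt= the route stays OOS while disconnected and the interface is
    # brought up again dt seconds after it went down; recovery resumes then.
    reconnect_at = now + pol.dt if (deactivate and pol.dt is not None) else None
    return succeeded, deactivate, reconnect_at
```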