User's guide
Keeping a route out of service and using recovery with a list of addresses
This expands on the functionality above and gives the ability to check connectivity to a range of addresses using a ping. It is possible to specify an address list that the recovery mechanism will ping in turn to see if any respond. This helps ensure that even when one, two or three destinations can't be reached because of an outage on the remote network, the connection will be made available again as long as at least one address in the list responds.
The address lists are created using the following syntax:
#addrs <list-name> <address1,address2,address3,address4>
Address lists can span multiple lines if required, for example:
#addrs <list-name> <address1,address2>
#addrs <list-name> <address3,address4>
The address list is called using the recovery option pingl. An example firewall rule would be:
pass out break end on PPP 1 proto ICMP from 10.1.1.1 to 10.1.2.1 inspect-state oos 60 t=10 c=5 d=10 r=pingl listA,120,10 rd=3 dt=60
This rule allows pings outbound and, on detecting a communication failure, uses pings to an address list named listA. The address list named listA could look like this:
#addrs listA 10.1.2.1,10.1.3.1,10.1.4.1,10.1.5.1
#addrs listA 10.1.6.1,10.2.1.1,10.2.2.1
This causes the recovery mechanism to ping the range of addresses shown in the list above.
Debugging a Firewall
While firewall scripts are being created and managed, they may need debugging to ensure that packets are being processed correctly. To assist in this, a rule with the debug action may be used.
If a rule with the debug action is encountered, an entry is made in the FWLOG.TXT pseudo-file each time the packet in question matches a rule from that point on. This gives the administrator the ability to follow a packet through a rule set, and can help determine what, if any, changes are required to the rule set. Rules that specify the debug action would typically be placed near the top of the rule set, so that all matching rules from that point on are entered into the log file.
Entries in the FWLOG.TXT file created as the result of a debug rule may be identified by the short description “FW_DEBUG” at the top of the log entry.
An example rule set using a debug rule:
debug in on ppp 2 proto tcp from any to any port=http
pass in break end proto tcp from any to any port=http flags s/sa inspect-state
pass out break end proto udp
If placed at the top of the rule set, any packet received on interface PPP 2 to destination
port 80 will generate a debug entry in the log file for each subsequent rule that it matches.
In the example rule set above, a packet that matched the second rule would also match the
first rule, and would therefore create two log entries. The same packet would not match the
third rule, and so no log entry would be made for this rule.
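To make the "two entries versus none" reasoning concrete, here is an added Python model of the walk through the example rule set above; it is not code from the guide or from the router itself, and the packet dictionaries, the HTTP_IN and DNS_OUT names and the small set of keywords it matches on are assumptions made for illustration.

```python
# Toy model of the rule walk described above: a "debug" rule arms FW_DEBUG
# logging for the packet, each later rule it matches adds one entry, and
# "break end" ends the walk. Illustrative only, not the router's own code;
# matching covers only the keywords the example rule set uses.
import re

RULES = """
debug in on ppp 2 proto tcp from any to any port=http
pass in break end proto tcp from any to any port=http flags s/sa inspect-state
pass out break end proto udp
""".strip().splitlines()

PORT_NAMES = {"http": 80}          # service names the example uses

def parse_rule(line):
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "iface": None, "proto": None,
            "port": None, "stop": "break" in toks and "end" in toks}
    if m := re.search(r"\bon (\w+) (\d+)", line, re.I):
        rule["iface"] = f"{m[1].lower()} {m[2]}"
    if m := re.search(r"\bproto (\w+)", line):
        rule["proto"] = m[1].lower()
    if m := re.search(r"\bport=(\w+)", line):
        rule["port"] = PORT_NAMES.get(m[1]) or int(m[1])
    return rule

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["port"] in (None, pkt["dport"]))

def walk(rules, pkt):
    # Return the FW_DEBUG log lines this packet would produce.
    log, armed = [], False
    for n, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "debug":
            armed = True                      # log every match from here on
        if armed:
            log.append(f"FW_DEBUG rule {n}: {rule['action']} {rule['dir']}")
        if rule["stop"]:                      # 'break end' stops processing
            break
    return log

# Constructed sample packets (not from the guide).
HTTP_IN = {"dir": "in", "iface": "ppp 2", "proto": "tcp", "dport": 80}
DNS_OUT = {"dir": "out", "iface": "ppp 2", "proto": "udp", "dport": 53}
```

Parse RULES with parse_rule and hand the list to walk: HTTP_IN produces two entries (rules 1 and 2), while DNS_OUT matches only rule 3 and, never having passed the debug rule, produces none.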
Because of the extra processor time required to add all of these additional log entries,
debug rules should be removed (or commented out) once the rule set is operating as
desired.