Further [inspect-state] examples 15.10 – Westermo MR Series User Manual

Page 408


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

Source IP: 100.100.100.25
Dest IP: 100.100.100.50
ID: 13317
TTL: 128
Protocol: TCP
Source Port: 1441
Dest Port: 23
TCP Flags: S

15.10 Further [inspect-state] Examples

Here is a basic inspect-state rule with no OOS options:

pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state

This rule will allow TCP packets from 10.1.1.1 to 10.1.2.1 port 23 with the SYN flag set to pass out
on PPP 2. Because the inspect-state option is used, a stateful rule will also be set up which allows
other packets for that TCP socket to also pass.

Next, we will modify the rule to mark an interface OOS if a stateful rule identifies a failed connection:

pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60

The addition of oos 60 means that if the stateful rule sees a failure, interface PPP 2 will be set OOS
for 60 seconds. If no interface is specified after the oos keyword, the interface set to OOS will be
the one the packet is currently passing on.

It is possible to OOS a different interface by specifying the interface after the oos keyword, e.g. oos
ppp 1 60 to put PPP 1 out of service for 60 seconds.

The default time allowed by the stateful rule for a connection to open may be overridden by using
the {t=secs} option, e.g. to override the default TCP opening time of 60 seconds with 10 seconds:

pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10

A socket will now only have 10 seconds to become established (i.e. exchange SYNs) before the
stateful rule expires and is tagged as a failure.

It is possible to configure the firewall so that the interface is only set to OOS after a number of
consecutive failures occur. To do this, use the {c=count} option. For example:

pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5

PPP 2 will now only be set OOS after 5 consecutive failures.

It is possible to deactivate the interface after a number of consecutive failures. This is useful for
W-WAN interfaces, which may get into a state where the PPP connection appears to be operational
but in fact no packets are passing. In this case, deactivating and reactivating the interface will
sometimes fix the problem.

For example:

pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10

Now, PPP 2 will be deactivated after 10 consecutive failures.
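The following is an added model, not Westermo firmware code, of how the oos, t, c and d options described above interact on one interface. It assumes a successful socket open resets the consecutive-failure count, that oos is given without an interface name, and the function names parse_options, record_attempt and simulate are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added model (not Westermo firmware code) of the counters this section
# describes. Assumptions: every successful socket open resets the
# consecutive-failure count, a failure is any socket that has not exchanged
# SYNs within t seconds, and the rule uses "oos <secs>" without an interface.
OPTION_RE = re.compile(r"\b(oos|t|c|d)[ =](\d+)\b")

def parse_options(rule: str) -> dict:
    """Extract oos/t/c/d from an inspect-state rule; t=60 is the manual's default."""
    opts = {"oos": None, "t": 60, "c": 1, "d": None}  # c=1 and no d are assumed defaults
    for key, value in OPTION_RE.findall(rule):
        opts[key] = int(value)
    return opts

@dataclass
class IfaceState:
    failures: int = 0          # consecutive failed connection openings
    oos_until: float = 0.0     # time at which the OOS period expires
    deactivated: bool = False  # set once d consecutive failures are reached

def is_oos(state: IfaceState, now: float) -> bool:
    return now < state.oos_until

def record_attempt(state: IfaceState, opts: dict, started: float,
                   established: Optional[float]) -> bool:
    """Feed one tracked socket in; returns True if it counted as a failure."""
    failed = established is None or established - started > opts["t"]
    if not failed:
        state.failures = 0
        return False
    now = started + opts["t"]  # the stateful rule expires t seconds after the SYN
    state.failures += 1
    if opts["oos"] is not None and state.failures >= opts["c"]:
        state.oos_until = now + opts["oos"]
    if opts["d"] is not None and state.failures >= opts["d"]:
        state.deactivated = True
    return True

def simulate(rule: str, attempts):
    """attempts: list of (started, established_or_None); returns (state, opts)."""
    opts = parse_options(rule)
    state = IfaceState()
    for started, established in attempts:
        record_attempt(state, opts, started, established)
    return state, opts
```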

Keeping a route out of service and using recovery

It may be that the user wants to keep the interface OOS until he is sure that a future connection
will work. To help achieve this, one or more recovery options may be specified. These options get
the unit to test connectivity between the unit and the destination IP address of the packet that
established the stateful rule. The recovery can be in the form of a PING or a TCP socket connection.
An interval between recovery checks must also be specified. For example:

pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120
