Westermo MR Series User Manual
Page 404

6622-3201
Web Interface and Command Line Reference Guide
www.westermo.com
match the IP destination and source of the echo request. If you compare this to the rule to allow
echo replies in without using inspect-state, it would not be possible to check the source address at
all, and the destination address would match any IP address on our network.
The inspect-state option can be used with the following ICMP packet types:

ICMP Type    Matching ICMP Type
Echo         Echo reply
Timest       Timestrep
Inforeq      Inforep
Maskreq      Maskrep
15.8.3 Using [inspect-state] with the Out Of Service Option
The inspect-state field can be used with an optional oos parameter. This parameter allows the
stateful inspect engine to mark as “out of service” any routes that are associated with the specified
interface and also to control how and when the interfaces are returned to service. Such routes will only
be marked as out of service if the specified oos option parameters are met. The oos parameter
takes the format:
oos {interface-name|logical-name} secs {t=secs} {c=count} {d=count}
{r=“ping”|“tcp”{,secs}}
where:
• interface-name or logical-name specifies the interface with which the firewall rule is associated,
e.g. PPP 1. This can also be a logical interface name, which is simply a name that can be created
(e.g. “waffle”). When a logical interface name is specified then this name can become oos
(out of service) and can be tested in other firewall rules with the oosed keyword.
• secs specifies the length of time in seconds for which the routes that are using the specified
interface are marked as out of service.
• {t=secs} is an optional parameter that specifies the length of time in seconds the unit will wait
for a response to the packet that matched the rule.
• {c=count} is an optional parameter that specifies the number of times that the stateful inspection
engine must trigger on the rule before the route is marked as out of service.
• {d=count} is an optional parameter that specifies the number of times that the stateful inspection
engine must trigger on the rule before the interface is deactivated (only applies to PPP
interfaces).
• {r=“ping”|“tcp”{,secs{,secs}}} is an optional parameter that specifies a recovery procedure.
When a recovery procedure is specified, then after the oos timeout has expired, instead of
bringing the interface back into service immediately, the link is tested first. It is tested by either
sending a TCP SYN packet or a ping packet to the address/port that caused the oos condition.
The “secs” field specifies the retry time when checking for recovery. Only when the recovery
succeeds will the interface become in service again.
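The way secs, t=, c= and d= act on the rule's internal miss counter can be followed with a small model. The Python below is an added illustration written for this page, not Westermo code; it uses the same values as the UDP example that follows (300 t=10 c=2 d=2), does not model the r= recovery test, and assumes (the manual does not say) that a timely reply resets the miss counter.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OosRule:
    """Parameters of: inspect-state oos <iface> <secs> t=<t> c=<c> d=<d>."""
    iface: str
    secs: int          # seconds the interface's routes stay out of service
    t: int             # seconds to wait for a reply to a packet that hit the rule
    c: int             # misses needed before routes are marked out of service
    d: Optional[int]   # misses needed before the (PPP) interface is deactivated


@dataclass
class OosState:
    misses: int = 0                    # the rule's internal miss counter
    oos_until: Optional[int] = None    # time at which routes return to service
    deactivated: bool = False          # interface taken down by d=


def routes_in_service(state: OosState, now: int) -> bool:
    """Routes via the interface are usable unless inside the oos window."""
    return state.oos_until is None or now >= state.oos_until


def simulate(rule: OosRule, events: List[Tuple[int, Optional[int]]]) -> Tuple[OosState, List[str]]:
    """Replay (send_time, reply_time or None) pairs for packets that hit the rule.
    Assumption (not in the manual): a reply within t seconds resets the counter."""
    state, log = OosState(), []
    for sent, reply in events:
        if reply is not None and reply - sent <= rule.t:
            state.misses = 0
            continue
        # No reply within t seconds: the engine notices the miss at sent + t.
        detected = sent + rule.t
        state.misses += 1
        if state.misses == rule.c:
            state.oos_until = detected + rule.secs
            log.append(f"t={detected}: {rule.iface} routes out of service until t={state.oos_until}")
        if rule.d is not None and state.misses == rule.d:
            state.deactivated = True
            log.append(f"t={detected}: {rule.iface} deactivated")
    return state, log


# Constructed traffic: one answered packet, one unanswered, one answered too late (15 s > t).
RULE = OosRule(iface="ppp 1", secs=300, t=10, c=2, d=2)
SAMPLE_EVENTS = [(0, 3), (100, None), (120, 135)]

if __name__ == "__main__":
    final_state, transitions = simulate(RULE, SAMPLE_EVENTS)
    print("\n".join(transitions))
```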
UDP Example
pass in
pass out
pass out on ppp 1 proto udp from any to 156.15.0.0/16 port=1234
inspect-state oos ppp 1 300 t=10 c=2 d=2
The first two rules simply configure the unit to allow any type of packet to be transmitted or
received (the default action of the firewall is to block all traffic).
The third rule is more complex. It configures the stateful inspection engine to watch
for UDP packets (with any source address) being routed via the PPP 1 interface to any address that
begins with 156.15 on port 1234. If a hit occurs on this rule but the unit does not detect a reply
within 10 seconds (as specified by the t= parameter), it increments an internal counter. When
this counter reaches the value set by the c= parameter, the stateful inspection engine marks the
PPP 1 interface (and therefore any routes using it) as being out of service for 300 seconds. Similarly,
if this counter matches the d= parameter, the stateful inspection engine will deactivate PPP 1. So