Debugging a firewall 15.11 – Westermo MR Series User Manual

Page 410

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

an address list named listA. The address list named listA could look like this:

#addrs listA 10.1.2.1,10.1.3.1,10.1.4.1,10.1.5.1

#addrs listA 10.1.6.1,10.2.1.1,10.2.2.1

This causes the recovery to ping the range of addresses shown in the list above.

15.11 Debugging a Firewall

During the creation and management of firewall scripts, the scripts may need debugging to
ensure that packets are being processed correctly. To assist in this, a rule with the debug action may
be used. If a rule with the debug action is encountered, an entry is made in the FWLOG.TXT
pseudo-file each time the packet in question matches a rule from that point on. This gives the
administrator the ability to follow a packet through a rule set, and can help determine what, if any,
changes are required to the rule set. Rules that specify the debug action would typically be placed
near the top of the rule set, so that all matching rules from that point on are entered into the log file.

Entries in the FWLOG.TXT file created as the result of a debug rule may be identified by the short
description “FW_DEBUG” at the top of the log entry.

An example rule set using a debug rule:

debug in on ppp 2 proto tcp from any to any port=http

pass in break end proto tcp from any to any port=http flags s/sa inspect-state

pass out break end proto udp

If placed at the top of the rule set, any packet received on interface PPP 2 with destination port 80
will generate a debug entry in the log file for each subsequent rule that it matches. In the example
rule set above, a packet that matched the second rule would also match the first rule, and would
therefore create two log entries. The same packet would not match the third rule, and so no log
entry would be made for this rule.
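To make the evaluation order concrete, the following small Python model (added here, not Westermo code) shows how a debug rule switches on FW_DEBUG logging for the matching packet and every later rule it matches. The rule fields and the assumption that "break end" stops evaluation at the first pass match are simplifications; connection-state tracking is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # e.g. "ppp 2"
    proto: str       # "tcp" or "udp"
    dport: int       # destination port

@dataclass(frozen=True)
class Rule:
    action: str              # "debug" or "pass"
    direction: str
    iface: Optional[str]     # None means any interface
    proto: str
    dport: Optional[int]     # None means any port
    stop: bool = False       # True models "break end" (assumption: stop evaluating)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto == pkt.proto
            and rule.dport in (None, pkt.dport))

def run(rules: List[Rule], pkt: Packet) -> Tuple[str, List[str]]:
    """Evaluate one packet; return (final action, FW_DEBUG log lines)."""
    log, debugging, action = [], False, "default"
    for n, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        if rule.action == "debug":
            debugging = True          # logging starts with the debug rule itself
        if debugging:                 # every match from here on is logged
            log.append(f"FW_DEBUG rule {n}: {rule.action} {pkt.direction} "
                       f"on {pkt.iface} proto {pkt.proto} dport={pkt.dport}")
        if rule.action != "debug":
            action = rule.action
            if rule.stop:
                break
    return action, log

# The manual's example rule set, encoded with the constructed fields above.
RULES = [
    Rule("debug", "in", "ppp 2", "tcp", 80),
    Rule("pass", "in", None, "tcp", 80, stop=True),
    Rule("pass", "out", None, "udp", None, stop=True),
]
```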

Because of the extra processor time required to add all of these additional log entries, debug rules
should be removed (or commented out) once the rule set is operating as desired.
