Profiles

Most settings in the FireBrick are subject to a profile, the default being 24/7. A profile simply defines if the setting is active or not. When not active, the setting is completely disregarded. As most settings are checked in order, this means the setting will not match, and checking will continue to another match later.

There are 3 pre-defined profiles in addition to the ones that can be set manually - these include 24/7 (always on), 9-5 M-F (9am to 5pm Monday-Friday), 2am Sun (2am to 3am on Sunday). In addition, all profiles may also be selected for their "off" state, e.g. "Not 24/7" or "Not 9-5 M-F".

At any time a profile is active or inactive. This can be controlled by a simple master switch on the profile, or can be based on specific times of day and day of week, or based on the response of a particular host (responding to pings).

Master switch

Each profile has options for permanently enabled and permanently disabled. These settings affect the filter state regardless of the other options selected (such as ping IP, time settings, etc).

These profiles are shown on the quick setup page with a check box allowing them to be quickly changed.

Time controlled

The time profile is only available if the clock is set. When the clock is not set, the profile remains in its previous state. Time controls are set for each hour or each day of the week, and change on the hour.

Time setting profile

The time setting function is controlled using a time profile, resulting in a chicken & egg problem. To resolve this, the time setting function disregards the profile if a time based profile is used, and the time is not yet set. This means time setting is tried periodically for several minutes at a time until it is set.

Ping scanning

The ping scanning option is a profile which is active while a specified host is responding to a ping.

Pings are only performed during the selected times, or anytime if the clock is not set.

This means that a host will have to ignore several pings in a row at one second intervals to be considered unresponsive.

You can select not only the IP to ping, but the interface and if required the gateway router address - this is necessary if the ping scan itself affects routing, and you would otherwise continue pinging via a backup interface! You can also select TTL to limit the distance the ping will go.
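The following is an added example, not FireBrick code or configuration: a small Python model of the behaviour described so far (master switch, time control with an unset clock, ping scanning, and inactive settings being skipped during ordered matching). The names `Profile`, `tick`, `first_match` and the value `MISS_LIMIT = 3` are assumptions for illustration; the page says only "several" missed pings.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

MISS_LIMIT = 3  # assumption: the page says only "several" pings in a row

@dataclass
class Profile:
    master: Optional[bool] = None                 # True/False = permanently enabled/disabled
    times: Optional[Set[Tuple[str, int]]] = None  # (day, hour) slots; None = no time control
    ping: bool = False                            # active only while the host answers pings
    active: bool = True                           # last computed state
    misses: int = 0                               # consecutive unanswered pings

    def tick(self, now=None, ping_ok=True):
        """Advance one step; now is (day, hour), or None while the clock is not set."""
        if self.master is not None:               # master switch overrides all other options
            self.active = self.master
        elif self.ping:
            # Pings are sent only in the selected times, or anytime with no clock.
            if self.times is None or now is None or now in self.times:
                self.misses = 0 if ping_ok else self.misses + 1
                self.active = self.misses < MISS_LIMIT
            # Outside the selected times no ping is sent; keeping the old state is an assumption.
        elif self.times is not None and now is not None:
            self.active = now in self.times       # clock not set: previous state is kept
        return self.active

def first_match(rules, packet):
    """rules are (profile, negate, predicate, action); inactive settings are disregarded."""
    for profile, negate, predicate, action in rules:
        if profile.active != negate and predicate(packet):
            return action
    return None

# Constructed sample data: a "9-5 M-F" profile and two ordered rules for TCP port 22.
OFFICE = {(d, h) for d in ("Mon", "Tue", "Wed", "Thu", "Fri") for h in range(9, 17)}
ALWAYS = Profile()                                # stands in for 24/7

def ssh_action(now, start_active=True):
    office = Profile(times=OFFICE, active=start_active)
    office.tick(now)
    rules = [(office, False, lambda p: p["port"] == 22, "allow"),
             (ALWAYS, False, lambda p: p["port"] == 22, "drop")]
    return first_match(rules, {"port": 22})

def ping_states(replies):
    link = Profile(ping=True)
    return [link.tick(None, ok) for ok in replies]

if __name__ == "__main__":
    print(ssh_action(("Tue", 10)), ssh_action(("Sat", 10)), ssh_action(None))
    print(ping_states([True, False, False, False, True]))
```

In this model a time-limited allow rule that starts out active keeps matching until the clock is set, which is worth checking when a time profile gates access.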

Changes

A change to a profile will have immediate effect on the rest of the operation of the FireBrick. However, bear in mind the time when filters and routers are tested - at the start of a session. As such, the removal of a filter will not make a session invalid. Also, the removal of a subnet will stop the FireBrick answering ARPs for that subnet, but will not clear other devices' caches of the ARP previously given.

A special case is traffic shaping rules which regularly check the validity of shaping rules and re-assign sessions on the fly. This may take several seconds to respond, but allows traffic shaping based on time profiles to be effective.

In addition, a profile can have a re-route flag set, which means a change in the profile causes all routed sessions to be re-evaluated when the profile changes. This is used for ISDN backups using the same IPs as it allows re-routing of existing sessions.

Type of ping

A standard ICMP echo request is used, with TOS 4 (high reliability), and no payload.

Pinging via specific interfaces

Because ping scanning is often used as the basis for changing routing (e.g. making use of a backup ISDN router when a leased line goes down), it is often necessary to force the routing of the ping, allowing the faulty route to continue to be monitored. As such, the interface and gateway IP can optionally be pre-defined. Normal routing rules are followed within these constraints.

ALERT LED

A profile can also be set to affect the ALERT LED, setting it on solid red if the profile is active, or inactive as required. If any profile causes the LED to be on, then it is on regardless of blinking or flashing settings.