NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT

RE: [FW1] TCP Timeout question



From Nokia's Knowledge Base:

TCP Services in FireWall-1 4.0 and later
For simple TCP services, add the following line (including the comma) in
$FWDIR/lib/init.def:

ADD_TCP_TIMEOUT(port,timeout),

Right before the line that says:

ADD_TCP_TIMEOUT(0,0)

Where port specifies the TCP port and timeout specifies the number of
seconds. The (0,0) setting indicates that the table was already initialized,
since each packet going through inspect will try to initialize the table.

If you want to set a timeout past 7200 seconds (2 hours), then you must do
the timeout as a multiple of a number less than 7200. For example, if you
want to enable telnet (port 23) to have a timeout of 4 hours, you would add
the following line:

ADD_TCP_TIMEOUT(23,3600*4),

If you want to set the FTP Control Connection timeout, add the following
line on the management module in $FWDIR/lib/init.def:

#define FTP_CONTROL_TIMEOUT timeout

where timeout is the timeout value in seconds. FTP_CONTROL_TIMEOUT is
defined in init.def to take on the value of TCP_TIMEOUT, if it is not
already defined. Again, if you want this to be beyond 2 hours, apply the
trick above.

For other non-simple TCP services that FireWall-1 handles (e.g. RealAudio or
SQLNet 2), you will need to search through $FWDIR/lib/*.def (and
$FWDIR/lib30/*.def in FireWall-1 4.x) for code that relates to that service
and change occurrences of TCP_TIMEOUT to whatever value (in seconds) you want
the service to have.

If you are running NAT, see the NAT-specific notes below.

TCP Services in FireWall-1 3.x

In FireWall-1 3.0, in base.def, the following macro will need to be
changed:

#define TCP_ESTABLISHED_RECORD(con,key,type) \
( \
((type & _TCP_ESTABLISHED) = 0, not_first, \
set type (type | _TCP_ESTABLISHED), \
record in connections \
) or 1 \
)

This macro establishes the TCP timeout for simple TCP connections. It records
TCP_TIMEOUT as the timeout value for the connection; in this case, that is
1800 seconds, as set by the GUI.

If you want http to have a timeout of 100 seconds, change it so it reads:

#define TCP_ESTABLISHED_RECORD(con,key,type) \
( \
((type & _TCP_ESTABLISHED) = 0, not_first, \
set type (type | _TCP_ESTABLISHED), \
((dport = 80, record in connections) \
or record in connections) \
) or 1 \
)

This means:

When the destination port is 80 (i.e. HTTP connections), set the timeout to
100 seconds. For all other connections, set the timeout to TCP_TIMEOUT
seconds.

If you want the timeout to be beyond two hours, do the timeout as a multiple
(e.g. 3600*4 as shown above).

For non-simple TCP services that FireWall-1 handles (e.g. RealAudio), you
will need to search through $FWDIR/lib/*.def for code that relates to that
service and change occurrences of TCP_TIMEOUT to whatever value (in seconds)
you want the service to have.

If you are using NAT, see the NAT-specific changes below.

UDP Services

In FireWall-1 4.0 and later, the macro responsible for tracking UDP
connections is listed in $FWDIR/lib/base.def (FireWall-1 3.0 has a similar
macro):

#define UDP_RECORD(con,key,type,flags) \
(record in connections)

For example, if you wanted to reduce the DNS timeout to 10 seconds, you
would modify the macro so it reads:

#define UDP_RECORD(con,key,type,flags) \
((dport=53, record in connections) or record in connections)

Additional Changes for NAT

If you are also doing NAT and you are increasing a timeout for a service
past 1 hour, you also need to perform the following additional modification
using the zap utility via Resolution 1261.

The examples below modify the NAT timeout to 14000 seconds.

zap -s _fwx_tcp_expiration $FWDIR/modules/fwmod.o 14000 (For FW-1 3.x)
zap -s _fwx_tcp_expiration $FWDIR/boot/modules/fwmod.o 14000 (For FW-1 4.x)

For UDP connections, the command is similar:

zap -s _fwx_udp_expiration $FWDIR/modules/fwmod.o 14000 (For FW-1 3.x)
zap -s _fwx_udp_expiration $FWDIR/boot/modules/fwmod.o 14000 (For FW-1 4.x)

In 4.0 SP3 and above (including all 4.1 builds), there is no longer a need
to set the _fwx_*_expiration kernel variables. The values are initialized as
appropriate for TCP connections (for ones where init.def has changed), else
the default TCP connection timeout value is used. For UDP connections, the
UDP reply timeout value is used. If you have issues with UDP connections and
NAT with long timeout, change the UDP reply timeout to a high value and
modify the macro as shown above.

Verifying Changes

If you look at the output of 'fw tab -u table connections', the last column
shows you the connection timeout value.

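An added example, not part of Nokia's KB text or of the message above: a small Python script that inserts the per-port `ADD_TCP_TIMEOUT(port,timeout),` entries (trailing comma included) into a copy of init.def directly before the `ADD_TCP_TIMEOUT(0,0)` sentinel, rewrites an existing entry for the same port instead of adding a second one, and applies the KB's rule that a timeout above 7200 seconds is written as a product (3600*4 for the four-hour telnet case). The init.def fragment it works on is constructed for the example, and port 8080 stands in for a hypothetical custom service; neither is taken from the real file.

```python
"""Patch a FireWall-1 init.def with per-port ADD_TCP_TIMEOUT entries.

Added example, not Nokia's or Check Point's code. It assumes only what the
KB text states: ADD_TCP_TIMEOUT(port,timeout), entries (with the trailing
comma) go immediately before the ADD_TCP_TIMEOUT(0,0) sentinel, and timeouts
above 7200 seconds must be written as a product such as 3600*4.
"""
import re
import sys
from typing import Dict, Iterator, List, Tuple

SENTINEL_PORT = 0
MAX_LITERAL = 7200  # the KB's 2-hour ceiling for a plain numeric timeout

# Matches "ADD_TCP_TIMEOUT(port,timeout)" with or without the trailing comma.
ENTRY_RE = re.compile(r"^\s*ADD_TCP_TIMEOUT\(\s*(\d+)\s*,\s*([^)]*?)\s*\)\s*,?\s*$")

# Constructed fragment standing in for $FWDIR/lib/init.def (not the real file).
SAMPLE_INIT_DEF = """\
// constructed init.def fragment for illustration
ADD_TCP_TIMEOUT(22,3600),
ADD_TCP_TIMEOUT(0,0)
"""


def timeout_expr(seconds: int) -> str:
    """Render a timeout the way init.def will accept it.

    Up to 7200 the plain number is used. Above that the KB says to write a
    product of a factor below 7200: whole hours become 3600*N like the KB's
    telnet example, otherwise the largest factor <= 7200 is used.
    """
    if seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    if seconds <= MAX_LITERAL:
        return str(seconds)
    if seconds % 3600 == 0:
        return f"3600*{seconds // 3600}"
    for base in range(MAX_LITERAL, 1, -1):
        if seconds % base == 0:
            return f"{base}*{seconds // base}"
    raise ValueError(f"{seconds} has no factor <= {MAX_LITERAL}; pick a nearby value")


def _entries(lines: List[str]) -> Iterator[Tuple[int, int, str]]:
    """Yield (line index, port, timeout expression) for every ADD_TCP_TIMEOUT line."""
    for idx, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if m:
            yield idx, int(m.group(1)), m.group(2)


def parse_tcp_timeouts(init_def: str) -> Dict[int, str]:
    """Map each port in an init.def to its timeout expression (port 0 is the sentinel)."""
    return {port: expr for _, port, expr in _entries(init_def.splitlines())}


def add_tcp_timeouts(init_def: str, timeouts: Dict[int, int]) -> str:
    """Return init_def with one ADD_TCP_TIMEOUT entry per requested port.

    An existing entry for a port is rewritten in place so the table never
    carries two settings for the same port; new entries go directly before
    the ADD_TCP_TIMEOUT(0,0) sentinel. Re-applying the same mapping is a no-op.
    """
    lines = init_def.splitlines()
    entries = list(_entries(lines))
    sentinels = [idx for idx, port, expr in entries if port == SENTINEL_PORT and expr == "0"]
    if not sentinels:
        raise ValueError("ADD_TCP_TIMEOUT(0,0) sentinel not found; refusing to guess where entries go")
    sentinel_idx = sentinels[0]
    existing = {port: idx for idx, port, _ in entries if port != SENTINEL_PORT and idx < sentinel_idx}

    new_lines = []
    for port, seconds in sorted(timeouts.items()):
        if not 1 <= port <= 65535:
            raise ValueError(f"bad TCP port {port}")
        entry = f"ADD_TCP_TIMEOUT({port},{timeout_expr(seconds)}),"  # the comma is required
        if port in existing:
            lines[existing[port]] = entry
        else:
            new_lines.append(entry)
    lines[sentinel_idx:sentinel_idx] = new_lines
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # telnet to 4 hours (the KB's example), ssh down to 10 minutes,
    # and a hypothetical service on 8080 at the KB's 14000-second NAT figure
    sys.stdout.write(add_tcp_timeouts(SAMPLE_INIT_DEF, {23: 4 * 3600, 22: 600, 8080: 14000}))
```

The script only produces text: diff its output against the original, keep a backup, and then copy it over $FWDIR/lib/init.def yourself. It covers only the simple-TCP table; the FTP control connection, the non-simple services handled in other .def files, and the pre-4.0 SP3 NAT kernel variables still need the separate changes the KB text above describes.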
-----Original Message-----
From: Cihan Subasi (Garanti Teknoloji) [mailto:[email protected]]
Sent: Tuesday, October 03, 2000 2:05 AM
To: 'Jeff Hochberg'; [email protected]
Subject: RE: [FW1] TCP Timeout question


How you do that?

-----Original Message-----
From: Jeff Hochberg [mailto:[email protected]]
Sent: Tuesday, October 03, 2000 12:37 AM
To: [email protected]
Cc: [email protected]
Subject: RE: [FW1] TCP Timeout question



There is a way to change the TCP timeout on a per-service basis (i.e. telnet
or ftp), but not for specific rules.

-Jeff

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
[email protected]
Sent: Monday, October 02, 2000 5:45 PM
To: [email protected]
Subject: [FW1] TCP Timeout question



Howdy all - I know about the default TCP timeout, but is it possible to
change the TCP timeout for specific rules or objects?

Specifically, I've got a telnet session that I don't want the firewall to
terminate every hour (it's getting dropped at the moment), but I only want
the longer timeout set for a specific rule, not the entire rulebase.

Thanks,

John Baddiley
Senior Technologist
Bank of New Zealand



WARNING: The contents of this E-mail may contain information that is legally
        privileged and/or confidential to the named recipient. This information
        is not to be used by any other person and/or organisation. The views
        expressed in this document do not necessarily reflect those of the Bank
        of New Zealand.




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

   All contents © 2003 Network Presence, LLC. All rights reserved.