
Re: [FW1] TCP Session Timeout



I don't know of a way to disable this timeout for a particular rule or
service. However, you may open a new session when
needed.

First, I describe your needs again to be certain that I have
understood them well:
One of your applications opens a session on the firewall when it
establishes its TCP session to another server. Your application
doesn't talk for a period longer than 3600 seconds and then talks
again, but the session has been terminated on the firewall.

If the server (that initiated the TCP connection) sends the first
IP packet after the timeout, then the session on the firewall
can be automatically opened if you allow "non SYN rulebase match"
(as described in "CheckPoint VPN-1/FireWall-1 Version 4.1
SP2 Release Notes", page 9). To do it, uncomment the line:
/*#define ALLOW_NON_SYN_RULEBASE_MATCH */
in the file $FWDIR/lib/fwui_head.def.
Compile the rules again and download them to your firewall.

If the contacted server (that accepted the TCP connection) sends
the first IP packet after the timeout, then a new session cannot
be opened on the firewall. So, you can allow "non SYN rulebase
match" as described above and add a new rule (number 12 for
example) just after the rule that allows your TCP connection (so
number 11). In this rule (number 12), you define a new TCP service
with source port equal to the destination port in the TCP service
of rule 11. Define, in that new service, a destination port bigger
than 1023 (dynamic ports) with the string ">1023". Restrict rule 12
with source IP equal to the destination IP of rule 11 and
destination IP equal to the source IP of rule 11. When the IP packet
arrives on the firewall, rule 12 matches and a session is opened.
When the response comes back from the other server, then rule 11
matches and a new session is opened, equal to the session that had
been terminated because of the inactivity timeout. The session
opened by rule 12 will die silently after 3600 seconds.
If you use translation with manual rules, don't forget to convert
(in rule 12) the object that represents your private IP to the
object that represents your official IP and vice versa. You
cannot do it if you are using Hide translation; only static
translation is compatible.

Imagine an SQLnet connection on port 1523 from server HostA to
server HostB. HostA establishes an SQLnet session to HostB.
No IP packet is sent or received for more than 3600 seconds.
The session on the firewall has been terminated. The rules must be:

Number  Source  Destination     Service                 Action
--------------------------------------------------------------
11      HostA   HostB           sqlnet                  accept
                                TCP
                                dstport=1523
                                srcportrange=any
--------------------------------------------------------------
12      HostB   HostA           sqlnet-reverse          accept
                                TCP
                                dstport=>1023
                                srcportrange=
                                from 1523 to 1523

This solution allows any TCP/IP packet to open a session on the
firewall if a rule matches and allows it. Version 4.1 SP2
enforces security by only allowing "opening TCP connection" packets
to open a new session on the firewall. You can decide to
permit it on your network and resolve your problem.

I hope I was clear enough.

Gaétan

"Murphy, Paul" wrote:
> 
> Hi group.
> 
> So suppose I want a TCP session to be "always on"?   TCP Sessions are timed
> out after the policy property settings; currently 3600 seconds for me.
> 
> I have an application that is so well written that it requires a TCP session
> to be open indefinitely.  Is it possible to remove the time out altogether,
> or even better, is there a way to remove the timeout for a particular rule
> or service?
> 
> Cheers,
> 
> Paul.
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
Gaetan Blenet
Network and Telecom Manager (Responsable Réseaux Télécom)
ORT (a company of the REUTERS Group), Technical Resources and Production
Chateau de Sens, Rochecorbon, 37210 France
Tel: +33 2 4762 6262, Fax: +33 2 4762 6227
http://www.ort.fr
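The following Python model is an added illustration for this archive page and is not code from the thread or from Check Point. It replays the mechanism Gaétan describes: a stateful firewall with a 3600 second inactivity timeout, the effect of ALLOW_NON_SYN_RULEBASE_MATCH when either side talks first after the silence, the reverse rule 12 that lets HostB's packet re-open state, and the cost he warns about (any packet that matches a rule now opens a session). The Firewall, Packet and Rule classes, the direction-independent connection key and the client port 40000 are assumptions of this toy model; the hosts, ports, rule numbers and timeout are the ones in the thread.

```python
"""Toy model of the FW-1 behaviour discussed above. Added example for this
page, not Check Point code: Firewall, Packet, Rule and the connection key
are assumptions of the model; hosts, ports, rule numbers and the 3600 s
timeout come from the thread."""
from dataclasses import dataclass

TCP_TIMEOUT = 3600               # seconds; the policy property value in the thread
ANY_PORT = range(0, 65536)
HIGH_PORTS = range(1024, 65536)  # the ">1023" dynamic port range of rule 12


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool        # True for a "TCP connection opening" packet
    t: int           # arrival time in seconds


@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    dst: str
    dport: range
    sport: range

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and p.dport in self.dport and p.sport in self.sport)


# Rule 11: sqlnet, HostA -> HostB, dst port 1523, any source port.
RULE_11 = Rule(11, "HostA", "HostB", range(1523, 1524), ANY_PORT)
# Rule 12: sqlnet-reverse, HostB -> HostA, dst port >1023, src port 1523.
RULE_12 = Rule(12, "HostB", "HostA", HIGH_PORTS, range(1523, 1524))


class Firewall:
    """Stateful inspection with an inactivity timeout (assumed model)."""

    def __init__(self, rules, allow_non_syn_rulebase_match=False):
        self.rules = list(rules)
        self.allow_non_syn = allow_non_syn_rulebase_match
        self.connections = {}    # connection key -> time of last packet seen

    @staticmethod
    def _key(p: Packet):
        # Direction independent, so a reply updates the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        last = self.connections.get(key)
        if last is not None:
            if p.t - last < TCP_TIMEOUT:
                self.connections[key] = p.t
                return "accept: existing connection"
            del self.connections[key]        # silently expired by inactivity
        # No state: only the rulebase can let this packet through, and by
        # default only a connection-opening packet may consult it.
        if not p.syn and not self.allow_non_syn:
            return "drop: non-SYN packet without state"
        for r in self.rules:
            if r.matches(p):
                self.connections[key] = p.t
                return f"accept: rule {r.number}"
        return "drop: no rule matched"


def run(allow_non_syn: bool, with_rule_12: bool, server_talks_first: bool) -> dict:
    """Handshake, more than 3600 s of silence, then one side talks again."""
    fw = Firewall([RULE_11, RULE_12] if with_rule_12 else [RULE_11],
                  allow_non_syn_rulebase_match=allow_non_syn)
    a_to_b = dict(src="HostA", dst="HostB", sport=40000, dport=1523)  # assumed client port
    b_to_a = dict(src="HostB", dst="HostA", sport=1523, dport=40000)
    out = {}
    out["syn"] = fw.handle(Packet(**a_to_b, syn=True, t=0))
    out["syn_ack"] = fw.handle(Packet(**b_to_a, syn=True, t=1))
    out["data"] = fw.handle(Packet(**a_to_b, syn=False, t=2))
    first, second = (b_to_a, a_to_b) if server_talks_first else (a_to_b, b_to_a)
    out["after_timeout"] = fw.handle(Packet(**first, syn=False, t=5000))
    out["reply"] = fw.handle(Packet(**second, syn=False, t=5001))
    return out


def unsolicited_probe(allow_non_syn: bool) -> str:
    """Cost of the workaround: a bare ACK from HostB port 1523 to a high
    port on HostA, with no handshake at all."""
    fw = Firewall([RULE_11, RULE_12], allow_non_syn_rulebase_match=allow_non_syn)
    return fw.handle(Packet("HostB", "HostA", 1523, 55555, syn=False, t=0))


if __name__ == "__main__":
    for cfg in [(False, False, False), (True, False, False),
                (True, False, True), (True, True, True)]:
        r = run(*cfg)
        print(cfg, r["after_timeout"], "/", r["reply"])
    print("probe:", unsolicited_probe(True))
```

With the default configuration both sides are dropped after the silence. With non-SYN matching alone, HostA can resume (rule 11 matches its packet) but HostB cannot, because rule 11 never matches a HostB-sourced packet. With rule 12 added, HostB's first packet opens state and HostA's reply rides on it. The probe shows the trade-off: once non-SYN matching is on, any packet from HostB port 1523 to any high port on HostA is accepted without a handshake.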


   All contents © 2004 Network Presence, LLC. All rights reserved.