
Re: [FW1] TCP Session Timeout



On Wed, 18 Oct 2000, Gaetan J. BLENET wrote:

> First, I describe your needs again to be certain that I have
> understood them well:
> One of your applications opens a session on the firewall when it
> establishes its TCP session to another server. Your application
> doesn't talk for longer than 3600 seconds and then talks
> again, but the session has been terminated on the firewall.

I have a paper that details the functionality of the state table;
this may help answer your questions.  It covers the TCP Timeout and
SYN matching issues.

http://www.enteract.com/~lspitz/fwtable.html

hope this helps :)

lance

> If the server (that initiated the TCP connection) sends the first
> IP packet after the timeout, then the session on the firewall
> can be automatically opened if you allow "non SYN rulebase match"
> (as described in "CheckPoint VPN-1/FireWall-1 Version 4.1
> SP2 Release Notes", page 9). To do it, uncomment the line:
> /*#define ALLOW_NON_SYN_RULEBASE_MATCH */
> in the file $FWDIR/lib/fwui_head.def.
> Compile the rules again and download them to your firewall.
> 
> If the contacted server (that accepted the TCP connection) sends
> the first IP packet after the timeout, then a new session
> cannot be opened on the firewall. So, you can allow "non
> SYN rulebase match" as described above and add a new
> rule (number 12 for example) just after the rule that allows your TCP
> connection (so number 11). In this rule (number 12),
> you define a new TCP service with source port equal to the
> destination port in the TCP service of rule 11. Define, in that new
> service, a destination port bigger than 1023 (dynamic ports) with the
> string ">1023". Restrict rule 12 with source IP equal
> to the destination IP of rule 11 and destination IP equal to the
> source IP of rule 11. When the IP packet arrives on the
> firewall, rule 12 matches and a session is opened. When the response
> comes back from the other server, then rule 11 matches
> and a new session is opened, equal to the session that had been
> terminated because of the inactivity timeout. The session opened
> by rule 12 will die silently after 3600 seconds.
> If you use translation with manual rules, don't forget to convert
> (in rule 12) the object that represents your private IP to the
> object that represents your official IP and vice versa. You
> cannot do it if you are using Hide translation; only static
> translation is compatible.
> 
> Imagine a SQLnet connection on port 1523 from server HostA to
> server HostB. HostA establishes a SQLnet session to HostB.
> No IP packet is sent or received for more than 3600 seconds.
> The session on the firewall has been terminated. The rules must be:
> 
> Number  Source  Destination     Service                 Action
> --------------------------------------------------------------
> 11      HostA   HostB           sqlnet                  accept
>                                 TCP
>                                 dstport=1523
>                                 srcportrange=any
> --------------------------------------------------------------
> 12      HostB   HostA           sqlnet-reverse          accept
>                                 TCP
>                                 dstport=>1023
>                                 srcportrange=
>                                 from 1523 to 1523
> 
> This solution allows any TCP IP packet to open a session on the
> firewall if a rule matches and allows it. Version 4.1 SP2
> enforces security by only allowing "opening TCP connection" packets to
> open a new session on the firewall. You can decide to
> permit it on your network and resolve your problem.
> 
> I hope I was clear enough.
> 
> Gaëtan
> 
> "Murphy, Paul" wrote:
> > 
> > Hi group.
> > 
> > So suppose I want a TCP session to be "always on"?   TCP Sessions are timed
> > out after the policy property settings; currently 3600 seconds for me.
> > 
> > I have an application that is so well written that it requires a TCP session
> > to be open indefinitely.  Is it possible to remove the time out altogether,
> > or even better, is there a way to remove the timeout for a particular rule
> > or service?
> > 
> > Cheers,
> > 
> > Paul.
> > 

-- 
Lance Spitzner
http://www.enteract.com/~lspitz
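A constructed Python model of the behaviour the thread describes, added here as an illustration (it is not code from the list posting, from Lance's paper or from CheckPoint): a connection table with the 3600-second inactivity timeout, the "non SYN rulebase match" switch, and rules 11 and 12 from Gaëtan's table. It assumes a client port of 40000 and keys the table on the unordered endpoint pair, so the reply direction is admitted from the table rather than by a second rulebase lookup.

```python
"""Toy model of a stateful firewall connection table with an inactivity timeout
and an optional "non-SYN rulebase match". Constructed; not CheckPoint's code."""
from collections import namedtuple

TIMEOUT = 3600  # TCP session timeout from the policy properties (seconds)
Packet = namedtuple("Packet", "src dst sport dport syn", defaults=[False])
Rule = namedtuple("Rule", "number src dst sports dports")

# Rule 11: HostA -> HostB, sqlnet (dst 1523, any source port).
# Rule 12: HostB -> HostA, "sqlnet-reverse" (src 1523, dst > 1023).
RULES = [Rule(11, "HostA", "HostB", range(65536), range(1523, 1524)),
         Rule(12, "HostB", "HostA", range(1523, 1524), range(1024, 65536))]

def rule_matches(r, p):
    return (p.src, p.dst) == (r.src, r.dst) and p.sport in r.sports and p.dport in r.dports

def flow_key(p):
    # Both directions of one flow share a table entry (unordered endpoint pair).
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Firewall:
    def __init__(self, allow_non_syn_rulebase_match=False):
        self.allow_non_syn = allow_non_syn_rulebase_match
        self.table = {}  # flow key -> time the last packet was seen

    def handle(self, p, now):
        """Return what admitted p: 'state', 'rule N' or 'drop'."""
        key = flow_key(p)
        last = self.table.get(key)
        if last is not None and now - last <= TIMEOUT:
            self.table[key] = now  # live entry: refresh it, no rulebase lookup
            return "state"
        self.table.pop(key, None)  # expired (or never seen)
        if not p.syn and not self.allow_non_syn:
            return "drop"  # 4.1 SP2 default: only a SYN may open a session
        for r in RULES:
            if rule_matches(r, p):
                self.table[key] = now
                return f"rule {r.number}"
        return "drop"

def sqlnet_scenario(allow_non_syn, server_speaks_first):
    """HostA opens SQLnet to HostB, the flow idles past TIMEOUT, one side talks."""
    fw = Firewall(allow_non_syn)
    a2b = Packet("HostA", "HostB", 40000, 1523)  # 40000: constructed client port
    b2a = Packet("HostB", "HostA", 1523, 40000)
    fw.handle(a2b._replace(syn=True), 0)  # SYN matches rule 11, session opened
    first, second = (b2a, a2b) if server_speaks_first else (a2b, b2a)
    t = TIMEOUT + 1  # idle longer than the timeout
    return fw.handle(first, t), fw.handle(second, t + 1)
```

With the default setting both idle-then-resume cases are dropped; with the switch on, the client's packet re-matches rule 11 while the server's packet needs rule 12.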



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 