Re: [FW1] TCP Session Timeout
On Wed, 18 Oct 2000, Gaetan J. BLENET wrote:

> First, I describe again your needs to be certain that I had well
> understood:
> One of your applications opens a session on the firewall when it
> establishes its TCP session to another server. Your application
> doesn't talk for a time longer than 3600 seconds and then talks
> again, but the session has been terminated on the firewall.

I have a paper that details the functionality of the state table; this
may help answer your questions. It covers the TCP Timeout and SYN
matching issues.

http://www.enteract.com/~lspitz/fwtable.html

Hope this helps :)

lance

> If the server (that initiated the TCP connection) sends the first
> IP packet after the timeout, then the session on the firewall
> can be automatically opened if you allow "non SYN rulebase match"
> (as described in "CheckPoint VPN-1/FireWall-1 Version 4.1
> SP2 Release Notes", page 9). To do it, uncomment the line:
> /*#define ALLOW_NON_SYN_RULEBASE_MATCH */
> in the file $FWDIR/lib/fwui_head.def.
> Compile the rules again and download to your firewall.
>
> If the contacted server (that accepted the TCP connection) sends
> the first IP packet after the timeout, then the session on the
> firewall cannot be opened as a new session. So, you can allow "non
> SYN rulebase match" as described above and add a new
> rule (number 12 for example) just after the rule that allows your TCP
> connection (so number 11). In this rule (number 12),
> you define a new TCP service with source port equal to the
> destination port in the TCP service of rule 11. Define, in that new
> service, a destination port bigger than 1023 (dynamic ports) with
> the string ">1023". Restrict rule 12 with source IP equal
> to the destination IP of rule 11 and destination IP equal to the
> source IP of rule 11. When the IP packet arrives on the
> firewall, rule 12 matches and a session is opened. When the response
> comes back from this other server, then rule 11 matches
> and a new session is opened, equal to the session that had been
> terminated because of the inactivity timeout. The session opened
> by rule 12 will die silently after 3600 seconds.
> If you use translation with manual rules, don't forget to convert
> (in rule 12) the object that represents your private IP to the
> object that represents your official IP and vice versa. You
> cannot do it if you are using Hide translation; only static
> translation is compatible.
>
> Imagine a SQLnet connection on port 1523 from server HostA to
> server HostB. HostA establishes a SQLnet session to HostB.
> No IP packet is sent or received for more than 3600 seconds.
> The session on the firewall has been terminated. Rules must be:
>
> Number  Source  Destination  Service            Action
> --------------------------------------------------------------
> 11      HostA   HostB        sqlnet             accept
>                              TCP
>                              dstport=1523
>                              srcportrange=any
> --------------------------------------------------------------
> 12      HostB   HostA        sqlnet-reverse     accept
>                              TCP
>                              dstport=>1023
>                              srcportrange=
>                                from 1523 to 1523
>
> This solution allows any TCP/IP packet to open a session on the
> firewall if a rule matches and allows it. Version 4.1 SP2
> enforces security by only allowing "opening TCP connection" packets to
> open a new session on the firewall. You can decide to
> permit it on your network and resolve your problem.
>
> I hope I was clear enough.
>
> Gaétan
>
> "Murphy, Paul" wrote:
> >
> > Hi group.
> >
> > So suppose I want a TCP session to be "always on"? TCP sessions are timed
> > out after the policy property settings; currently 3600 seconds for me.
> >
> > I have an application that is so well written that it requires a TCP session
> > to be open indefinitely. Is it possible to remove the time out altogether,
> > or even better, is there a way to remove the timeout for a particular rule
> > or service?
> >
> > Cheers,
> >
> > Paul.
-- 
Lance Spitzner
http://www.enteract.com/~lspitz

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
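The behaviour Gaétan describes (an idle entry aging out of the state table, a non-SYN packet being dropped unless ALLOW_NON_SYN_RULEBASE_MATCH is on, and the "sqlnet-reverse" rule 12 being needed when HostB is the first to talk) as a toy state-table model. This is an added example written for this page, not Check Point code and not how FireWall-1 really implements its table; the hosts, the client port 40000, the packet timings and the forged packet are constructed, and the model keeps one direction-independent entry per connection, which is a simplification. It also runs two scenarios the thread only implies: a non-SYN packet with no handshake opening a session once rule 12 and the non-SYN match are in place, and the same idle session surviving when the client sends traffic at intervals shorter than the timeout.

```python
"""Toy model of a stateful firewall's TCP state table (added example;
not Check Point code). Illustrates the inactivity timeout, SYN-only
versus non-SYN rulebase matching, and the "sqlnet-reverse" rule 12."""
from dataclasses import dataclass, field

TIMEOUT = 3600  # the thread's TCP session timeout, in seconds


@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    dst: str
    dports: range  # allowed destination ports
    sports: range  # allowed source ports


@dataclass(frozen=True)
class Packet:
    t: float       # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool      # True only for a connection-opening SYN


# Rules 11 and 12 from Gaétan's table: sqlnet HostA -> HostB on 1523, and the
# reverse rule HostB -> HostA with source port 1523 and destination port >1023.
RULE_11 = Rule(11, "HostA", "HostB", range(1523, 1524), range(0, 65536))
RULE_12 = Rule(12, "HostB", "HostA", range(1024, 65536), range(1523, 1524))


@dataclass
class StateTable:
    rules: list
    allow_non_syn: bool = False   # models ALLOW_NON_SYN_RULEBASE_MATCH
    timeout: float = TIMEOUT
    sessions: dict = field(default_factory=dict)  # key -> time of last packet

    @staticmethod
    def key(p: Packet) -> frozenset:
        # Direction-independent 4-tuple so the reply hits the same entry
        # (simplification: the real product keeps richer per-direction state).
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def expire(self, now: float) -> None:
        # Age out every entry idle for longer than the timeout.
        for k in [k for k, last in self.sessions.items() if now - last > self.timeout]:
            del self.sessions[k]

    def rulebase_match(self, p: Packet):
        for r in self.rules:
            if (p.src, p.dst) == (r.src, r.dst) and p.dport in r.dports and p.sport in r.sports:
                return r.number
        return None

    def inspect(self, p: Packet) -> tuple:
        """Return ("accept", why) or ("drop", why) for one packet."""
        self.expire(p.t)
        k = self.key(p)
        if k in self.sessions:            # mid-stream packet of a known session
            self.sessions[k] = p.t
            return "accept", "state table"
        if not p.syn and not self.allow_non_syn:
            return "drop", "non-SYN packet with no state entry"
        rule = self.rulebase_match(p)     # a SYN (or any packet, if allowed) consults the rules
        if rule is None:
            return "drop", "no matching rule"
        self.sessions[k] = p.t            # a rule match opens a new entry
        return "accept", f"rule {rule}"


def verdicts(rules, allow_non_syn, packets):
    """Run a packet sequence through a fresh state table; return the verdicts."""
    fw = StateTable(list(rules), allow_non_syn)
    return [fw.inspect(p)[0] for p in packets]


# Constructed traffic: HostA:40000 opens sqlnet to HostB:1523, then both sides idle > 3600 s.
SYN = Packet(0, "HostA", 40000, "HostB", 1523, syn=True)
A_AFTER_IDLE = Packet(5000, "HostA", 40000, "HostB", 1523, syn=False)
B_AFTER_IDLE = Packet(5000, "HostB", 1523, "HostA", 40000, syn=False)
A_REPLY = Packet(5001, "HostA", 40000, "HostB", 1523, syn=False)
# Constructed forged packet: claims to be HostB:1523 mid-stream, no handshake ever happened.
FORGED = Packet(0, "HostB", 1523, "HostA", 55555, syn=False)
# Constructed keepalive pattern: HostA sends something every 1800 s, inside the timeout.
KEEPALIVES = [SYN] + [Packet(t, "HostA", 40000, "HostB", 1523, syn=False) for t in (1800, 3600, 5400)]

if __name__ == "__main__":
    print("SYN-only matching, HostA talks after idle:", verdicts([RULE_11], False, [SYN, A_AFTER_IDLE]))
    print("non-SYN match, HostA talks first:         ", verdicts([RULE_11], True, [SYN, A_AFTER_IDLE]))
    print("non-SYN match, HostB talks first, no 12:  ", verdicts([RULE_11], True, [SYN, B_AFTER_IDLE]))
    print("non-SYN match, HostB talks first, with 12:", verdicts([RULE_11, RULE_12], True, [SYN, B_AFTER_IDLE, A_REPLY]))
    print("forged packet, rule 12 + non-SYN match:   ", verdicts([RULE_11, RULE_12], True, [FORGED]))
    print("keepalives under the timeout, SYN-only:   ", verdicts([RULE_11], False, KEEPALIVES))
```

The FORGED scenario is the cost Gaétan flags at the end of his message: once any matching packet may open an entry, a single spoofed segment from the service port to any high port on HostA creates state without a handshake, so rule 12 should be kept as narrow as the addresses allow. The KEEPALIVES scenario is the alternative for Paul's "always on" requirement: if either end sends traffic more often than the timeout, the entry is refreshed and neither the non-SYN match nor the reverse rule is needed.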