Re: AW: [FW1] WWW Timeout
> I'm not quite sure whether I understand the problem. WWW is stateless,
> unless I am mistaken. There is no WWW connection to be dropped if the user
> is idle. Other protocols are different, but that is totally unrelated to
> FW-1 being stateful. Stateful primarily means that you don't need back-rules
> for a connection (as you need with non-stateful packet filters) as the
> connection is kept in a state table. Being able to drop a connection after
> some idle time is a side effect. And not always wanted, I might add, see the
> post of Ben Karlo.
> Logging mail is possible as Ed describes. But I'd personally prefer to log
> mail volume somewhere else than on the firewall, as my logs tend to grow
> quite quickly.

Depends what you mean by stateless. WWW uses TCP/IP, and thus is 'connection
orientated' as opposed to UDP which is not. This means that you open a
connection, and data which is 'related' to that connection (i.e. like the data
from the web page) is sent back along the same connection.

It could be considered stateless in that HTTP requests can (and probably should)
be considered independent of one another.

Just because you have an HTTP GET coming from the same site as a previous one,
that doesn't mean it's the same person on the end (proxy server? NATed network).

Basically, each time someone wants a web page, their machine opens a new
connection. So unless you have some really really big web pages, a timeout is
unlikely. For example, an idle telnet is an open connection which hasn't
received any data for ages. Compare this to a web page get (telnet to a website
on port 80, type 'GET / HTTP/1.0') and you'll get a page sent, and the
connection closed.

If your intention is to stop 'idle' www users, because of the nature of web 
pages, it is impossible to determine. You can do it server side with a cookie or 
somesuch though.

My mail logging is done on a mail server, where it should be. Firewall was an 
example, but not a really practical one.

--
Ed Rolison
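The two cases Ed contrasts, a web page GET whose TCP connection the server closes as soon as the page is sent versus an idle connection that just sits open, can be observed with the following added example, which is not part of the original thread. It runs a constructed HTTP/1.0-style server on localhost; the ephemeral port, the page content and the one-second wait are assumptions.

```python
import socket
import threading

# Constructed example, not from the original post: a tiny HTTP/1.0-style server
# on localhost that answers one GET per TCP connection and then hangs up.
PAGE = b"hello, world"
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(PAGE) + PAGE

def handle(conn):
    with conn:                         # leaving the block closes the socket
        req = b""
        while b"\r\n\r\n" not in req:  # read until end of request headers
            chunk = conn.recv(1024)
            if not chunk:
                return                 # client went away without a request
            req += chunk
        conn.sendall(RESPONSE)         # send the page, then close (HTTP/1.0)

def start_server():
    """Listen on an ephemeral localhost port; returns the port number."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)
    def loop():
        while True:
            conn, _ = lst.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lst.getsockname()[1]

def probe(port, request, wait=1.0):
    """Connect, send `request` (possibly nothing), return (body, peer_closed):
    True if the server hung up within `wait` seconds, False if still open."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(wait)
    if request:
        s.sendall(request)
    data, closed = b"", False
    try:
        while True:
            chunk = s.recv(4096)
            if not chunk:              # b"" from recv() means the peer closed
                closed = True
                break
            data += chunk
    except socket.timeout:
        pass                           # nothing arrived: connection still open
    s.close()
    return data.partition(b"\r\n\r\n")[2], closed
```

`probe(port, b"GET / HTTP/1.0\r\n\r\n")` returns the page with `peer_closed` True, while `probe(port, b"")` models the idle telnet: no data, connection still open, and only a state-table idle timeout would ever remove it.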
