
Re: [FW-1] Question about open connections when closing firewall



It depends on whether or not you clear the state table when you push a new
rule.  There is a setting in $FWDIR/lib/table.def where you can not have the
state table flushed upon rule reload. Below is what it would look like if
you did not want to flush the state table, but other than that any rule push
will clear all connections and if a current connection does not meet the new
rules then yes it would be dropped.


old_connections = dynamic sync expires TCP_TIMEOUT keep kbuf 2;
proxied_conns = dynamic keep;
ftp_restrictions = dynamic;
connections = dynamic refresh keep sync expires TCP_START_TIMEOUT
                                expcall KFUNC_CONN_EXPIRE kbuf 1


The "keep" was added to the connections line.....

-----Original Message-----
From: Johan Sunnerstig [mailto:]
Sent: Monday, October 08, 2001 9:24 AM
To: [email protected]
Subject: [FW-1] Question about open connections when closing firewall

Hi.
I'm wondering, how does FW-1 handle open connections to a box, when you close
any inbound traffic to that box, are any open connections immediately cut
off, or are they allowed to finish their traffic?

Example, say we have a box 1.2.3.4, listening for traffic on port 1, and
connections remain open for an average of 60 seconds.

1) connection #1 is opened
2) firewall gets closed on port 1 to 1.2.3.4
3) any new inbound connections are obviously refused
4) the answer for connection #1 comes back

In this case, what would happen to #1?

Regards
Johan


============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====
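
Added example, not part of the original post or of Check Point's tooling: a small Python check that parses table definitions in the syntax quoted in the reply above and reports whether the connections table carries the keep attribute, which the reply says stops the state table from being flushed on a rule push. The sample text is constructed from the lines in the post; skipping lines that begin with # or // is an assumption about the rest of the file, and the function names are hypothetical.

```python
import re

# Constructed sample: the four definitions quoted in the post, same syntax.
SAMPLE = """\
old_connections = dynamic sync expires TCP_TIMEOUT keep kbuf 2;
proxied_conns = dynamic keep;
ftp_restrictions = dynamic;
connections = dynamic refresh keep sync expires TCP_START_TIMEOUT
                                expcall KFUNC_CONN_EXPIRE kbuf 1
"""


def parse_tables(text):
    """Return {table_name: [attribute tokens]} for 'name = attrs;' definitions."""
    # Assumption: lines starting with '#' or '//' are preprocessor or comment lines.
    body = "\n".join(
        line for line in text.splitlines()
        if not line.lstrip().startswith(("#", "//"))
    )
    tables = {}
    # A definition may span several lines and ends at ';'. The last one may
    # lack the ';', as the connections line does in the post.
    for chunk in body.split(";"):
        match = re.match(r"\s*(\w+)\s*=\s*(.*)", chunk, re.S)
        if match:
            tables[match.group(1)] = match.group(2).split()
    return tables


def keep_report(text, watched=("connections",)):
    """Map each watched table to True/False for 'keep', or None if undefined."""
    tables = parse_tables(text)
    return {
        name: ("keep" in tables[name]) if name in tables else None
        for name in watched
    }


if __name__ == "__main__":
    for name, kept in keep_report(SAMPLE, ("connections", "ftp_restrictions")).items():
        state = {True: "keep set: entries survive a rule push",
                 False: "no keep: entries are cleared on a rule push",
                 None: "table not defined"}[kept]
        print(f"{name}: {state}")
```

Run against a copy of $FWDIR/lib/table.def before and after a change to confirm which behaviour a rule push will have; a True result for connections means sessions that no longer match the new rules are not cleared by the push.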

   All contents © 2004 Network Presence, LLC. All rights reserved.