| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FW-1] AW: [FW-1] TCP session timeout and long FTP transfers
- To: [email protected]
- Subject: [FW-1] AW: [FW-1] TCP session timeout and long FTP transfers
- From: "Fritzsche, Bernd 2845 FIT-EN" <[email protected]>
- Date: Fri, 19 Oct 2001 09:41:49 +0200
- Comments: To: [email protected]
- Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
- Sender: Mailing list for discussion of Firewall-1 <[email protected]>
- Thread-index: AcFYIPQoVSGjJsP6EdWrzAADR2sAgwATqllw
- Thread-topic: [FW-1] TCP session timeout and long FTP transfers
Hello,
In fact FW-1 does not behave like you'd expect ;-)
We had a similar problem (FW-1 V4.1 SP4 on Solaris) and we solved
it like this:
go to the system where your management is running on (usually the
same as the filter, maybe an own management console in larger
installations) and edit the file "/opt/CPfw1-41/lib/init.def".
There at the end you will find the definitions for timeout
characteristics for specific ports.
Normally it reads like this:
#define ADD_TCP_TIMEOUT(port,to) (record <port;to> in
tcp_timeouts)
(
<0> in tcp_timeouts
) or (
ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
ADD_TCP_TIMEOUT(0,0)
);
And you should change it to read as follows
#define ADD_TCP_TIMEOUT(port,to) (record <port;to> in
tcp_timeouts)
(
<0> in tcp_timeouts
) or (
// ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
ADD_TCP_TIMEOUT(21,3600*n),
// where _n_ is your desired amount of hours
ADD_TCP_TIMEOUT(0,0)
);
If you had to change the other FTP port as well you could add
ADD_TCP_TIMEOUT(20,3600*8)
Then do a "fwstop; fwstart" and reinstall your rulebase.
This should fix your problem.
This problem is also mentioned at Phoneboy's Website
(http://www.phoneboy.com/faq/0203.html). Good luck!
Mit freundlichem Gruss / with kind regards,
Bernd Fritzsche - Network Engineering / FIT-EN
---
Heidelberger Druckmaschinen AG - Gutenbergstrasse - D-69168 Wiesloch
POTS/Fax +49 (0)6222 82 2845/3440 - [email protected]
> -----Ursprungliche Nachricht-----
> Von: Aleksey Mikhaylov [mailto:[email protected]]
> Gesendet: Donnerstag, 18. Oktober 2001 23:23
> An: [email protected]
> Betreff: [FW-1] TCP session timeout and long FTP transfers
>
>
> Hello,
>
> I'm seeing the following behavior on my firewall: when during
> FTP session
> the file transfer takes longer than TCP session timeout, the
> FTP control
> connection gets removed from the state table, even though
> there's activity
> on the ftp-data channel. Is this supposed to be like that ?
> I'd assume that even though there's no activity on the ftp control TCP
> connection for longer than session timeout, the connection
> should be kept in
> the table, because FTP data trasfer is part of the same session.
>
> Thank you,
>
> Aleksey
>
> Aleksey
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
|
|
