Re: [FW-1] State Table Problems
> Firewall-1 4.1SP5a (same problem with SP4), IPSO 3.4.1 SNMP.
> I have a problem with a connection through this firewall, and the
> behaviour I am seeing doesn't quite match Lance's description of how
> connections are built in Firewall-1.
>
> The initial SYN packet causes an entry in the state table with a 60 second
> timeout counting down. Lance's paper states that if a response to the SYN
> goes through the firewall, the connection is promoted to a full 3600
> second (TCP Timeout setting) entry in the state table.
>
> I have been looking at this recently, and I am seeing something
> different. I don't see the connection fully established until a data
> packet goes through. I.e., the three-way handshake completes, and still the
> connection is on a 60 second timeout. Once a data packet goes through,
> the timeout is promoted to 3600.

This is exactly how CheckPoint works. CheckPoint uses what amounts to a four-way handshake instead of just a three-way. This causes problems with some applications, as you may have seen. There was a very recent thread on the fw1-wizards mailing list recently about the same issue. You can search the list archives on www.phoneboy.com for this discussion.

-Don
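A simplified model of the two timeout behaviours compared in this thread, added here as an illustration; it is not Check Point code and not part of either message. The class, function and packet-label names are hypothetical, and the drop rule and timer-refresh rule are assumptions marked in the comments.

```python
SYN_TIMEOUT = 60    # seconds: timeout on the entry created by the SYN (from the thread)
TCP_TIMEOUT = 3600  # seconds: the "TCP Timeout setting" value quoted in the thread


class StateTable:
    """Toy connection table; promote_on names the packet that lifts the timeout."""

    def __init__(self, promote_on):
        if promote_on not in ("synack", "data"):
            raise ValueError("promote_on must be 'synack' or 'data'")
        self.promote_on = promote_on
        self.entries = {}  # conn id -> {"expires": int, "established": bool}

    def packet(self, now, conn, kind):
        """Process one packet at time `now`; return True if it is accepted."""
        entry = self.entries.get(conn)
        if entry and now >= entry["expires"]:
            del self.entries[conn]  # entry timed out before this packet arrived
            entry = None
        if kind == "syn":
            self.entries[conn] = {"expires": now + SYN_TIMEOUT, "established": False}
            return True
        if entry is None:
            return False  # assumption: a non-SYN packet with no entry is dropped
        if kind == self.promote_on:
            entry["established"] = True
        # assumption: every accepted packet restarts the timer at the entry's tier
        entry["expires"] = now + (TCP_TIMEOUT if entry["established"] else SYN_TIMEOUT)
        return True


def replay(promote_on, packets, conn="client:1025->server:23"):
    """Run (time, kind) packets through a fresh table; return accept/drop per packet."""
    table = StateTable(promote_on)
    return [(t, kind, table.packet(t, conn, kind)) for t, kind in packets]


# Constructed traffic: handshake completes, then the application idles for two minutes
IDLE_AFTER_HANDSHAKE = [(0, "syn"), (1, "synack"), (2, "ack"), (122, "data")]

if __name__ == "__main__":
    for model in ("synack", "data"):
        print(model, replay(model, IDLE_AFTER_HANDSHAKE))
```

With promotion on the SYN response the late data packet is accepted; with promotion on the first data packet the entry has already expired, which matches the application problems mentioned in the reply.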