Re: [FW-1] FTP control session timeout
Well, that's the thing. The reason your session is getting flushed is because it has been inactive for a long period of time. Unfortunately it would require infinite memory to keep track of all open states (a state that hasn't gone through FIN/FIN-ACK to close), so the firewall needs to flush states that are getting stale so that memory doesn't run out. So what is happening is your state is being flushed as it has been idle for so long.

What the below command does is watch for sessions that look like they are established (i.e., SYN bit not set) and then compare that packet to the rulebase. If it matches a rule in the rulebase, it allows the packet through and re-enters it into the state table. Unfortunately, you lost all the state information when you flushed it the first time, so the sequence number may be wrong, but the firewall won't know. So it is a bit of a security risk, but the firewall can emulate having an infinite number of sessions open.

> What happens to the state table when you do this?
>
> >I haven't visited this list in a while so I apologize if this is old news.
> >We have a problem with FTP control sessions timing out of the state table
> >before the data session has ended.
>
> In fwui_head.def, add/uncomment the line:
>
> #define ALLOW_NON_SYN_RULEBASE_MATCH
>
> That will allow sessions to stay open "indefinitely".

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
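To make the trade-off described in the reply concrete, here is an added toy simulation (not from the thread and not Check Point's code) of a state table with an idle timeout and a switch standing in for ALLOW_NON_SYN_RULEBASE_MATCH; the packet format, addresses, rulebase and timeout values are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP flag bits used by the simulation
Packet = namedtuple("Packet", "src dst dport flags ts")  # ts = arrival time (s)


@dataclass
class StateTable:
    idle_timeout: float   # seconds before an idle entry is flushed
    non_syn_match: bool   # emulates ALLOW_NON_SYN_RULEBASE_MATCH
    accept_ports: set     # toy rulebase: destination ports the rules accept
    entries: dict = field(default_factory=dict)  # (src, dst, dport) -> last seen

    def _flush_stale(self, now):
        # Idle entries are dropped so the table cannot grow without bound.
        for key in [k for k, last in self.entries.items() if now - last > self.idle_timeout]:
            del self.entries[key]

    def inspect(self, pkt):
        self._flush_stale(pkt.ts)
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.entries:  # known session: accept and refresh its timer
            self.entries[key] = pkt.ts
            return "accept"
        # No state. Normally only a SYN may consult the rulebase; with the
        # define, a non-SYN packet is compared to the rulebase as well and, if
        # it matches, re-enters the table (the old sequence info is gone).
        if (pkt.flags & SYN or self.non_syn_match) and pkt.dport in self.accept_ports:
            self.entries[key] = pkt.ts
            return "accept"
        return "drop"


def ftp_control_after_idle(non_syn_match, idle_timeout=3600.0):
    """Constructed scenario: an FTP control session sits idle past the
    timeout during a long transfer; returns the verdicts on its packets."""
    fw = StateTable(idle_timeout, non_syn_match, accept_ports={21})
    client, server = "10.0.0.5", "192.0.2.21"  # constructed addresses
    return [
        fw.inspect(Packet(client, server, 21, SYN, 0.0)),     # handshake starts
        fw.inspect(Packet(client, server, 21, ACK, 1.0)),     # session established
        fw.inspect(Packet(client, server, 21, ACK, 5000.0)),  # first control packet after the idle gap
    ]


if __name__ == "__main__":
    print("default:    ", ftp_control_after_idle(False))  # last packet dropped: state was flushed
    print("with define:", ftp_control_after_idle(True))   # last packet re-admitted via the rulebase
```

Raising idle_timeout above the gap keeps the entry alive in both modes, which shows the two ways the timed-out control session can be kept: a longer timeout that tracks the real session, or the define, which re-admits any rulebase-matching non-SYN packet without the original state.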