
Re: [FW-1] unknown established packets



What timeout values are we talking about?

There's tcpstarttimeout at 60 seconds. It is not uncommon for this to be too
low; we usually set it at 180 or 240.

There's the general TCP timeout at 3600 seconds (one hour); that is fine for
most protocols. There are some braindead protocols that do not send
keepalives and expect a connection to be alive after hours of idle time. You
can raise the timeout for those ports and those ports only, and b*tch at the
manufacturer of the application that behaves that way in the meantime.

Also, some connections will not be closed properly, and thus one end will
think the connection is still alive and try to communicate again after, say,
more than an hour, also leading to a rule 0 drop. That is a source of rule 0
drops; it is normal, and not a reason to worry. I don't think you can ever
get rid of all rule 0 drops completely. :)

Shawn

> -----Original Message-----
> From: Baldin, Vince [mailto:[email protected]]
> Sent: Friday, October 18, 2002 10:07 AM
> To: [email protected]
> Subject: Re: [FW-1] unknown established packets
>
>
> Is it common to have to change the timeout value from the
> default?  I see it happen pretty frequently, and it's not a
> routing problem.  Do you know of a best value?
>
>
>  -----Original Message-----
> From:   Sean Swart [mailto:[email protected]]
> Sent:   Friday, October 18, 2002 8:39 AM
> To:     [email protected]
> Subject:             Re: [FW-1] unknown established packets
>
> This is erasing the traces of a problem, NOT solving it. The errors
> are there for a reason?
>
> Solution
>
> fix that routing.
>
> This is indicative of poor or bad routing. Unknown established packets
> are because of two primary reasons (others exist).
>
> 1    timeout values are low/the state table for the firewall is
> depleting quickly (not the most common issue)
>
> 2    packets leave one interface and return via another (the
> most common cause and is routing related)
>
> I suggest you look carefully at those logs and you will find a packet
> leaves one interface and returns via another.
>
> Also look at things like the NATting. Are you hiding your network behind
> an interface with a public IP, or do you have a public IP on your
> internal interface on which you are NATting? If this is the case, look at
> your install on section for rules, some would indicate check packet in
> each direction other only INBOUND or OUTBOUND etc.
>
>
> Sean
>
> Girish Dixit wrote:
>
> > hi,
> >
> > This can be resolved by editing the file $FWDIR/lib/fwui_head.def
> >
> > There is a line in this file:
> >
> > # define_allow_non_sync_rulebase_match #
> >
> > You will have to uncomment this line to take care of this issue.
> >
> > Regards,
> > -Girish
> >
> > -----Original Message-----
> > From: Jochen Vogel [mailto:[email protected]]
> > Sent: Thursday, October 17, 2002 12:14 PM
> > To: [email protected]
> > Subject: [FW-1] unknown established packets
> >
> > hi,
> >
> > I have a 4.1 and problems with broken pipes in SQL connections.
> > If I watch the logs I can see a lot of unknown established packets
> > for SQL and HTTP connections.
> > Is the firewall or the session the problem?
> > What can I do?
> >
> > thx for help
> > Jochen


Please note that:

1. This e-mail may constitute privileged information. If you are not the intended recipient, you have received this confidential email and any attachments transmitted with it in error and you must not disclose, copy, circulate or in any other way use or rely on this information.
2. E-mails to and from the company are monitored for operational reasons and in accordance with lawful business practices.
3. The contents of this email are those of the individual and do not necessarily represent the views of the company.
4. The company does not conclude contracts by email and all negotiations are subject to contract.
5. The company accepts no responsibility once an e-mail and any attachments is sent.

http://www.activis.com
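The thread above discusses three things without showing them side by side: a handshake that outlives tcpstarttimeout, an established session that sits idle longer than the one-hour TCP timeout (with a per-port override as the fix), and the fwui_head.def define that lets non-SYN packets with no state be matched against the rulebase instead of dropped on rule 0. The following is an added example, not Check Point code and not from anyone in the thread: a small Python model of a stateful TCP inspection table that reproduces those three behaviours. The addresses, ports and packet sequence are constructed; the timeout names are borrowed from the thread only as labels; and the modelling of allow_non_sync_rulebase_match as "run the out-of-state packet through the rulebase" is an assumption about what that define does, not a description of FW-1 internals.

```python
"""Toy stateful TCP inspection table: state timeouts and rule 0 'unknown established' drops.

Constructed example, not Check Point code. Timeout names follow the thread; the
allow_non_sync_rulebase_match flag is an assumed model of the fwui_head.def define.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, int, str, int]   # (client, client port, server, server port)


@dataclass
class Packet:
    t: float      # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags as letters: S=SYN, A=ACK, P=PSH, F=FIN


@dataclass
class Entry:
    established: bool   # False until the handshake's third packet is seen
    last_seen: float


@dataclass
class StatefulFirewall:
    rulebase: List[Tuple[int, str]]                      # (server port, "accept"/"drop")
    tcp_start_timeout: float = 60.0                      # handshake must finish within this
    tcp_timeout: float = 3600.0                          # idle limit for established sessions
    per_port_timeout: Dict[int, float] = field(default_factory=dict)  # idle overrides by server port
    allow_non_sync_rulebase_match: bool = False          # assumed model of the fwui_head.def define
    table: Dict[Key, Entry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _rulebase(self, server_port: int) -> str:
        for port, action in self.rulebase:
            if port == server_port:
                return action
        return "drop"   # implicit cleanup rule

    def _expire(self, now: float) -> None:
        """Forget half-open sessions after tcp_start_timeout, established ones after their idle limit."""
        for key, e in list(self.table.items()):
            if e.established:
                limit = self.per_port_timeout.get(key[3], self.tcp_timeout)
            else:
                limit = self.tcp_start_timeout
            if now - e.last_seen > limit:
                del self.table[key]

    def inspect(self, p: Packet) -> str:
        self._expire(p.t)
        fwd: Key = (p.src, p.sport, p.dst, p.dport)   # packet travelling client -> server
        rev: Key = (p.dst, p.dport, p.src, p.sport)   # packet travelling server -> client
        if "S" in p.flags and "A" not in p.flags:     # a bare SYN opens a new session
            action = self._rulebase(p.dport)
            if action == "accept":
                self.table[fwd] = Entry(established=False, last_seen=p.t)
            self.log.append(f"t={p.t:.0f} SYN to {p.dport}: rulebase -> {action}")
            return action
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            # No state: the session timed out, or this gateway never saw its SYN
            # (e.g. the SYN left by another path). This is the rule 0 "unknown established" case.
            if self.allow_non_sync_rulebase_match:
                action = self._rulebase(p.dport)
                if action == "accept":
                    self.table[fwd] = Entry(established=True, last_seen=p.t)
                self.log.append(f"t={p.t:.0f} non-SYN without state: rulebase -> {action}")
                return action
            self.log.append(f"t={p.t:.0f} non-SYN without state: rule 0 drop (unknown established)")
            return "drop"
        e = self.table[key]
        if key == fwd and "A" in p.flags and not e.established:
            e.established = True        # third packet of the handshake
        e.last_seen = p.t
        self.log.append(f"t={p.t:.0f} matched state: accept")
        return "accept"


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"      # constructed addresses
RULES = [(1433, "accept"), (80, "accept")]      # constructed rulebase: allow SQL and HTTP


def sql_session(fw: StatefulFirewall, idle: float) -> List[str]:
    """Handshake, one query, then another query after `idle` seconds of silence (constructed)."""
    packets = [
        Packet(0.0, CLIENT, 40000, SERVER, 1433, "S"),
        Packet(0.1, SERVER, 1433, CLIENT, 40000, "SA"),
        Packet(0.2, CLIENT, 40000, SERVER, 1433, "A"),
        Packet(1.0, CLIENT, 40000, SERVER, 1433, "PA"),
        Packet(1.0 + idle, CLIENT, 40000, SERVER, 1433, "PA"),
    ]
    return [fw.inspect(p) for p in packets]


def slow_handshake(fw: StatefulFirewall, delay: float) -> List[str]:
    """SYN, then a SYN-ACK that only arrives `delay` seconds later (constructed)."""
    packets = [
        Packet(0.0, CLIENT, 40001, SERVER, 80, "S"),
        Packet(delay, SERVER, 80, CLIENT, 40001, "SA"),
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for label, fw, run in [
        ("idle 2h, default timeout", StatefulFirewall(RULES), lambda f: sql_session(f, 7200)),
        ("idle 2h, 1433 raised to 8h", StatefulFirewall(RULES, per_port_timeout={1433: 8 * 3600}), lambda f: sql_session(f, 7200)),
        ("idle 2h, non-sync rulebase match", StatefulFirewall(RULES, allow_non_sync_rulebase_match=True), lambda f: sql_session(f, 7200)),
        ("SYN-ACK after 90s, start timeout 60", StatefulFirewall(RULES), lambda f: slow_handshake(f, 90)),
        ("SYN-ACK after 90s, start timeout 180", StatefulFirewall(RULES, tcp_start_timeout=180), lambda f: slow_handshake(f, 90)),
    ]:
        print(label, "->", run(fw))
        for line in fw.log:
            print("   ", line)
```

Run as-is and the first scenario ends in a rule 0 drop on the query sent after two idle hours; raising the idle limit for port 1433 alone makes the same packet match state, which is the per-port fix the thread recommends. The non-sync variant also accepts it, but by re-running the rulebase on a packet the gateway has no session for, which is why the thread calls that define a way of hiding the symptom rather than fixing the route or the timeout. The last two scenarios show the handshake side: a SYN-ACK arriving after tcpstarttimeout has expired the half-open entry is dropped the same way.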

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================