RE: [FW1] TCP Timeout question
From Nokia's Knowledge Base:

TCP Services in FireWall-1 4.0 and later

For simple TCP services, add the following line (including the comma) in $FWDIR/lib/init.def:

    ADD_TCP_TIMEOUT(port,timeout),

right before the line that says:

    ADD_TCP_TIMEOUT(0,0)

where port specifies the TCP port and timeout specifies the number of seconds. The (0,0) setting indicates that the table was already initialized, since each packet going through inspect will try to initialize the table.

If you want to set a timeout past 7200 seconds (2 hours), then you must do the timeout as a multiple of a number less than 7200. For example, if you want to enable telnet (port 23) to have a timeout of 4 hours, you would add the following line:

    ADD_TCP_TIMEOUT(23,3600*4),

If you want to set the FTP Control Connection timeout, add the following line on the management module in $FWDIR/lib/init.def:

    #define FTP_CONTROL_TIMEOUT timeout

where timeout is the timeout value in seconds. FTP_CONTROL_TIMEOUT is defined in init.def to take on the value of TCP_TIMEOUT if it is not already defined. Again, if you want this to be beyond 2 hours, apply the trick above.

For other non-simple TCP services that FireWall-1 handles (e.g. RealAudio or SQLNet 2), you will need to search through $FWDIR/lib/*.def (and $FWDIR/lib30/*.def in FireWall-1 4.x) for code that relates to that service and change occurrences of TCP_TIMEOUT to whatever value (in seconds) you want the service to have. If you are running NAT, see the NAT-specific notes below.

TCP Services in FireWall-1 3.x

In FireWall-1 3.0, in base.def, the following macro will need to be changed:

    #define TCP_ESTABLISHED_RECORD(con,key,type) \
    ( \
    ((type & _TCP_ESTABLISHED) = 0, not_first, \
    set type (type | _TCP_ESTABLISHED), \
    record in connections \
    ) or 1 \
    )

This macro establishes the TCP timeout for simple TCP connections. For the connection, it records TCP_TIMEOUT as the timeout value for the connection; in this case, it will be 1800 seconds as set by the GUI.

If you want http to have a timeout of 100 seconds, change it so it reads:

    #define TCP_ESTABLISHED_RECORD(con,key,type) \
    ( \
    ((type & _TCP_ESTABLISHED) = 0, not_first, \
    set type (type | _TCP_ESTABLISHED), \
    ((dport = 80, record in connections) \
    or record in connections) \
    ) or 1 \
    )

This means: when the destination port is 80 (i.e. HTTP connections), set the timeout to 100 seconds. For all other connections, set the timeout to TCP_TIMEOUT seconds. If you want the timeout to be beyond two hours, do the timeout as a multiple (e.g. 3600*4 as shown above).

For non-simple TCP services that FireWall-1 handles (e.g. RealAudio), you will need to search through $FWDIR/lib/*.def for code that relates to that service and change occurrences of TCP_TIMEOUT to whatever value (in seconds) you want the service to have. If you are using NAT, see the NAT-specific changes below.

UDP Services

In FireWall-1 4.0 and later, the macro responsible for tracking UDP connections is listed in $FWDIR/lib/base.def (FireWall-1 3.0 has a similar macro):

    #define UDP_RECORD(con,key,type,flags) \
    (record in connections)

For example, if you wanted to reduce the DNS timeout to 10 seconds, you would modify the macro so it reads:

    #define UDP_RECORD(con,key,type,flags) \
    ((dport=53, record in connections) or record in connections)

Additional Changes for NAT

If you are also doing NAT and you are increasing a timeout for a service past 1 hour, you also need to perform the following additional modification using the zap utility via Resolution 1261. The examples below modify the NAT timeout to 14000 seconds.

    zap -s _fwx_tcp_expiration $FWDIR/modules/fwmod.o 14000         (For FW-1 3.x)
    zap -s _fwx_tcp_expiration $FWDIR/boot/modules/fwmod.o 14000    (For FW-1 4.x)

For UDP connections, the command is similar:

    zap -s _fwx_udp_expiration $FWDIR/modules/fwmod.o 14000         (For FW-1 3.x)
    zap -s _fwx_udp_expiration $FWDIR/boot/modules/fwmod.o 14000    (For FW-1 4.x)

In 4.0 SP3 and above (including all 4.1 builds), there is no longer a need to set the _fwx_*_expiration kernel variables. The values are initialized as appropriate for TCP connections (for ones where init.def has changed); otherwise the default TCP connection timeout value is used. For UDP connections, the UDP reply timeout value is used. If you have issues with UDP connections and NAT with long timeouts, change the UDP reply timeout to a high value and modify the macro as shown above.

Verifying Changes

If you look at the output of 'fw tab -u table connections', the last column shows you the connection timeout value.

-----Original Message-----
From: Cihan Subasi (Garanti Teknoloji) [mailto:[email protected]]
Sent: Tuesday, October 03, 2000 2:05 AM
To: 'Jeff Hochberg'; [email protected]
Subject: RE: [FW1] TCP Timeout question

How do you do that?

-----Original Message-----
From: Jeff Hochberg [mailto:[email protected]]
Sent: Tuesday, October 03, 2000 12:37 AM
To: [email protected]
Cc: [email protected]
Subject: RE: [FW1] TCP Timeout question

There is a way to change the TCP timeout on a per-service basis (i.e. telnet or ftp), but not for specific rules.

-Jeff

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, October 02, 2000 5:45 PM
To: [email protected]
Subject: [FW1] TCP Timeout question

Howdy all - I know about the default TCP timeout, but is it possible to change the TCP timeout for specific rules or objects?
Specifically, I've got a telnet session that I don't want the firewall to terminate every hour (it's getting dropped at the moment), but I only want the longer timeout set for a specific rule, not the entire rulebase.

Thanks,
John Baddiley
Senior Technologist
Bank of New Zealand

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
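As an added illustration of the init.def procedure in the forwarded Knowledge Base text (not code from Nokia, Check Point, or anyone on this thread), the following Python helper inserts an ADD_TCP_TIMEOUT line right before the ADD_TCP_TIMEOUT(0,0) sentinel, writes timeouts above 7200 seconds as a product with a factor below 7200 (the 3600*4 trick), and reads back the per-port timeouts so an administrator can review how much state-table lifetime each service has been granted. The init.def fragment is constructed; the surrounding content of the real $FWDIR/lib/init.def is assumed, not taken from the page.

```python
"""Helper for the init.def ADD_TCP_TIMEOUT procedure described in the thread.

Added illustration, not code from Nokia's Knowledge Base or from Check Point.
It assumes only what the message states: one "ADD_TCP_TIMEOUT(port,timeout),"
line per service placed right before the "ADD_TCP_TIMEOUT(0,0)" sentinel, and
timeouts above 7200 seconds written as a product whose first factor is below 7200.
"""
import re

SENTINEL = "ADD_TCP_TIMEOUT(0,0)"
MAX_LITERAL = 7200  # largest value that may be written as a plain number

# Matches e.g. "ADD_TCP_TIMEOUT(23,3600*4),": port, first factor, optional second factor.
# The sentinel has no trailing comma, so it never matches here.
_ENTRY = re.compile(r"^\s*ADD_TCP_TIMEOUT\((\d+)\s*,\s*(\d+)(?:\*(\d+))?\)\s*,\s*$")


def format_timeout(seconds: int) -> str:
    """Render a timeout the way the message says init.def expects it.

    Values up to 7200 are written literally; larger ones become "unit*count"
    with the unit below 7200.  Hours are tried first, then 10-minute and 1-minute
    units; anything not divisible by 60 is rejected rather than guessed at.
    """
    if seconds <= 0:
        raise ValueError("timeout must be positive")
    if seconds <= MAX_LITERAL:
        return str(seconds)
    for unit in (3600, 600, 60):
        if seconds % unit == 0:
            return f"{unit}*{seconds // unit}"
    raise ValueError(f"{seconds} is not a multiple of 60; round it before adding")


def parse_tcp_timeouts(init_def: str) -> dict:
    """Return {port: timeout_seconds} for every ADD_TCP_TIMEOUT entry.

    Audit step: long per-service timeouts hold connection-table slots open and
    should be reviewed deliberately rather than accumulate unnoticed.
    """
    found = {}
    for line in init_def.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        port, first, second = int(m.group(1)), int(m.group(2)), m.group(3)
        found[port] = first * int(second) if second else first
    return found


def add_tcp_timeout(init_def: str, port: int, seconds: int) -> str:
    """Insert (or replace) the per-port line right before ADD_TCP_TIMEOUT(0,0).

    An existing entry for the same port is replaced, so re-running a deployment
    script does not stack duplicate lines for one service.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    entry = f"ADD_TCP_TIMEOUT({port},{format_timeout(seconds)}),"
    out, inserted = [], False
    for line in init_def.splitlines():
        m = _ENTRY.match(line)
        if m and int(m.group(1)) == port:
            continue  # drop the old entry; the new one goes before the sentinel
        if line.strip().startswith(SENTINEL) and not inserted:
            out.append(entry)
            inserted = True
        out.append(line)
    if not inserted:
        raise ValueError("ADD_TCP_TIMEOUT(0,0) sentinel not found in init.def")
    return "\n".join(out) + "\n"


# Constructed stand-in for the relevant part of $FWDIR/lib/init.def (not the real file).
SAMPLE_INIT_DEF = """\
/* ... other init.def content (assumed) ... */
ADD_TCP_TIMEOUT(21,1800),
ADD_TCP_TIMEOUT(0,0)
/* ... */
"""

if __name__ == "__main__":
    updated = add_tcp_timeout(SAMPLE_INIT_DEF, 23, 4 * 3600)  # telnet: 4 hours
    print(updated)
    print(parse_tcp_timeouts(updated))
```

Run against a copy of the real file, the parse step is the quick way to see which services have already been given extended timeouts before adding another one; the message's own verification, checking the last column of the connections table, confirms what the running module actually applies.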