
Re: [FW1] TCP Timeout questions.




> In the properties for the firewall you can set the TCP/IP timeout.  Is there
> a way to make there be no timeout?  For things like ssh I'd prefer to be
> able to just keep the connection up indefinitely.


Well if ya think about it, this would be a VERY bad idea.
Example: Your box A opens an SSH connection to box B outside your firewall.
Your box A crashes, requiring a reset.
The firewall NEVER sees the connection close, and thus never removes the
entry from the state table.
Now sooner or later, this is going to make your machine run out of memory.

Bit of a bugger really. It gets even worse if you allow inbound ssh, because
it gives someone a trivial way to hit you with a DoS attack.

You can set the timeout to 7200 minutes in your policy properties, and if
you are prepared to hack some defs files, you can increase this further, but
not infinitely...
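
The state-table growth described in the reply above, as an added example that is not part of the original post and is not Check Point code: a toy connection table where entries leave only on an observed close or on idle expiry. The addresses, session rate, crash rate and 3600-second timeout are constructed values.

```python
# Toy stateful-firewall connection table (illustrative model only).
from typing import Dict, Optional, Tuple

Conn = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class StateTable:
    def __init__(self, idle_timeout: Optional[int]):
        self.idle_timeout = idle_timeout      # seconds; None = never expire
        self.last_seen: Dict[Conn, int] = {}

    def packet(self, conn: Conn, now: int) -> None:
        """Any packet on the connection refreshes its idle timer."""
        self.last_seen[conn] = now

    def close(self, conn: Conn) -> None:
        """FIN/RST seen by the firewall: the entry is removed immediately."""
        self.last_seen.pop(conn, None)

    def expire(self, now: int) -> int:
        """Drop entries idle longer than the timeout; return how many."""
        if self.idle_timeout is None:
            return 0
        stale = [c for c, t in self.last_seen.items()
                 if now - t > self.idle_timeout]
        for c in stale:
            del self.last_seen[c]
        return len(stale)


def simulate(idle_timeout: Optional[int], hours: int = 24,
             sessions_per_hour: int = 100, crash_every: int = 10) -> int:
    """Constructed workload: each hour hosts open SSH sessions; every
    `crash_every`-th host crashes without sending FIN, the rest close
    cleanly. Returns the number of entries left in the table."""
    table = StateTable(idle_timeout)
    for hour in range(hours):
        now = hour * 3600
        for i in range(sessions_per_hour):
            conn = ("10.0.0.%d" % (i % 250 + 1),
                    1024 + hour * sessions_per_hour + i, "192.0.2.10", 22)
            table.packet(conn, now)           # session traffic seen
            if i % crash_every != 0:
                table.close(conn)             # clean shutdown observed
        table.expire(now)                     # periodic sweep
    return len(table.last_seen)


if __name__ == "__main__":
    print("no timeout:", simulate(None), "| 3600 s timeout:", simulate(3600))
```

With no timeout the table grows by every crashed session for as long as the firewall runs; with a timeout it stays bounded by the sessions that crashed within the last timeout window.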



   All contents © 2004 Network Presence, LLC. All rights reserved.