In my opinion, firewalls should not time out on TCP connections, or more exactly, the timeout value should be large enough.
Proxy-based firewalls have no reason to have a small timeout. The default on Gauntlet proxies is 7200 seconds, which is large enough.

Stateful packet filters can rely on the TCP state engine, instead of simply using a timeout to close connections. Otherwise, I can't see their statefulness...

The situation is different for UDP, where they can hardly know when a session is finished.

A firewall admin may choose to reduce the timeout, but I can't see any reasonable justification for reducing it to a small value.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, March 28, 2000 10:12 PM
> To: Edward Walker
> Cc: [EMAIL PROTECTED]
> Subject: Re: TCP timeouts
>
>
>
> Ed,
>
> Most firewalls do time-out on TCP connections.  It really depends on the
> firewall as to where the setting can be located.  Some have one placed on
> all TCP connections, I think Checkpoint does this.  And others can be based
> on the protocol.
>
> Checkpoint allows you to do this through their GUI and it is a session
> length time-out.
> Raptor's main configuration file will let you do this for each of the
> proxies.
> The PIX has a NAT timeout in addition to one on TCP/UDP set in the
> configuration.
> I think TIS Gauntlet has one as well.
>
> I would suggest contacting the firewall administrator to resolve this
> issue.
>
> -Kathleen
>
> _______________________
>
> Kathleen M. Moriarty
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>

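The point made in the reply above, that a stateful filter can close TCP entries from the TCP state machine rather than from a timer while UDP offers nothing but an idle timer, as an added example (Python, written for this page; it is not code from the original thread or from any of the firewalls named in it). The tracker below removes a TCP entry when it sees RST or a completed FIN exchange, removes a UDP entry only when it has been idle, and shows what a small TCP idle timer does to a quiet but still-open connection. Addresses, ports and the timeout values are constructed for the example; the 7200-second TCP default is taken from the message above, the 60-second UDP value is an assumption.

```python
"""Toy stateful connection tracker: TCP entries die by state, UDP entries by idle timer."""
from dataclasses import dataclass, field

# TCP flag names used by the toy state engine (subset of the real flag set)
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"

TCP_IDLE_TIMEOUT = 7200   # seconds; generous, matching the Gauntlet proxy default quoted above
UDP_IDLE_TIMEOUT = 60     # seconds; assumed value, UDP has no teardown so an idle timer is all there is


@dataclass
class Entry:
    proto: str
    state: str
    last_seen: float
    fin_seen: set = field(default_factory=set)   # endpoints that have sent FIN


class Tracker:
    def __init__(self, tcp_idle=TCP_IDLE_TIMEOUT, udp_idle=UDP_IDLE_TIMEOUT):
        self.table = {}
        self.tcp_idle = tcp_idle
        self.udp_idle = udp_idle

    @staticmethod
    def key(proto, src, dst):
        """Direction-independent key so both halves of a flow hit the same entry."""
        a, b = sorted([src, dst])
        return (proto, a, b)

    def packet(self, now, proto, src, dst, flags=()):
        """Process one packet at time `now`; return 'ACCEPT' or 'DROP'."""
        self.expire(now)
        k = self.key(proto, src, dst)
        e = self.table.get(k)
        flags = set(flags)
        if proto == "udp":
            # no handshake and no teardown: create or refresh, nothing else to go on
            if e is None:
                self.table[k] = Entry("udp", "ACTIVE", now)
            else:
                e.last_seen = now
            return "ACCEPT"
        # TCP: state engine decides the lifetime, the idle timer is only a backstop
        if e is None:
            if flags == {SYN}:
                self.table[k] = Entry("tcp", "SYN_SENT", now)
                return "ACCEPT"
            return "DROP"      # not a new SYN and not a tracked connection
        e.last_seen = now
        if RST in flags:
            del self.table[k]  # abortive close ends the entry immediately
            return "ACCEPT"
        if e.state == "SYN_SENT" and flags == {SYN, ACK}:
            e.state = "SYN_RECV"
        elif e.state == "SYN_RECV" and ACK in flags:
            e.state = "ESTABLISHED"
        if FIN in flags:
            e.fin_seen.add(src)
            e.state = "CLOSING"
        if e.state == "CLOSING" and len(e.fin_seen) == 2 and ACK in flags and FIN not in flags:
            del self.table[k]  # both sides sent FIN and the last ACK arrived: orderly close
        return "ACCEPT"

    def expire(self, now):
        """Drop entries idle longer than their protocol's timer."""
        for k, e in list(self.table.items()):
            limit = self.tcp_idle if e.proto == "tcp" else self.udp_idle
            if now - e.last_seen > limit:
                del self.table[k]

    def states(self):
        return {k: e.state for k, e in self.table.items()}


def demo():
    """Run one TCP connection and one UDP exchange through the tracker (constructed traffic)."""
    c = ("10.0.0.5", 40000)     # constructed client
    s = ("192.0.2.10", 80)      # constructed server
    d = ("192.0.2.53", 53)      # constructed DNS server
    t = Tracker()
    t.packet(0.0, "tcp", c, s, (SYN,))
    t.packet(0.1, "tcp", s, c, (SYN, ACK))
    t.packet(0.2, "tcp", c, s, (ACK,))
    # an hour of silence, then traffic: with a generous timer the entry is still there
    verdict_after_idle = t.packet(3600.0, "tcp", c, s, (ACK,))
    state_after_idle = t.states()[Tracker.key("tcp", c, s)]
    # orderly close: FIN from each side plus the final ACK removes the entry at once
    t.packet(3601.0, "tcp", c, s, (FIN, ACK))
    t.packet(3601.1, "tcp", s, c, (ACK,))
    t.packet(3601.2, "tcp", s, c, (FIN, ACK))
    t.packet(3601.3, "tcp", c, s, (ACK,))
    tcp_entries_after_close = len(t.states())
    # UDP: nothing marks the end of the exchange, only the idle timer removes it
    t.packet(3602.0, "udp", c, d)
    udp_entries_before = len(t.states())
    t.expire(3602.0 + UDP_IDLE_TIMEOUT + 1)
    udp_entries_after = len(t.states())
    # the same quiet-but-open TCP connection against a small timer: the entry is
    # gone and the client's next packet is dropped in the middle of the session
    small = Tracker(tcp_idle=60)
    small.packet(0.0, "tcp", c, s, (SYN,))
    small.packet(0.1, "tcp", s, c, (SYN, ACK))
    small.packet(0.2, "tcp", c, s, (ACK,))
    verdict_small_timer = small.packet(3600.0, "tcp", c, s, (ACK,))
    return {
        "verdict_after_idle": verdict_after_idle,
        "state_after_idle": state_after_idle,
        "tcp_entries_after_close": tcp_entries_after_close,
        "udp_entries_before": udp_entries_before,
        "udp_entries_after": udp_entries_after,
        "verdict_small_timer": verdict_small_timer,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last case in `demo()` is the failure mode the reply is arguing against: a 60-second TCP idle timer throws away a perfectly good connection that was merely quiet, and the next packet from the client is dropped because it no longer matches any entry and is not a SYN. The UDP case shows why a timer is unavoidable there: nothing in the packets tells the tracker the exchange is over.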