I've been reading RFC 793 for the last two hours. I can't find any
restriction on the client's re-use of the source port. There is
reference to the server's TIME-WAIT state, which should last 2*MSL, or
four minutes, but not that the client should refrain from re-opening the
connection within that time. But this discussion in the RFC is oriented
more toward avoiding re-use of sequence numbers, which doesn't seem to
be a problem with the application here. 

But in RFC 1122, at 4.2.2.13 ("Closing a Connection...") I find:

            When a connection is closed actively, it MUST linger in
            TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
            However, it MAY accept a new SYN from the remote TCP to
            reopen the connection directly from TIME-WAIT state, if it:

            (1)  assigns its initial sequence number for the new
                 connection to be larger than the largest sequence
                 number it used on the previous connection incarnation

Doesn't this imply that this behavior is okay? Weird, but okay. Bear in
mind, I'm no expert here, but this is just what the application does.

Why does Checkpoint hold the fully closed connection in its table as
"established"?

What does Checkpoint expect from the SYN packet re-written as ACK?

Thoughts?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
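An added illustration, not part of Dan's message or of any Check Point code: a toy connection tracker that applies the RFC 1122 section 4.2.2.13 rule quoted above (a new SYN may reopen a 4-tuple that is still in TIME-WAIT if its ISN is larger than the highest sequence number of the previous incarnation), next to the stricter "no reuse until 2*MSL has passed" policy described in the quoted reply, and next to a tracker that never observed the close and still holds the entry as established. The `Tracker` class, the verdict strings, the `ftp_data_reuse` scenario and the 4-tuple are all constructed for this example; the constants follow the RFC 793 suggestion of MSL = 2 minutes.

```python
# Toy model of TIME-WAIT handling for a reused source port (constructed
# example; not an implementation of any real firewall or TCP stack).
from dataclasses import dataclass

MSL = 120                 # RFC 793 suggests MSL = 2 minutes (seconds here)
TIME_WAIT = 2 * MSL       # a closed connection lingers this long (4 minutes)


def seq_after(a: int, b: int) -> bool:
    """True when a comes after b in 32-bit TCP sequence space (wrap-safe)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


@dataclass
class Entry:
    state: str        # "ESTABLISHED" or "TIME_WAIT"
    last_seq: int     # highest sequence number sent on this incarnation
    closed_at: float  # time of the active close (meaningful in TIME_WAIT)


class Tracker:
    """Per-4-tuple state table with a configurable TIME-WAIT reuse policy."""

    def __init__(self, reuse_from_time_wait: bool) -> None:
        # True  -> RFC 1122 4.2.2.13 behaviour (accept SYN with larger ISN)
        # False -> strict policy: nothing reopens the tuple until 2*MSL passes
        self.reuse = reuse_from_time_wait
        self.table = {}

    def open(self, key, isn: int) -> None:
        self.table[key] = Entry("ESTABLISHED", isn, 0.0)

    def send(self, key, seq: int) -> None:
        e = self.table[key]
        if seq_after(seq, e.last_seq):
            e.last_seq = seq

    def close(self, key, now: float) -> None:
        # Active close: keep the tuple, remember the highest sequence used.
        e = self.table[key]
        self.table[key] = Entry("TIME_WAIT", e.last_seq, now)

    def syn(self, key, isn: int, now: float) -> str:
        e = self.table.get(key)
        if e is None:
            self.open(key, isn)
            return "ACCEPT_NEW"
        if e.state == "TIME_WAIT":
            if now - e.closed_at >= TIME_WAIT:
                self.open(key, isn)                 # TIME-WAIT expired normally
                return "ACCEPT_AFTER_TIME_WAIT"
            if self.reuse and seq_after(isn, e.last_seq):
                self.open(key, isn)                 # RFC 1122 4.2.2.13 (1)
                return "ACCEPT_REUSE_TIME_WAIT"
            return "DROP_IN_TIME_WAIT"
        # The tracker still believes the old connection is up, so a SYN on
        # this tuple is a mid-stream packet as far as its state table goes.
        return "OUT_OF_STATE_SYN_ON_ESTABLISHED"


def ftp_data_reuse(reuse_from_time_wait: bool, isn: int, gap: float,
                   close_seen: bool = True) -> str:
    """Constructed scenario: one data transfer, then a SYN on the same
    4-tuple `gap` seconds after the close. Returns the tracker's verdict."""
    t = Tracker(reuse_from_time_wait)
    key = ("10.0.0.5", 40001, "192.0.2.10", 20)   # constructed 4-tuple
    t.open(key, 1000)
    t.send(key, 5000)            # highest sequence number of incarnation 1
    if close_seen:
        t.close(key, 10.0)
    return t.syn(key, isn, 10.0 + gap)


if __name__ == "__main__":
    print("RFC 1122 reuse, larger ISN :", ftp_data_reuse(True, 9000, 1.0))
    print("RFC 1122 reuse, smaller ISN:", ftp_data_reuse(True, 4000, 1.0))
    print("strict policy, 1 s later   :", ftp_data_reuse(False, 9000, 1.0))
    print("strict policy, 4 min later :", ftp_data_reuse(False, 9000, 240.0))
    print("close never observed       :", ftp_data_reuse(True, 9000, 1.0, False))
```

The last scenario is the one worth checking on a real device: if a stateful middlebox misses or ignores the FIN exchange, the tuple stays "established" in its table and the client's new SYN is judged against the old connection's state rather than against the TIME-WAIT rule, which is a different failure from the 2*MSL policy disagreement.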


> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of David DeSimone
> Sent: Monday, August 18, 2008 5:00 PM
> To: [email protected]
> Subject: Re: [FW-1] Firewall mods TCP flags from SYN to ACK
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dan Lynch <[EMAIL PROTECTED]> wrote:
> >
> > After the first file is transferred, the data connection is torn down,
> > and a new data connection is attempted using the same source port.
> 
> I thought that this was not legal according to TCP RFC's.  A TCP
> implementation is supposed to allow a period of two minutes after a
> connection is closed before it is valid to open another connection using
> the exact same source and destination ports.
> 
> This is the assumption under which "Smart Connection Reuse" is
> operating.
> 
> - -- 
> David DeSimone == Network Admin == [EMAIL PROTECTED]
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================