Hello,
In fact FW-1 does not behave like you'd expect ;-)
We had a similar problem (FW-1 V4.1 SP4 on Solaris) and we solved
it like this:
Go to the system your management is running on (usually the
same as the filter, maybe a separate management console in larger
installations) and edit the file "/opt/CPfw1-41/lib/init.def".
There at the end you will find the definitions for timeout
characteristics for specific ports.
Normally it reads like this:
#define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)
(
<0> in tcp_timeouts
) or (
ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
ADD_TCP_TIMEOUT(0,0)
);
And you should change it to read as follows:
#define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)
(
<0> in tcp_timeouts
) or (
// ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
ADD_TCP_TIMEOUT(21,3600*n),
// where _n_ is your desired amount of hours
ADD_TCP_TIMEOUT(0,0)
);
If you had to change the other FTP port as well you could add:
ADD_TCP_TIMEOUT(20,3600*8)
Then do a "fwstop; fwstart" and reinstall your rulebase.
This should fix your problem.
This problem is also mentioned at Phoneboy's Website
(http://www.phoneboy.com/faq/0203.html). Good luck!
With kind regards,
Bernd Fritzsche - Network Engineering / FIT-EN
---
Heidelberger Druckmaschinen AG - Gutenbergstrasse - D-69168 Wiesloch
POTS/Fax +49 (0)6222 82 2845/3440 - [EMAIL PROTECTED]
> -----Original Message-----
> From: Aleksey Mikhaylov [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 18 October 2001 23:23
> To: [EMAIL PROTECTED]
> Subject: [FW-1] TCP session timeout and long FTP transfers
>
>
> Hello,
>
> I'm seeing the following behavior on my firewall: when during FTP session
> the file transfer takes longer than TCP session timeout, the FTP control
> connection gets removed from the state table, even though there's activity
> on the ftp-data channel. Is this supposed to be like that?
> I'd assume that even though there's no activity on the ftp control TCP
> connection for longer than session timeout, the connection should be kept in
> the table, because FTP data transfer is part of the same session.
>
> Thank you,
>
> Aleksey
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
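An added example, not part of the original thread and not Check Point code: a Python check to run over the timeout block after editing init.def as the reply above describes. It catches a pasted "3600*n" placeholder, a stock line left active next to its replacement, and a missing trailing (0,0) entry; the function names, the 12-hour ceiling and the sample text are assumptions, and it assumes (0,0) stays last as in both listings in the reply.

```python
import re

# Constructed sample: the edited block from the post, with n = 8 hours and
# the optional port 20 entry added. Not taken from a real installation.
SAMPLE = """\
#define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)
(
<0> in tcp_timeouts
) or (
// ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
ADD_TCP_TIMEOUT(21,3600*8),
ADD_TCP_TIMEOUT(20,3600*8),
ADD_TCP_TIMEOUT(0,0)
);
"""

# A numeric port is required, so the #define line itself never matches.
ENTRY = re.compile(r"ADD_TCP_TIMEOUT\(\s*(\d+)\s*,\s*([^)]*?)\s*\)")
PRODUCT = re.compile(r"\d+(\s*\*\s*\d+)*$")   # e.g. 3600 or 3600*8
NAME = re.compile(r"[A-Z_][A-Z0-9_]*$")       # e.g. FTP_CONTROL_TIMEOUT

def parse_timeouts(text):
    """Return [(port, seconds or None, expression)] for uncommented entries."""
    entries = []
    for line in text.splitlines():
        code = line.split("//", 1)[0]          # ignore // comments
        for port, expr in ENTRY.findall(code):
            seconds = None
            if PRODUCT.match(expr):
                seconds = 1
                for factor in expr.split("*"):
                    seconds *= int(factor)
            entries.append((int(port), seconds, expr))
    return entries

def audit(text, max_seconds=12 * 3600):       # limit is an assumed policy value
    """Return findings; an empty list means the block passed every check."""
    entries = parse_timeouts(text)
    findings = []
    if not entries or entries[-1][:2] != (0, 0):
        findings.append("ADD_TCP_TIMEOUT(0,0) is not the last active entry")
    for port, seconds, expr in entries:
        if seconds is None and not NAME.match(expr):
            findings.append(f"port {port}: '{expr}' is not a number or constant")
        elif seconds is not None and seconds > max_seconds:
            findings.append(f"port {port}: {seconds}s exceeds {max_seconds}s")
    ports = [port for port, _, _ in entries]
    for port in sorted({p for p in ports if ports.count(p) > 1}):
        findings.append(f"port {port}: more than one timeout entry")
    return findings

if __name__ == "__main__":
    print(parse_timeouts(SAMPLE), audit(SAMPLE) or "OK")
```

Named constants such as FTP_CONTROL_TIMEOUT are accepted without being resolved, so the unmodified block also passes.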