red hat firewall question

Steve Phillips steve at focb.co.nz
Wed Dec 5 00:38:38 UTC 2007


Anne Moore wrote:
> Hi Marshall
> 
> Well I've already determined that this will fix the issues. The problem is
> indeed with our firewall and it cannot be changed due to our security
> policy. Thus, I created a script that continually pings every 30 seconds and
> that keeps the logons alive.

This is part of the problem with 'sekuritee people' that don't actually 
understand the protocols.

TCP Keepalives are supposed to work to allow servers to figure out that 
persistent connections that have not sent data are still there - the RFC 
states that this should not default to anything less than 2 hours (it's 
possible, but not advised).

http://www.uic.rsu.ru/doc/inet/tcp_stevens/tcp_keep.htm for a good, easy 
to read writeup

http://www.faqs.org/rfcs/rfc1122.html is the host requirements RFC, 
section 4.2.3.6 deals with keep alives.

There are a number of reasons for this default (explained nicely in the 
first link) and most sekuritee people cause no end of headaches for 
systems/network people when they start fiddling with this value in the 
name of 'sekuritee !'

It is completely normal for a TCP session to be idle, and it is also 
completely normal for it to wake up hours later and send data; this is 
simply how stuff works in the IP world, and what it appears is happening 
is that your ssh sessions are (as would be expected) idle for a few 
minutes and due to some sekuritee 'professional' deciding that this 
could NEVER happen, your user sessions are being disconnected. The 
correct fix is to lart the sekuritee moron and change the default keep 
alive value. If they want to enforce logoff on idle sessions then 
install or enable this on the servers. Changing these values on a 
firewall can have some VERY undesirable and difficult to fault-find 
consequences. (I had one instance where someone had set the value to 30 
mins, oracle was timing out connections and things would sporadically 
work, not work, then semi work - took the best part of a day to fault find.)

The primary purpose of keep alives is to enable the host to not exhaust 
its resources by having 65500 dead yet open telnet/ssh/tcp sessions and 
being able to close these after a defined period; the firewall not 
working in sync with the host just compounds this problem, and depending 
on the number of users/types of processes, can actually cause the 
problem that keep alives are supposed to prevent.


-- 
Steve
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments
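As an added example that is not part of this thread: the server-side fix Steve describes, written as Python that turns on TCP keepalives on a socket with timers chosen so the host's first probe goes out before a firewall's idle timer expires. The Linux option names TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT and the loopback connection used for the demonstration are assumptions; the 30-minute timeout is the value from the post above.

```python
import socket

# RFC 1122 section 4.2.3.6: keepalive idle time must default to no less than 2 hours.
RFC1122_MIN_DEFAULT_IDLE_S = 2 * 60 * 60


def plan_keepalive(firewall_idle_timeout_s, probe_interval_s=15, probe_count=4):
    """Pick per-socket keepalive timers that fire before a firewall's idle timer.

    The first probe (and the peer's ACK) refreshes the firewall's state entry, so
    the session is dropped only after the host has seen `probe_count` unanswered probes.
    """
    probe_window = probe_interval_s * probe_count
    if firewall_idle_timeout_s <= probe_window:
        raise ValueError("firewall idle timeout too short for the probe schedule")
    return firewall_idle_timeout_s - probe_window, probe_interval_s, probe_count


def enable_keepalive(sock, idle, interval, count):
    """Enable keepalives on `sock` and return what the kernel reports back.
    TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT are Linux names (assumed here)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    wanted = {"TCP_KEEPIDLE": idle, "TCP_KEEPINTVL": interval, "TCP_KEEPCNT": count}
    for name, value in wanted.items():
        opt = getattr(socket, name, None)
        if opt is not None:  # skip options this platform does not expose
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name in wanted:
        opt = getattr(socket, name, None)
        if opt is not None:
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def demo_loopback(firewall_idle_timeout_s):
    """Constructed demo: a loopback TCP connection stands in for an idle ssh session."""
    idle, interval, count = plan_keepalive(firewall_idle_timeout_s)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()
    try:
        return enable_keepalive(server_side, idle, interval, count)
    finally:
        server_side.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    print(demo_loopback(30 * 60))  # the 30-minute firewall timeout from the post
```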