red hat firewall question

McDougall, Marshall (FSH) Marshall.McDougall at gov.mb.ca
Wed Dec 5 14:28:30 UTC 2007


We control the client side as well as the server side so for the few
that are impacted by the quick timeouts it's manageable for us.

Regards, Marshall 

>-----Original Message-----
>From: redhat-list-bounces at redhat.com 
>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Anne Moore
>Sent: Tuesday, December 04, 2007 4:37 PM
>To: 'General Red Hat Linux discussion list'
>Subject: RE: red hat firewall question
>
>Well yes, I could ask all of our clients to do that with each of their
>programs, or I could just do it once on the Red Hat box and it will
>take care of everything. As you can see it'll be much easier to do it on
>just the one Red Hat box.
>
>My problem is that I cannot find enough documentation on the keep
>alives/state for ipfilter. I'm still searching...
>
>Thanks for the help. -Anne 
>
>-----Original Message-----
>From: redhat-list-bounces at redhat.com 
>[mailto:redhat-list-bounces at redhat.com]
>On Behalf Of McDougall, Marshall (FSH)
>Sent: Tuesday, December 04, 2007 3:49 PM
>To: General Red Hat Linux discussion list
>Subject: RE: red hat firewall question
>
>Sorry, didn't realize that there were external forces (firewall) in play
>here.  Might there be a better solution from the client side?  We have FW
>issues like that here (our timeouts are 20 minutes) and we mitigate it by
>turning on "keep alives" in the putty, DB client, etc.
>
>Regards, Marshall 
>
>>-----Original Message-----
>>From: redhat-list-bounces at redhat.com
>>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Anne Moore
>>Sent: Tuesday, December 04, 2007 11:09 AM
>>To: 'General Red Hat Linux discussion list'
>>Subject: RE: red hat firewall question
>>
>>Hi Marshall
>>
>>Well I've already determined that this will fix the issues. The problem is
>>indeed with our firewall and it cannot be changed due to our security
>>policy. Thus, I created a script that continually pings every 30
>>seconds and that keeps the logons alive.
>>
>>So, if I can get the firewall to do its own version of "ping" using "keep
>>state" then it will take effect for all tcp connections to the server.
>>Since I know that this will fix all of our disconnection issues, and it
>>appears to be a very easy fix, then I'm going to go ahead and get it
>>completed.
>>
>>However, I don't know how to properly use "keep state" with my 
>>firewall.
>>
>>Any ideas on this? I just don't know much about Ipfilter and the proper
>>syntax.
>>
>>Thank you again for your help.
>>
>>Anne
>>
>>
>>
>>-----Original Message-----
>>From: redhat-list-bounces at redhat.com
>>[mailto:redhat-list-bounces at redhat.com]
>>On Behalf Of McDougall, Marshall (FSH)
>>Sent: Tuesday, December 04, 2007 11:54 AM
>>To: General Red Hat Linux discussion list
>>Subject: RE: red hat firewall question
>>
>> 
>>
>>>-----Original Message-----
>>>From: redhat-list-bounces at redhat.com
>>>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Anne Moore
>>>Sent: Tuesday, December 04, 2007 10:28 AM
>>>To: 'General Red Hat Linux discussion list'
>>>Subject: red hat firewall question
>>>
>>>Hi All
>>>
>>>I figured out a way, I think, to keep my connections alive while my 
>>>users are connected to my Red Hat Enterprise 4 servers.
>>>
>>>I thought I would create a firewall rule (or something like that) that
>>>keeps tcp alive (keep-state?).
>>>
>>>Something like this:
>>>
>>>"allow tcp from any to any keep-state"
>>>
>>>What do you all think? Is this the correct syntax to use to keep tcp 
>>>connections alive? or is there a better way?
>>>
>>>Thank you again for your help.
>>>
>>>Anne
>>
>>
>>Anne. 
>>
>>I think you see the symptom, but you don't yet understand your problem,
>>and are hoping that this will solve it.  I would be looking at the
>>overall network config, because with a properly configured server there
>>is no reason for it to be dumping connections after 1 minute.
>>
>>Regards, Marshall
>>
>>--
>>redhat-list mailing list
>>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>https://www.redhat.com/mailman/listinfo/redhat-list