red hat firewall question

Ian Lists ian-list at securitypimp.com
Wed Dec 5 16:22:56 UTC 2007


Have you tried setting the following options in your servers' sshd_config files?

KeepAlive yes
ClientAliveInterval 60


Ian

----- "Anne Moore" <diabeticithink at yahoo.com> wrote:
> Well yes, I could ask all of our clients to do that with each of their
> programs, or I could just do it one time on the Red Hat box and it will
> take care of everything. As you can see it'll be much easier to do it on
> just the one Red Hat box.
> 
> My problem is that I cannot find enough documentation on the keep
> alives/state for ipfilter. I'm still searching...
> 
> Thanks for the help. -Anne 
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com]
> On Behalf Of McDougall, Marshall (FSH)
> Sent: Tuesday, December 04, 2007 3:49 PM
> To: General Red Hat Linux discussion list
> Subject: RE: red hat firewall question
> 
> Sorry, didn't realize that there were external forces (firewall) in play
> here.  Might there be a better solution from the client side?  We have FW
> issues like that here (our timeouts are 20 minutes) and we mitigate it by
> turning on "keep alives" in the putty, DB client, etc.
> 
> Regards, Marshall 
> 
> >-----Original Message-----
> >From: redhat-list-bounces at redhat.com
> >[mailto:redhat-list-bounces at redhat.com] On Behalf Of Anne Moore
> >Sent: Tuesday, December 04, 2007 11:09 AM
> >To: 'General Red Hat Linux discussion list'
> >Subject: RE: red hat firewall question
> >
> >Hi Marshall
> >
> >Well I've already determined that this will fix the issues. The problem is
> >indeed with our firewall and it cannot be changed due to our security
> >policy. Thus, I created a script that continually pings every 30
> >seconds and that keeps the logons alive.
> >
> >So, if I can get the firewall to do its own version of "ping" using "keep
> >state" then it will take effect for all tcp connections to the server.
> >Since I know that this will fix all of our disconnection issues, and it
> >appears to be a very easy fix, then I'm going to go ahead and get it
> >completed.
> >
> >However, I don't know how to properly use "keep state" with my firewall.
> >
> >Any ideas on this? I just don't know much about Ipfilter and the proper
> >syntax.
> >
> >Thank you again for your help.
> >
> >Anne
> >
> >
> >
> >-----Original Message-----
> >From: redhat-list-bounces at redhat.com
> >[mailto:redhat-list-bounces at redhat.com]
> >On Behalf Of McDougall, Marshall (FSH)
> >Sent: Tuesday, December 04, 2007 11:54 AM
> >To: General Red Hat Linux discussion list
> >Subject: RE: red hat firewall question
> >
> > 
> >
> >>-----Original Message-----
> >>From: redhat-list-bounces at redhat.com
> >>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Anne Moore
> >>Sent: Tuesday, December 04, 2007 10:28 AM
> >>To: 'General Red Hat Linux discussion list'
> >>Subject: red hat firewall question
> >>
> >>Hi All
> >>
> >>I figured out a way, I think, to keep my connections alive while my
> >>users are connected to my Red Hat Enterprise 4 servers.
> >>
> >>I thought I would create a firewall rule (or something like that) that keeps
> >>tcp alive (keep-state?).
> >>
> >>Something like this:
> >>
> >>"allow tcp from any to any keep-state"
> >>
> >>What do you all think? Is this the correct syntax to use to keep tcp
> >>connections alive? Or is there a better way?
> >>
> >>Thank you again for your help.
> >>
> >>Anne
> >
> >
> >Anne. 
> >
> >I think you see the symptom, but you don't yet understand your problem,
> >and are hoping that this will solve it.  I would be looking at the
> >overall network config, because with a properly configured server there
> >is no reason for it to be dumping connections after 1 minute.
> >
> >Regards, Marshall
> >
> >--
> >redhat-list mailing list
> >unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >https://www.redhat.com/mailman/listinfo/redhat-list




More information about the redhat-list mailing list
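
An added example, not part of the thread: a shell check that reads the ClientAliveInterval sshd would actually apply from an sshd_config and compares it with a firewall idle timeout. The function names and the sample file are constructed for illustration; the 20-minute and 1-minute timeouts are the figures mentioned in the quoted messages.

```shell
#!/bin/sh
# Added example, not from the thread. Sample config is constructed.

# effective_value FILE KEYWORD: print the global value sshd would use.
# Keywords are case-insensitive, the first occurrence wins, and global
# settings end at the first Match block.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { print f[2]; exit }
    ' "$1"
}

# check_keepalive FILE FW_IDLE_SECONDS: print ok, too-long, disabled or
# unparsed; return 0 only for ok. KeepAlive (older name of TCPKeepAlive) is
# not compared: it enables kernel TCP keepalives, which on Linux start after
# 7200 s idle by default. Only plain-second values are handled (assumption).
check_keepalive() {
    interval=$(effective_value "$1" ClientAliveInterval)
    case ${interval:-0} in
        *[!0-9]*) echo unparsed; return 2 ;;
    esac
    if [ "${interval:-0}" -eq 0 ]; then
        echo disabled; return 1     # sshd default: no probes are sent
    elif [ "$interval" -ge "$2" ]; then
        echo too-long; return 1     # probe is due at or after state expiry
    fi
    echo ok
}

# write_sample FILE: constructed sshd_config with a later duplicate keyword.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
KeepAlive yes
clientaliveinterval 60
ClientAliveInterval 15
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_keepalive "$sample" 1200            # 20-minute idle timeout
check_keepalive "$sample" 60 || true      # 1-minute idle timeout
rm -f "$sample"
```

The later `ClientAliveInterval 15` line in the sample is ignored because sshd keeps the first value it reads, which is why the check reports on 60 rather than 15.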