red hat firewall question

Anne Moore diabeticithink at yahoo.com
Wed Dec 5 19:57:58 UTC 2007


<<The correct fix is to lart the sekuritee moron and change the default keep
alive value.>>

ROFL! You poor guy, you must have a small little wee-wee to be so pissed off
at life. Why not get one of those wee-wee pumps to help you??


-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of Steve Phillips
Sent: Tuesday, December 04, 2007 7:39 PM
To: General Red Hat Linux discussion list
Subject: Re: red hat firewall question

Anne Moore wrote:
> Hi Marshall
> 
> Well I've already determined that this will fix the issues. The 
> problem is indeed with our firewall and it cannot be changed due to 
> our security policy. Thus, I created a script that continually pings 
> every 30 seconds and that keeps the logons alive.

This is part of the problem with 'sekuritee people' that don't actually
understand the protocols.

TCP Keepalives are supposed to work to allow servers to figure out that
persistent connections that have not sent data are still there - the RFC
states that this should not default to anything less than 2 hours (it's
possible, but not advised).

http://www.uic.rsu.ru/doc/inet/tcp_stevens/tcp_keep.htm for a good, easy to
read writeup

http://www.faqs.org/rfcs/rfc1122.html is the host requirements RFC, section
4.2.3.6 deals with keep alives.

There are a number of reasons for this default (explained nicely in the
first link) and most sekuritee people cause no end of headaches for
systems/network people when they start fiddling with this value in the name
of 'sekuritee !'

It is completely normal for a TCP session to be idle, and it is also
completely normal for it to wake up hours later and send data, this is
simply how stuff works in the IP world, and what it appears is happening is
that your ssh sessions are (as would be expected) idle for a few minutes and
due to some sekuritee 'professional' deciding that this could NEVER happen,
your user sessions are being disconnected. The correct fix is to lart the
sekuritee moron and change the default keep alive value. If they want to
enforce logoff on idle sessions then install or enable this on the servers.
Changing these values on a firewall can have some VERY undesirable and
difficult to fault-find consequences. (I had one instance where someone had
set the value to 30 mins, oracle was timing out connections and things would
sporadically work, not work, then semi work - took the best part of a day to
fault find.)

The primary purpose of keep alives is to enable the host to not exhaust its
resources by having 65500 dead yet open telnet/ssh/tcp sessions and being
able to close these after a defined period; the firewall not working in
sync with the host just compounds this problem, and depending on the number
of users/types of processes, can actually cause the problem that keep alives
are supposed to prevent.


--
Steve
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
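The host-side alternative Steve argues for (keep the server's keepalive in step with the firewall's idle timer instead of pinging from a script), as an added Python example that is not from this thread. The 300-second firewall timeout, the Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT socket options and the /proc path are assumptions; the 2-hour figure is the RFC 1122 default the thread cites.

```python
import socket

# RFC 1122 section 4.2.3.6: the keepalive idle interval must default to no
# less than two hours; Linux's tcp_keepalive_time default is exactly that.
RFC1122_MIN_DEFAULT_IDLE = 2 * 60 * 60

# Assumed for illustration: a firewall that drops state on sessions idle for
# five minutes (the thread gives no actual number).
ASSUMED_FIREWALL_IDLE_TIMEOUT = 300

def system_keepalive_idle(path="/proc/sys/net/ipv4/tcp_keepalive_time"):
    """Host-wide keepalive idle time in seconds (Linux), or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def keepalive_survives(idle, firewall_idle_timeout):
    """True if the first probe leaves before the firewall's idle timer expires;
    probes and their ACKs refresh the firewall state entry like any traffic."""
    return idle < firewall_idle_timeout

def dead_peer_detect_seconds(idle, interval, count):
    """Worst case before the host closes a socket to a silent peer: the idle
    wait, then `count` unanswered probes sent `interval` seconds apart."""
    return idle + interval * count

def configure_keepalive(sock, idle, interval, count):
    """Enable keepalives on one socket, overriding the host default.

    Uses the Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT options where the
    platform exposes them (otherwise only SO_KEEPALIVE). Returns the values
    read back with getsockopt so the caller sees what actually took effect."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied

def tuned_socket_settings(idle=60, interval=10, count=3):
    """Create a TCP socket tuned to probe well inside the firewall timeout and
    return the settings that actually took effect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        return configure_keepalive(sock, idle, interval, count)
```

With the kernel default (7200 s idle) the first probe never leaves before a 300-second firewall timer expires, which is exactly the disconnect the thread describes; the per-socket values above make the host, not the firewall, decide when an idle session is dead.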
