10/24 Using Check-point FW1, I have a 1 hour time-out which is very annoying
to me. I would like to eliminate it or make it VERY high. Is this a
really dumb thing to do, or is it only a slight risk for a lot of
benefit?
\_ You mean the TCP session idle timeout for NAT sessions or sessions
for which FW1 is supposed to keep state? I don't know about FW1 but
IP Filter commonly used on *BSD has this timeout set to a really
large value, something like 24 hours or so. The Linux 2.2 ipchains
by default sets a very large timeout value too. I don't think this
is a big security risk but if you have a very large number of idle
connections (e.g. thousands), the software might run out of
entries in its session state table.
\_ Earlier versions of IPFilter had a limit of 1024 state table
entries--it's now been fixed. We have the same problem with
FW-1; basically, it only comes into play when you have a
connection that's idle for over 1 hour. The idiotic thing
with this value is that it's a global setting, and can't be
done application-specific (ObFW1SucksPlug). I don't believe
there's much of a security risk; part of the reason it
was done was to prevent idle connection hijacking. You can
get around it by running a simple script that echoes a single
character on the target host every x minutes, assuming it's
a login session. If it's not (something like database,
whatever) just set it to a reasonable level (2-3 hours) if
you really need to. -John