Topic: TCP sessions timing out and being blocked by the firewall
« on: November 18, 2008, 00:41:51 »
pdunai

Hi Members,

I'm new to Monowall and as such seem to have come unstuck and can't find relevant information.
I have a situation where the TCP session state times out (TTL) on the firewall before the real session terminates, and as such when additional packets are sent end to end they are blocked because they are no longer in the state table. I did set the "default" session timeout to 10000 seconds (previous default 2.5 hours) but certain TCP sessions seem to only be about 4 minutes. Below is a filtered view of the state table showing TCP sessions with a large timeout and others with a small value. How do I make them all time out after 10000 seconds? As you can see, it appears that any TCP sessions with a destination address of 192.168.0.21 and port 8080 have a very short initial timeout (TTL) setting. Although not seen in this table, I have seen the TTL value for a similar session in the order of 2.5 hours. Not sure why they are different.

Source         Port  Destination    Port  Proto  Packets  Bytes    TTL
192.168.2.59   1127  192.168.0.21   23    tcp    708      59967    2:46:20
192.168.2.62   1114  192.168.0.21   3050  tcp    1025     77456    2:46:18
192.168.1.67   2128  192.168.0.21   3050  tcp    1198     91008    2:46:14
192.168.2.59   1122  192.168.0.21   3050  tcp    2913     217748   2:46:09
192.168.1.67   2132  192.168.0.21   23    tcp    93       4297     2:46:03
192.168.1.64   3921  192.168.0.21   3050  tcp    634      47456    2:45:53
192.168.1.83   3653  192.168.0.21   3050  tcp    499      40280    2:45:31
192.168.1.83   3658  192.168.0.21   23    tcp    57       2559     2:45:14
192.168.1.83   3659  192.168.0.21   7177  tcp    5        250      2:45:13
192.168.1.64   3924  192.168.0.21   7177  tcp    5        250      2:42:59
192.168.1.64   3923  192.168.0.21   23    tcp    60       2786     2:42:59
192.168.1.67   2133  192.168.0.21   7177  tcp    5        250      2:42:56
192.168.2.56   1121  192.168.0.21   23    tcp    56       2519     2:42:51
192.168.2.56   1122  192.168.0.21   7177  tcp    5        251      2:42:50
192.168.2.56   1072  192.168.0.21   3050  tcp    130      9248     2:42:28
192.168.2.58   1146  192.168.0.21   3050  tcp    416      30684    2:13:38
192.168.2.58   1150  192.168.0.21   23    tcp    54       3510     2:13:31
192.168.2.58   1151  192.168.0.21   7177  tcp    5        251      2:13:30
192.168.2.62   1119  192.168.0.21   23    tcp    55       3550     2:11:46
192.168.2.62   1120  192.168.0.21   7177  tcp    5        251      2:11:45
192.168.2.65   1141  192.168.0.21   3050  tcp    560      41728    2:10:12
192.168.2.65   1144  192.168.0.21   23    tcp    64       4004     2:07:15
192.168.2.59   1128  192.168.0.21   7177  tcp    5        251      2:06:57
192.168.1.67   2138  192.168.0.21   8080  tcp    13       4639     3:54
192.168.2.59   1139  192.168.0.21   8080  tcp    5        1160     3:49
192.168.1.83   3657  192.168.0.21   8080  tcp    12       3631     2:43
192.168.2.62   1126  192.168.0.21   8080  tcp    9        2120     2:04
192.168.3.210  137   192.168.0.21   137   udp    1        78       1:15
192.168.1.64   3922  192.168.0.21   8080  tcp    12       3629     0:27
192.168.2.56   1120  192.168.0.21   8080  tcp    12       3617     0:08

Any assistance would be appreciated.
« Reply #1 on: November 25, 2008, 02:13:12 »
pdunai

Does anyone know how to change the TTL timeout value for different types of sessions? They don't all seem to be controlled by the parameter under "advanced settings" -> firewall:

"Idle TCP connections will be removed from the state table after no packets have been received for the specified number of seconds. Don't set this too high or your state table could become full of connections that have been improperly shut down. The default is 2.5 hours." etc.
« Reply #2 on: November 25, 2008, 08:12:33 »
Manuel Kasper (Administrator)

The timeout depends on the state of the session; the "idle timeout" only applies in the normal, fully established state. In any other of TCP's numerous states (e.g. last-ack, close-wait, time-wait etc.), other/shorter timeouts apply, for a good reason. These shouldn't really cause problems in practice, as they won't affect a properly established connection.

From /sys/contrib/ipfilter/netinet/ip_state.c:

u_long  fr_tcpidletimeout = IPF_TTLVAL(9000),      /* ESTABLISHED: 9000 s = 2.5 h, the GUI "idle timeout" */
        fr_tcpclosewait = IPF_TTLVAL(2 * TCP_MSL),  /* CLOSE-WAIT */
        fr_tcplastack = IPF_TTLVAL(30),             /* LAST-ACK: 30 s */
        fr_tcptimeout = IPF_TTLVAL(2 * TCP_MSL),    /* other non-established TCP states */
        fr_tcptimewait = IPF_TTLVAL(2 * TCP_MSL),   /* TIME-WAIT */
        fr_tcpclosed = IPF_TTLVAL(30),              /* CLOSED: 30 s */
        fr_tcphalfclosed = IPF_TTLVAL(240),         /* one side has sent FIN: 240 s = 4 min */
        fr_udptimeout = IPF_TTLVAL(120),            /* UDP, no reply seen yet: 120 s */
        fr_udpacktimeout = IPF_TTLVAL(240),         /* UDP, reply seen: 240 s */
        fr_icmptimeout = IPF_TTLVAL(60),            /* ICMP: 60 s */
        fr_icmpacktimeout = IPF_TTLVAL(6),          /* ICMP after reply: 6 s */
        fr_iptimeout = IPF_TTLVAL(60);              /* other IP protocols: 60 s */

These can be tuned by changing the appropriate sysctls (ipf needs to be disabled and re-enabled for the sysctls to be writable); you could probably do this using <earlyshellcmd> tags in config.xml. However, I don't think changing the non-established timeouts will solve your problem.
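To make the state-dependent timeouts concrete, here is an added example (not m0n0wall or ipfilter code, and not from either poster): it parses rows in the format of the state table above, converts the displayed TTL to seconds, and reports the tightest configured timeout that is still at least the remaining TTL, which is the most plausible class the entry is in. The timeout values are the ip_state.c defaults quoted above, with fr_tcpidletimeout raised to 10000 s as the poster did; the value of TCP_MSL is an assumption (ipfilter's headers supply their own default), and the classification is a heuristic from the remaining TTL, since the table does not show the actual TCP state. Entries close to expiry are ambiguous: a half-closed entry with 8 s left fits the 30 s classes just as well, so the result also lists every class the TTL is compatible with.

```python
import re
from typing import Dict, List, Tuple

# ASSUMPTION: ipfilter's TCP_MSL in seconds. Treat as a parameter, not a
# fact from the thread; change it to match your build.
TCP_MSL = 120

# Timeouts in seconds, keyed by the ip_state.c variable names quoted in the
# reply. fr_tcpidletimeout is 10000 because the poster raised it from the
# 9000 s (2.5 h) default; the others are the quoted defaults.
TCP_TIMEOUTS: Dict[str, int] = {
    "fr_tcpidletimeout": 10000,
    "fr_tcpclosewait": 2 * TCP_MSL,
    "fr_tcplastack": 30,
    "fr_tcptimeout": 2 * TCP_MSL,
    "fr_tcptimewait": 2 * TCP_MSL,
    "fr_tcpclosed": 30,
    "fr_tcphalfclosed": 240,
}
UDP_TIMEOUTS: Dict[str, int] = {
    "fr_udptimeout": 120,
    "fr_udpacktimeout": 240,
}


def parse_ttl(text: str) -> int:
    """Convert a displayed TTL ('2:46:20' or '3:54') to seconds."""
    parts = [int(p) for p in text.split(":")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"bad TTL {text!r}")
    seconds = 0
    for p in parts:
        seconds = seconds * 60 + p
    return seconds


def fitting_classes(ttl: int, table: Dict[str, int]) -> Tuple[int, List[str], List[str]]:
    """Return (tightest_timeout, tightest_names, all_compatible_names).

    An entry can only be in a state whose timeout is >= its remaining TTL.
    The smallest such timeout is the most plausible class; every class that
    is merely compatible is returned too, because a nearly expired entry
    from a longer class looks the same."""
    compatible = sorted(n for n, v in table.items() if v >= ttl)
    if not compatible:
        raise ValueError(f"TTL {ttl}s exceeds every configured timeout")
    tightest = min(table[n] for n in compatible)
    return tightest, [n for n in compatible if table[n] == tightest], compatible


# One state-table row: src sport dst dport proto packets bytes ttl
ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\d+)\s+(\d+(?::\d+){1,2})$"
)


def classify_row(line: str) -> dict:
    m = ROW.match(line.strip())
    if not m:
        raise ValueError(f"unparsable row {line!r}")
    src, sport, dst, dport, proto, _pkts, _bytes, ttl_text = m.groups()
    ttl = parse_ttl(ttl_text)
    table = TCP_TIMEOUTS if proto == "tcp" else UDP_TIMEOUTS
    timeout, states, compatible = fitting_classes(ttl, table)
    return {
        "flow": f"{src}:{sport} -> {dst}:{dport}/{proto}",
        "ttl": ttl,
        "timeout": timeout,
        "states": states,
        "compatible": compatible,
        # idle time implied if the entry really is in the tightest class
        "idle": timeout - ttl,
    }


# Rows copied from the poster's state table above.
SAMPLE_ROWS = [
    "192.168.2.62 1114 192.168.0.21 3050 tcp 1025 77456 2:46:18",
    "192.168.1.67 2138 192.168.0.21 8080 tcp 13 4639 3:54",
    "192.168.2.56 1120 192.168.0.21 8080 tcp 12 3617 0:08",
    "192.168.3.210 137 192.168.0.21 137 udp 1 78 1:15",
]


def report(rows=SAMPLE_ROWS) -> List[dict]:
    return [classify_row(r) for r in rows]


if __name__ == "__main__":
    for r in report():
        print(f"{r['flow']:44} ttl={r['ttl']:5}s  tightest {r['timeout']}s "
              f"({', '.join(r['states'])}); idle >= {r['idle']}s")
```

With these values the port 3050 row can only be a fully established entry counting down from 10000 s, while the port 8080 rows fit the 240 s classes, which is the "about 4 minutes" the first post describes; the single-packet UDP row fits fr_udptimeout, consistent with no reply having been seen. Note that with TCP_MSL assumed to be 120 s, the 2*TCP_MSL classes and fr_tcphalfclosed share the same value, so the script cannot tell them apart; only a packet capture (as the last reply in this thread did) shows which side sent the FIN.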
« Reply #3 on: November 27, 2008, 02:44:49 »
pdunai

Hi Manuel, thank you very much for your comment. I now understand the problem far better and can see (via a sniffer) why the Monowall behaves as it does. I believe the problem may be a misbehaving application that leaves connections in the half-closed state for excessive time. At this stage I probably won't be modifying timeout parameters.

Thanks again