Re: ip contrack problem, not strictly followed RFC, DoS very muchpossible

[Lee Revell]

On Mon, 2004-12-06 at 20:11 +0100, Jose Luis Domingo Lopez wrote:
> It is not unusual the need to tweak the settings for several commercial
> firewalls I work with in several customers to raise the default timeouts
> for TCP connection tracking, because some application breaks if the
> connection gets put out of the firewalls' connection tables and the
> traffic dropped.
> 
> Many times is just "my users are too lazy to double click the 'start
> connection' icon again when they come from their breakfast, and want to be
> able to enter commands on the remote host again". But at least, the
> parameter is tunable in recent kernel versions, and not hardcoded in the
> kernel sources like it was some time ago.

This is not an application problem.  TCP is a reliable, connection
oriented protocol.  Users are right to expect that their TCP connections
do not get timed out by an overzealous firewall because the user did not
type anything in an SSH window for 20 minutes.

The problem here is that your firewall is too dumb or your firewall
rules too aggressive to distinguish a valid connection from a security
threat.  Please don't blame the users.

Lee

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/