The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: TCP Timeout for a Specific Service

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Q:

Is there a way to set the timeout for a specific service? For instance, I want to make the timeout value for an HTTP connection 100 seconds whereas I'd like to have the rest of my services have a timeout value of 1800 seconds.

A:

This can be done for simple TCP services. For non-simple TCP services that FireWall-1 handles (e.g. RealAudio or SQLNet 2), you will need to search through $FWDIR/lib/*.def (and $FWDIR/lib30/*.def in FireWall-1 4.x) for code that relates to that service and change occurrences of TCP_TIMEOUT to whatever value (in seconds) you want the service to have. Once the prerequisite changes have been made on the management console, you will need to re-install your security policy for this to take effect.

NG

In the NG release of FireWall-1, the TCP Timeout can be defined in the TCP service itself in the Advanced section.

FireWall-1 4.x

In FireWall-1 4.x, if you want to set the FTP Control Connection timeout, edit the following line in $FWDIR/lib/init.def:

    #define FTP_CONTROL_TIMEOUT timeout

where timeout is the timeout value in seconds. For other services, add the following line (including the comma) in $FWDIR/lib/init.def:

    ADD_TCP_TIMEOUT(port,timeout),

Right before the line that says:

    ADD_TCP_TIMEOUT(0,0)

Where port specifies the TCP port and timeout specifies the number of seconds.

If you use Provider-1: $FWDIR/lib/init.def should be modified on the CMA (aka Provider-1 MDS server: /opt/CPmds-41/customers/<customer>/fw41/lib/init.def) and not the firewall. I believe by default, every CMA on a MDS server uses a global lib directory (/opt/CPmds-41/fw41/lib) that is symlinked from the CMA directory, so rm the link and copy the lib directory over; then make changes if you don't want the changes to be global. (Thanks to Jason Avery for this tip)

FireWall-1 3.x

In FireWall-1 3.0, in base.def, the following macro will need to be changed:

    #define TCP_ESTABLISHED_RECORD(con,key,type) \
     ( \
      ((type & _TCP_ESTABLISHED) = 0, not_first, \
        set type (type | _TCP_ESTABLISHED), \
              record <con;key,type @TCP_TIMEOUT > in connections \
       ) or 1 \
     )

This macro establishes the TCP timeout for simple TCP connections: when the connection is first recorded in the connections table, TCP_TIMEOUT is stored as its timeout value. In this case that is 1800 seconds, as set in the GUI.

If you want http to have a timeout of 100 seconds, change it so it reads:

    #define TCP_ESTABLISHED_RECORD(con,key,type) \ 
     ( \ 
      ((type & _TCP_ESTABLISHED) = 0, not_first, \ 
        set type (type | _TCP_ESTABLISHED), \ 
              ((dport = 80, record <con;key,type @100 > in connections) \ 
      or record <con;key,type @TCP_TIMEOUT> in connections) \ 
       ) or 1 \ 
     )

This means:

  • When the destination port is 80 (i.e. HTTP connections), set the timeout to 100 seconds.
  • For all other connections, set the timeout to TCP_TIMEOUT seconds.

Timeouts Beyond 2 Hours

I've had problems setting timeouts beyond two hours. You may be able to get around this limitation by specifying the timeout as 3600 * n above (not the actual result of the multiplication, but actually using 3600*n), where n is the number of hours. A timeout of zero will result in a timeout of 60 seconds. In any case, you cannot set the timeout to be any larger than 24 hours (or 86400 seconds).

Additional Changes for NAT

If you are also doing NAT on 4.0 SP3 or earlier and you are increasing a timeout for a service past 2 hours, you also need to perform the following additional modifications on your firewall module. The following can be done on a Solaris machine (Check Point has yet to tell me how to do this on an NT box, so don't ask. ;-)

    echo "fwx_tcp_expiration?W 0x<num>" | adb -w -k /dev/ksyms /dev/mem 
    echo "fwx_udp_expiration?W 0x<num>" | adb -w -k /dev/ksyms /dev/mem

where <num> is the number of seconds you'd like to keep hidden connections, converted to hex.

For example, to make the tcp timeout 14,000 seconds type:

    echo "fwx_tcp_expiration?W 0x36B0" | adb -w -k /dev/ksyms /dev/mem

Verifying Changes

If you look at the output of "fw tab -u -t connections", the last column shows you the connection timeout value. In 4.0 and later, you can also do an "fw tab -t tcp_timeouts -u", which shows the port and timeout on each line.
