Disable TCP timeout for one service

In 3.0 versions of FireWall-1, you could eliminate TCP timeouts by setting the timeout to zero, either for a specific service or in the TCP_TIMEOUT value. In 4.0 and 4.1, a zero timeout results in a 60 second timeout. There is no way to disable TCP timeouts in FireWall-1 4.x, though you can always set the TCP timeout to the maximum, which is 24 hours.
In NG FP3 HF2 (and possibly AI), a zero timeout corresponds to the default timeout of 3600 seconds. If you absolutely need to disable timeouts for a service because the vendor of your application refuses to implement a "heart beat", this is how you would do it:
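From dbedit, type the following, where <service-name> is a placeholder for the name of the service object you want to change:

    modify services <service-name> timeout 2147483647
    update services <service-name>

Alternatively, make the same change through GUIDbEdit.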
Remarks:
- Currently, there is no way to configure it from the GUI, since the GUI blocks values larger than 9999.
- The value above is used internally by the kernel to specify infinite-time connections. However, if you set any smaller number in that range, you still get connections that should last many years.
I don't even want to think about the security implications of leaving idle TCP connections open forever, but my gut tells me that this is not a good idea. I do know that SecuRemote will misbehave if the timeout is set to zero. Other things will probably misbehave as well. PhoneBoy does not recommend doing this.
--
GuyR - 12 Jan 2004