PIX 501 - Connection Timeout ?

Discussion in 'Cisco' started by Jimmy, Nov 4, 2003.

  1. Jimmy

    Jimmy Guest

    Could someone post a "25 words or less" explanation of what these
    settings control/indicate (i.e. what is timing out and what is
    "half closed" ?

    timeout conn 0:05:00
    half-closed 0:10:00


    Thanks,
     
    Jimmy, Nov 4, 2003
    #1

  2. Jimmy

    Jimmy Guest

    Jimmy, Nov 5, 2003
    #2

  3. Jimmy

    Sutto Guest

    Sutto, Nov 5, 2003
    #3
  4. Jimmy

    Andre Beck Guest

    You may get the full wisdom by "just reading" RFC793. The short version
    is: TCP, when established, is a bidirectional pipe. Either end can send
    (write) and the other end can receive (read) the abstract octet stream
    that TCP implements on top of IP. Now, either end can cease sending at
    some time (by sending a FIN), but this doesn't mean that the whole
    connection is gone - the other side gets an EOF on reading, but it
    can continue to send (write) without any impact, and the side that
    ceased writing can still read. *This* is a half-closed connection. In
    most cases, half-closed is a pure transitional state when a TCP
    connection dies, but it doesn't need to be this way. So a firewall might
    limit the lifetime of half-closed connections, but you have to expect
    that protocols that actually make use of them will break if you limit
    them too tightly. As long as you aren't using any (I couldn't even name
    one except for handmade proof-of-concept scripts using netcat),
    limiting them is a simple precaution - if they happen, they are likely
    some type of weird scan. Now, fighting scans is fighting windmills anyway
    (IMO it has always been, but since the Idle Scan, it is impossible in
    an objective way), but it also helps the box to free resources,
    something you want to have plenty of during a DoS.
     
    Andre Beck, Nov 9, 2003
    #4
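The half-closed state Andre describes can be reproduced on a loopback socket. The script below is an added example, not part of the original thread or Cisco documentation: the client sends a request, calls shutdown(SHUT_WR) to send its FIN, and then keeps reading; the server sees EOF on its read side, but its write side is still open, so it answers after the EOF and only then closes. A stateful firewall in the path would see a flow that has carried one FIN and not the other, which is exactly what the PIX `half-closed` timer bounds, while `timeout conn` bounds idle time on a fully open connection. The payload bytes, port selection and function names are the example's own choices.

```python
import socket
import threading


def half_close_demo(payload=b"request", reply=b"reply after EOF"):
    """Run a client/server pair over 127.0.0.1 and exercise a TCP half-close.

    Returns (bytes the server read before EOF,
             bytes the client read after half-closing,
             whether a write after SHUT_WR failed as expected).
    Sample payloads are constructed for the demo; any bytes work.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def server():
        conn, _ = listener.accept()
        with conn:
            received = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    # EOF: the peer sent FIN. The connection is now
                    # half-closed; our write direction is still usable.
                    break
                received += chunk
            result["received"] = received
            # Send the reply *after* the peer's FIN to show the pipe
            # still works in this direction.
            conn.sendall(reply)
        # Leaving the 'with' block closes conn, which sends our FIN and
        # ends the connection (the firewall would free the slot here).

    worker = threading.Thread(target=server)
    worker.start()

    client = socket.create_connection(("127.0.0.1", port))
    with client:
        client.sendall(payload)
        # Half-close: send FIN, keep the read direction open.
        client.shutdown(socket.SHUT_WR)

        # Writing after SHUT_WR is a protocol error on this end (EPIPE).
        write_after_shutdown_failed = False
        try:
            client.sendall(b"too late")
        except OSError:
            write_after_shutdown_failed = True

        # We can still read everything the server chooses to send.
        got = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:  # server's FIN: both directions now closed
                break
            got += chunk

    worker.join()
    listener.close()
    return result["received"], got, write_after_shutdown_failed


if __name__ == "__main__":
    served, replied, failed = half_close_demo()
    print("server read before EOF:", served)
    print("client read after its own FIN:", replied)
    print("write after SHUT_WR raised:", failed)
```

If you watch this with tcpdump on lo while the server is made to sleep before replying, you see the connection sit in FIN_WAIT_2 on the client and CLOSE_WAIT on the server; that interval is what a `half-closed` timeout would cut off, and an application that relies on this pattern (request, FIN, then read the full response) is the kind Andre warns will break if the value is set too low.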
  5. Jimmy

    Jimmy Guest

    Thanks for the detailed explanation and for not making me read
    the RFC :)
     
    Jimmy, Nov 10, 2003
    #5
