republican-creole
site Search:


Home Reviews Tools Forums FAQs Find Service ISP News Maps About  
 
    All Forums Hot Topics Gallery






how-to block ads

  
Forums >

US Telco Support > AT&T > AT&T Southeast > 327w firewall "state" rule times out in 10sec?!?

Search Topic:
 Uniqs:
755		 Share Topic
Posting?
Post a:
Post a:
Links: ·AT&T Southeast Forum FAQ ·AT&T Southeast Support ·AT&T Southeast Newsgroup Support ·AT&T Southeast Speed Test
AuthorAll Replies

impala

join:2008-03-08
Clemson, SC

327w firewall "state" rule times out in 10sec?!?

I have BellSouth 327W model D90-327W30-06 fw: 03.08.02

When I try to set the firewall rules to custom or advanced, I have connection problems with various things including slower http. Advanced uses the stateful part of the firewall for most connections.

I added a custom rule to permit stateful outbound ssh traffic. I've discovered if the ssh session is idle for more than 9 seconds, it hangs. I've tested this by using the remote system to ping another system on it's network. -I is the SUN option for ping interval. If I do ping -I 9 XXX then it happily pings away every 9 seconds and the ssh connection doesn't hang. I'm up to over 500 pings and counting. If I do ping -I 10 xxx then it pings 2 or 3 times then the ssh connection hangs.

What this tells me is the stateful part of the firewall times out in less than 10 seconds. That makes it pretty useless. Can someone else confirm?

From what I've observed, this happens even with slow http connections.

Here is the rule I added to the outbound list for ssh
pass to port 22 >> state, done
to forum · permalink · 2008-03-23 18:53:41 ·

impala

join:2008-03-08
Clemson, SC

Here's what my router's help page says about state:

state
Specifies that the TCP/ICMP/IGMP session (particularly the sequence number in the case of TCP and the packet type and source/destination addresses and ports in the case of ICMP and IGMP) associated with this packet will be added to the state table maintained by the filtering engine. As long as that session remains in the state table all packets associated with that session are passed without comparing them to the rules decision tree. The filtering engine state table logic maintains the state of the session with successive packets and closes or times it out (removes it from the state table) whenever appropriate.
The bold is my emphasis. This is normal for the state rule, but 10 seconds is not normal.
to forum · permalink · 2008-03-23 20:18:19 ·

impala

join:2008-03-08
Clemson, SC

reply to impala
for reference, here are my inbound firewall rules:
credit BellSouth 327W and N O Y B in the Westell FAQ for ideas.

title [ Security Level Custom (Medium) IN rules ]
begin
RulesInDropDHCPAddress
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
RulesInPassIcmpRequest
pass icmp-type request, to addr %WANADDR%:32 >> done, alert 0 [pinged]
RulesInDropTTL
drop match 3 8 { 01:FE } >> done, alert 3 [TTL of 0 or 1]
# Pass and Log Specific ICMP
RulesInPassICMP
pass icmp-type reply >> done, alert 0 [Ping Reply] # Type: 0 
pass icmp-type exceeded >> done, alert 0 [traceroute reply] # Type: 11 
pass icmp-type unreachable >> done, alert 0 [Dst Unreachable] # Type: 3 
RulesInDropFrom192
drop from addr %LANADDR%:%LANMASK% >> done, alert 4 [WAN Traffic from LAN IP]
# Drop All Unsolicited Inbound
RulesInDropAll
drop all >> done, alert 1 [Drop All Unsolicited Inbound]
end

reject DHCP requests from WAN;
responds to pings and traceroutes;
rejects packets whose TTL will expire;
accept responses to pings and traceroutes;
reject private packets from wan
reject everything else

With these rules I depend on the stateful firewall and NAT for inbound connections, as well as whatever is hard-coded in the 327W.
to forum · permalink · 2008-04-06 14:18:35 ·

impala

join:2008-03-08
Clemson, SC
1 edit

reply to impala
so I've already mentioned that http; https; and ssh fail after approximately 10 seconds of inactivity when I enable the state action in the outbound firewall.

However, NNTP (port 123) and DNS (port 53) fail unless I enable the state action in the firewall; or explicitly enable them for dynamic NAT. They fail because the inbound firewall drops them AFTER NAT does it magic and converts the destination IP. I don't understand the difference between how NAT handles SSH; HTTP; HTTPS; and NNTP; DNS. I suppose SSH; HTTP; and HTTPS are hard-coded for dynamic NAT even though they do not show up in the list of enabled NAT client services? And NNTP; and DNS are not hard-coded and must be manually enabled?

And I still fail to understand how enabling the state action on HTTP; HTTPS; and SSH cause them to fail, even if they are using dynamic NAT.

3   04/06/2008 13:27:38 Inbound       1  RulesInDropAll  Drop All Unsolicited Inbound 
IP Packet Header:
Src Addr : 130.127.8.8  Dest Addr: 192.168.19.239
UDP Packet Header:
   Src Port: 53  Dest Port: 49273
 
4   04/06/2008 13:27:28 Inbound       1  RulesInDropAll  Drop All Unsolicited Inbound 
IP Packet Header:
Src Addr : 17.254.0.27  Dest Addr: 192.168.19.239
UDP Packet Header:
   Src Port: 123  Dest Port: 123
to forum · permalink · 2008-04-06 14:34:47 ·

impala

join:2008-03-08
Clemson, SC

Click for full size
NAT config
and for good measure, the NAT config:
to forum · permalink · 2008-04-06 14:40:24 ·


sashwa
Pixie Cat Crunchin' n Foldin'
Premium,Mod
join:2001-01-29
Alcatraz
kudos:14

Let's see if we can find you some help in our AT&T Southeast forum.

Good luck.

to forum · permalink · 2008-04-06 14:47:26 ·
Forums > US Telco Support > AT&T > AT&T Southeast

Wednesday, 30-May 04:53:19 Terms of Use & Privacy | feedback | contact | Hosting by nac.net - DSL,Hosting & Co-lo
over 12.5 years online © 1999-2012 dslreports.com.
Most commented news this week
Hot Topics