327w firewall "state" rule times out in 10sec?!? in AT&T Southeast

327w firewall "state" rule times out in 10sec?!? in AT&T Southeast http://www.dslreports.com/forum/r20213788 en Fri, 11 Dec 2009 00:15:13 EDT Fri, 11 Dec 2009 00:15:13 EDT Re: 327w firewall "state" rule times out in 10sec?!? http://www.dslreports.com/forum/remark,20292356 sashwa : Let's see if we can find you some help in our AT&T Southeast forum.

Good luck. :)]]> http://www.dslreports.com/forum/remark,20292356 Sun, 06 Apr 2008 14:47:26 EDT Re: 327w firewall "state" rule times out in 10sec?!? http://www.dslreports.com/forum/remark,20292321 impala : and for good measure, the NAT config:

NAT config

]]> http://www.dslreports.com/forum/remark,20292321 Sun, 06 Apr 2008 14:40:24 EDT Re: 327w firewall "state" rule times out in 10sec?!? http://www.dslreports.com/forum/remark,20292290 impala : so I've already mentioned that http; https; and ssh fail after approximately 10 seconds of inactivity when I enable the state action in the outbound firewall.

However, NNTP (port 123) and DNS (port 53) fail unless I enable the state action in the firewall; or explicitly enable them for dynamic NAT. They fail because the inbound firewall drops them AFTER NAT does it magic and converts the destination IP. I don't understand the difference between how NAT handles SSH; HTTP; HTTPS; and NNTP; DNS. I suppose SSH; HTTP; and HTTPS are hard-coded for dynamic NAT even though they do not show up in the list of enabled NAT client services? And NNTP; and DNS are not hard-coded and must be manually enabled?

And I still fail to understand how enabling the state action on HTTP; HTTPS; and SSH cause them to fail, even if they are using dynamic NAT.

]]> http://www.dslreports.com/forum/remark,20292290 Sun, 06 Apr 2008 14:34:47 EDT Re: 327w firewall "state" rule times out in 10sec?!? http://www.dslreports.com/forum/remark,20292220 impala : for reference, here are my inbound firewall rules:
credit BellSouth 327W and N O Y B in the Westell FAQ for ideas.

reject DHCP requests from WAN;
responds to pings and traceroutes;
rejects packets whose TTL will expire;
accept responses to pings and traceroutes;
reject private packets from wan
reject everything else

With these rules I depend on the stateful firewall and NAT for inbound connections, as well as whatever is hard-coded in the 327W.
]]> http://www.dslreports.com/forum/remark,20292220 Sun, 06 Apr 2008 14:18:35 EDT Re: 327w firewall "state" rule times out in 10sec?!? http://www.dslreports.com/forum/remark,20214059 impala : Here's what my router's help page says about state:

state
Specifies that the TCP/ICMP/IGMP session (particularly the sequence number in the case of TCP and the packet type and source/destination addresses and ports in the case of ICMP and IGMP) associated with this packet will be added to the state table maintained by the filtering engine. As long as that session remains in the state table all packets associated with that session are passed without comparing them to the rules decision tree. The filtering engine state table logic maintains the state of the session with successive packets and closes or times it out (removes it from the state table) whenever appropriate.

The bold is my emphasis. This is normal for the state rule, but 10 seconds is not normal.]]> http://www.dslreports.com/forum/remark,20214059 Sun, 23 Mar 2008 20:18:19 EDT 327w firewall "state" rule times out in 10sec?!? http://www.dslreports.com/forum/remark,20213788 impala : I have BellSouth 327W model D90-327W30-06 fw: 03.08.02

When I try to set the firewall rules to custom or advanced, I have connection problems with various things including slower http. Advanced uses the stateful part of the firewall for most connections.

I added a custom rule to permit stateful outbound ssh traffic. I've discovered if the ssh session is idle for more than 9 seconds, it hangs. I've tested this by using the remote system to ping another system on it's network. -I is the SUN option for ping interval. If I do ping -I 9 XXX then it happily pings away every 9 seconds and the ssh connection doesn't hang. I'm up to over 500 pings and counting. If I do ping -I 10 xxx then it pings 2 or 3 times then the ssh connection hangs.

What this tells me is the stateful part of the firewall times out in less than 10 seconds. That makes it pretty useless. Can someone else confirm?

From what I've observed, this happens even with slow http connections.

Here is the rule I added to the outbound list for ssh
pass to port 22 >> state, done ]]> http://www.dslreports.com/forum/remark,20213788 Sun, 23 Mar 2008 18:53:41 EDT