RE: red hat firewall question

From: Anne Moore <diabeticithink(at)yahoo.com>
Date: Wed Dec 05 2007 - 14:59:49 EST


Yes, and it works great for SSH, but nothing else. I have users connecting to 20 different applications on these servers and they are being timed out after only 1 minute or so of inactivity.

I know there is a kernel tweak that might work for this, so I'm researching.

thanks

Anne

-----Original Message-----
From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com] On Behalf Of Ian Lists
Sent: Wednesday, December 05, 2007 11:23 AM
To: General Red Hat Linux discussion list
Subject: Re: red hat firewall question

Have you tried setting the following options in your servers' sshd_config files?

KeepAlive yes
ClientAliveInterval 60

Ian

  • "Anne Moore" <diabeticithink@yahoo.com> wrote:
    > Well yes, I could ask all of our clients to do that with each of their
    > programs, or I could just do it one time on the Red Hat box and it
    > will take care of everything. As you can see it'll be much easier to
    > do it on just the one Red Hat box.
    >
    > My problem is that I cannot find enough documentation on the keep
    > alives/state for ipfilter. I'm still searching...
    >
    > Thanks for the help. -Anne
    >
    > -----Original Message-----
    > From: redhat-list-bounces@redhat.com
    > [mailto:redhat-list-bounces@redhat.com]
    > On Behalf Of McDougall, Marshall (FSH)
    > Sent: Tuesday, December 04, 2007 3:49 PM
    > To: General Red Hat Linux discussion list
    > Subject: RE: red hat firewall question
    >
    > Sorry, didn't realize that there were external forces (firewall) in
    > play here. Might there be a better solution from the client side? We
    > have FW issues like that here (our timeouts are 20 minutes) and we
    > mitigate it by turning on "keep alives" in the putty, DB client, etc.
    >
    > Regards, Marshall
    >
    > >-----Original Message-----
    > >From: redhat-list-bounces@redhat.com
    > >[mailto:redhat-list-bounces@redhat.com] On Behalf Of Anne Moore
    > >Sent: Tuesday, December 04, 2007 11:09 AM
    > >To: 'General Red Hat Linux discussion list'
    > >Subject: RE: red hat firewall question
    > >
    > >Hi Marshall
    > >
    > >Well I've already determined that this will fix the issues.
    > >The problem is indeed with our firewall and it cannot be changed due
    > >to our security policy. Thus, I created a script that continually
    > >pings every 30 seconds and that keeps the logons alive.
    > >
    > >So, if I can get the firewall to do its own version of "ping"
    > >using "keep state" then it will take effect for all tcp connections
    > >to the server. Since I know that this will fix all of our
    > >disconnection issues, and it appears to be a very easy fix, then I'm
    > >going to go ahead and get it completed.
    > >
    > >However, I don't know how to properly use "keep state" with my
    > >firewall.
    > >
    > >Any ideas on this? I just don't know much about Ipfilter and the
    > >proper syntax.
    > >
    > >Thank you again for your help.
    > >
    > >Anne
    > >
    > >
    > >
    > >-----Original Message-----
    > >From: redhat-list-bounces@redhat.com
    > >[mailto:redhat-list-bounces@redhat.com]
    > >On Behalf Of McDougall, Marshall (FSH)
    > >Sent: Tuesday, December 04, 2007 11:54 AM
    > >To: General Red Hat Linux discussion list
    > >Subject: RE: red hat firewall question
    > >
    > >
    > >
    > >>-----Original Message-----
    > >>From: redhat-list-bounces@redhat.com
    > >>[mailto:redhat-list-bounces@redhat.com] On Behalf Of Anne Moore
    > >>Sent: Tuesday, December 04, 2007 10:28 AM
    > >>To: 'General Red Hat Linux discussion list'
    > >>Subject: red hat firewall question
    > >>
    > >>Hi All
    > >>
    > >>I figured out a way, I think, to keep my connections alive while my
    > >>users are connected to my Red Hat Enterprise 4 servers.
    > >>
    > >>I thought I would create a firewall rule (or something like that)
    > >>that keeps tcp alive (keep-state?).
    > >>
    > >>Something like this:
    > >>
    > >>"allow tcp from any to any keep-state"
    > >>
    > >>What do you all think? Is this the correct syntax to use to keep tcp
    > >>connections alive? or is there a better way?
    > >>
    > >>Thank you again for your help.
    > >>
    > >>Anne
    > >
    > >
    > >Anne.
    > >
    > >I think you see the symptom, but you don't yet understand your
    > >problem, and are hoping that this will solve it. I would be looking
    > >at the overall network config, because with a properly configured
    > >server there is no reason for it to be dumping connections after 1
    > >minute.
    > >
    > >Regards, Marshall
    > >
    > >--
    > >redhat-list mailing list
    > >unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    > >https://www.redhat.com/mailman/listinfo/redhat-list
    > >
Received on Wed Dec 5 15:00:51 2007
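
Added example, not part of the original message: assuming the "kernel tweak" mentioned at the top of this message is the Linux TCP keepalive timer (sysctl `net.ipv4.tcp_keepalive_time`, default 7200 seconds), this Python example shows that the timer only applies to sockets that set `SO_KEEPALIVE`, and how a single socket can be opted in with an idle time short enough for probes to cross the firewall before its timeout. The 60-second firewall timeout and the function names are assumptions for illustration.

```python
import socket

# Assumed firewall idle timeout, taken from the "1 minute or so" in the thread.
FIREWALL_IDLE_TIMEOUT = 60


def keepalive_state(sock):
    """Return (enabled, idle_s, interval_s, probes) as the kernel reports them."""
    return (
        bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    )


def enable_keepalive(sock, idle, interval, probes):
    """Opt this socket in and override the system-wide timers for it alone."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)


def refreshes_firewall_state(sock, timeout=FIREWALL_IDLE_TIMEOUT):
    """True only if probes are enabled AND the first one fires before the timeout."""
    enabled, idle, _, _ = keepalive_state(sock)
    return enabled and idle < timeout


def demo():
    # An unconnected TCP socket is enough to inspect the options; a server
    # would apply enable_keepalive() to each socket returned by accept().
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        before = refreshes_firewall_state(sock)  # keepalive is off by default
        enable_keepalive(sock, idle=30, interval=10, probes=3)
        return before, keepalive_state(sock), refreshes_firewall_state(sock)


if __name__ == "__main__":
    print(demo())
```

Lowering the sysctl changes the timers only for applications that already request keepalive; those that never set `SO_KEEPALIVE` send no probes regardless of the kernel setting.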

This archive was generated by hypermail 2.1.8 : Fri May 30 2008 - 14:26:45 EDT

