[ale] Idle Sockets vs. Firewall question

Greg Freemyer greg.freemyer at gmail.com
Fri Oct 20 13:53:58 EDT 2006


In my case it is a dedicated server that basically has no function other
than to service this one application.  I could easily live with a
TCP_KEEPALIVE that impacted all sockets.

Greg

On 10/20/06, Jeff Lightner <jlightner at water.com> wrote:
>
> Unfortunately that is a global change so ALL sockets would have the same
> keepalive value.  You really do NOT want that.
>
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> Allan Neal
> Sent: Friday, October 20, 2006 12:20 PM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] Idle Sockets vs. Firewall question
>
> TCP_KEEPALIVE will work if it does it correctly.  It only needs to send a
> packet over the socket often enough to keep the timer from timing out.  The
> TCP_KEEPALIVE is just an empty packet with some flags set to tell the
> application to ignore it, that it is only to keep a TCP socket alive.
>
> Allan
> On Fri, Oct 20, 2006 at 11:57:26AM -0400, Christopher Fowler wrote:
> > If you control the device at the other end I would tweak the
> > tcp_keepalive settings in the kernel.  Maybe drop it down from 2 hours
> > to 10 minutes.  I do not know if the firewalls will consider that
> > traffic or not.
> >
> >
> > On Fri, 2006-10-20 at 10:46 -0400, Greg Freemyer wrote:
> > > All,
> > >
> > > I'm wondering if it is common for firewalls to close idle sockets
> > > after a period of time?
> > >
> > > === Details
> > > I have a Java application that has been in service for years (since
> > > 1999 IIRC), but on a private satellite based data network (vsat).
> > >
> > > We're in the process of moving it to the Internet (which means random
> > > firewalls at our client locations), and now we're getting complaints
> > > about non-delivered messages/notifications.
> > >
> > > The way we handle notification is to have the client open a socket to
> > > the server and just leave it open (and idle) for hours at a time.
> > > Then when a message needs to be delivered the server simply sends it
> > > down the existing socket.
> > >
> > > Since this is basically the same code that has been in use for a while
> > > I doubt that it is a basic client/server issue.  Seems much more
> > > likely it is the network between the 2 which now is a much less
> > > controlled environment than it was with dedicated satellite gear.
> > >
> > > Any other ideas are welcome.
> > >
> > > Thanks
> > > Greg
> > > --
> > > Greg Freemyer
> > > The Norcross Group
> > > Forensics for the 21st Century
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> >
>
> --
> / ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \
> |  /~~\                                 /~~\  |
> |\ \   |   I would rather be exposed   |   / /|
> | \   /|     to the inconveniences     |\   / |
> |  ~~  |  attending too much liberty   |  ~~  |
> |      |  than to those attending too  |      |
> |      |     small a degree of it.     |      |
> |      |      - Thomas Jefferson       |      |
> |      |                               |      |
> \     |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|     /
>   \   /                                 \   /
>    ~~~                                   ~~~
>



-- 
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
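As an added example (not code from the thread, nor from Greg's application), the per-socket alternative to the kernel-wide tcp_keepalive sysctl discussed above: the client turns keepalive on for its one long-lived notification socket, reads back what the kernel accepted, and checks that the first probe goes out before a stateful firewall's idle timeout would discard the connection. The timer values and the helper names are constructed for this example.

```python
import socket

# Constructed timer values for this example (not from the thread): first probe
# after 10 minutes idle, then one probe a minute, give up after 5 misses.
KEEPALIVE_IDLE_SEC = 600
KEEPALIVE_INTERVAL_SEC = 60
KEEPALIVE_COUNT = 5

# Per-socket timer options are platform specific: Linux names the idle timer
# TCP_KEEPIDLE, macOS names it TCP_KEEPALIVE; interval and count exist on both.
_TCP_IDLE = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))
_TCP_INTVL = getattr(socket, "TCP_KEEPINTVL", None)
_TCP_CNT = getattr(socket, "TCP_KEEPCNT", None)


def enable_keepalive(sock, idle=KEEPALIVE_IDLE_SEC,
                     interval=KEEPALIVE_INTERVAL_SEC, count=KEEPALIVE_COUNT):
    """Enable keepalive on one socket and override the kernel-wide timers for
    that socket only (on Linux the defaults come from net.ipv4.tcp_keepalive_time,
    7200 s, i.e. the "2 hours" mentioned in the thread).  Returns the values the
    kernel reports back so the caller can confirm what was actually applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0}
    for key, opt, value in (("idle", _TCP_IDLE, idle),
                            ("interval", _TCP_INTVL, interval),
                            ("count", _TCP_CNT, count)):
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[key] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def probes_before_firewall_timeout(applied, firewall_idle_sec):
    """True if the first probe goes out before a stateful firewall with the
    given idle timeout would discard the connection's state entry.  Without a
    per-socket idle override the Linux default of 7200 s is assumed."""
    return applied.get("idle", 7200) < firewall_idle_sec


def configure_idle_client_socket(**timers):
    """Create the long-lived notification socket the thread describes, apply
    keepalive, and return what the kernel accepted.  The socket is never
    connected, so this runs offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_keepalive(sock, **timers)
    finally:
        sock.close()
```

The returned dictionary is worth logging at startup: if "idle" is missing, the platform ignored the per-socket override and the connection is back on the kernel-wide timer.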