
IOS firewall

gcumarasamy
Level 1

I am trying to understand why, in IOS firewall, the default TCP Finwait-time is 5 seconds. Why is this?

My understanding is that once there is a TCP FIN packet, that session is closed and the firewall should not be keeping that state information for that session.

Can someone tell me why IOS firewall keeps the state info for a session that is already closed?

Thanks in advance.

1 Reply

a-vazquez
Level 6

This time of 5 seconds might be given to allow the session to close 'normally'. A segment sent by a TCP 'peer' (say Host A) with the FIN bit set indicates closing of a connection in one direction only. The other end (Host B), which receives the segment, acknowledges this segment. Now, the session is closed in one direction only. No more data can flow from Host A to Host B (except acknowledgement packets). However, data can continue to flow in the other direction, from Host B to Host A, till Host B too decides that it would like to close the session to A. That is when B sends a segment with the FIN bit set to Host A. It is only now that TCP deletes its record of the connection.

I guess, on receiving a FIN segment, the firewall expects the session to be closed in the other direction too. What it might be doing is to give 5 secs for the process to be over, after which it forces the record to be cleared. I feel this does make sense from the security point of view, where sufficient time is given for normal termination of the connection, after which the connection is cleared anyway.
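
The behaviour described in the reply above, as an added example that is not part of the original thread and not Cisco's implementation: a simplified session-table entry that starts a 5-second timer on the first FIN and is deleted either by a normal two-way teardown or by the timer expiring. Hosts A and B follow the reply; the class, function names and both packet traces are constructed for illustration.

```python
FINWAIT_TIME = 5.0  # seconds; the default value discussed in this thread


class SessionEntry:
    """Simplified firewall state for one TCP session between hosts A and B."""

    def __init__(self):
        self.fin_seen = set()      # hosts that have sent a FIN
        self.fin_deadline = None   # set when the first FIN is seen
        self.removed = None        # why the entry was deleted, if it was

    def expire(self, now):
        """Delete the entry if the FIN-wait timer has run out."""
        if self.removed is None and self.fin_deadline is not None \
                and now >= self.fin_deadline:
            self.removed = "finwait-timeout"

    def packet(self, now, sender, flags):
        """Process one segment and return 'pass' or 'drop'."""
        self.expire(now)
        if self.removed is not None:
            return "drop"          # no state left, nothing to match against
        if "FIN" in flags:
            self.fin_seen.add(sender)
            if self.fin_deadline is None:
                self.fin_deadline = now + FINWAIT_TIME
        elif self.fin_seen == {"A", "B"} and "ACK" in flags:
            # Simplification: any ACK after both FINs counts as the final ACK.
            self.removed = "closed"
        return "pass"


def replay(trace):
    """Run (time, sender, flags) tuples through a fresh entry."""
    entry = SessionEntry()
    verdicts = [entry.packet(t, sender, flags) for t, sender, flags in trace]
    return verdicts, entry.removed


# Constructed traces (times in seconds since A's FIN).
NORMAL_CLOSE = [(0.0, "A", "FIN,ACK"), (0.1, "B", "ACK"), (0.5, "B", "ACK"),
                (1.0, "B", "FIN,ACK"), (1.1, "A", "ACK")]
B_NEVER_CLOSES = [(0.0, "A", "FIN,ACK"), (0.1, "B", "ACK"), (4.9, "B", "ACK"),
                  (5.0, "B", "ACK"), (6.0, "B", "FIN,ACK")]

if __name__ == "__main__":
    for name, trace in (("normal close", NORMAL_CLOSE),
                        ("B never closes", B_NEVER_CLOSES)):
        print(name, *replay(trace))
```

In the second trace, B's segments from the 5-second mark onward are dropped because the entry no longer exists, which is the forced cleanup the reply describes.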