These values help
determine when to drop sessions that do not become fully established. This also helps to free up system
resources, dropping sessions after a specified amount of idle time. CBAC sends a reset message for all dropped
sessions to both sides (source and destination) of the session. The system receiving the reset message releases
the incomplete connection from its process, thereby clearing the resource allocation table.
CBAC monitors the thresholds in the following three ways:
The total number of half-open TCP or UDP sessions
The number of half-open sessions based on time
The number of per-host half-open TCP sessions
The Session State Table
CBAC maintains a session state table with connection information, such as the source/destination IP addresses,
source/destination port numbers, and the application protocol information. For every incoming packet that CBAC
inspects, the state table is updated with all the information. This information is used to punch a dynamic hole in
the firewall access list for the return traffic. Return traffic will be permitted back through the firewall only if an
entry in the state table indicates that the packet belongs to a permissible session.
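The state-table behaviour described above, as an added example that is not code from the book or from Cisco's CBAC implementation: a toy Python model in which outbound packets create entries, inbound packets are admitted only when they match an existing entry as return traffic, and half-open sessions are bounded by a total threshold, a per-host threshold and an idle timeout, with a reset recorded for both sides of every dropped session. The Flow, Session and StateTable names and all threshold values are assumptions made for this example.

```python
from collections import namedtuple
from dataclasses import dataclass

Flow = namedtuple("Flow", "src sport dst dport proto")  # 5-tuple, inside host first

@dataclass
class Session:
    established: bool   # handshake completed?
    last_seen: float    # time of the last packet in either direction

class StateTable:
    # Thresholds are constructed for this example, not CBAC defaults.
    def __init__(self, max_half_open=3, per_host=2, idle_timeout=30.0):
        self.max_half_open, self.per_host, self.idle_timeout = max_half_open, per_host, idle_timeout
        self.table = {}      # Flow -> Session
        self.resets = []     # flows for which a reset was "sent" to both sides

    def half_open(self, host=None):
        return [f for f, s in self.table.items()
                if not s.established and host in (None, f.dst)]

    def outbound(self, flow, now, completes=False):
        # Inside-to-outside packet: create or refresh the session entry.
        s = self.table.get(flow)
        if s is None:
            if (len(self.half_open()) >= self.max_half_open
                    or len(self.half_open(flow.dst)) >= self.per_host):
                self.resets.append(flow)     # threshold hit: drop and reset
                return False
            self.table[flow] = Session(completes, now)
            return True
        s.established, s.last_seen = s.established or completes, now
        return True

    def inbound(self, src, sport, dst, dport, proto, now):
        # Outside-to-inside packet: permitted only as return traffic of a known session.
        s = self.table.get(Flow(dst, dport, src, sport, proto))
        if s is None:
            return False                     # no dynamic hole, so the ACL denies it
        s.last_seen = now
        return True

    def expire(self, now):
        # Drop half-open sessions idle past the timeout; reset both sides of each.
        stale = [f for f, s in self.table.items()
                 if not s.established and now - s.last_seen > self.idle_timeout]
        for f in stale:
            del self.table[f]
            self.resets.append(f)
        return stale
```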