Anton may be right, but ...
This made me ask myself another question. Are cookie requests started by
the http server attempting a connection to the machine on the other side of
the firewall (i.e. a new TCP session) or is it embedded in the TCP/ACK of
your http [port 80] packet? Leading me to ...
Can cookies be blocked by a firewall? I most certainly would LOVE to do
this.
Urban
After posting yesterday, I have received several replies and
have done some more investigation.
Several people have suggested that this could be caused by
cookies....Based on my understanding of client and server
side cookies I disagree. Cookies are just special data or
additional URL info passed in a normal HTTP request/response.
The problem I see seems to be initiated after the firewall
has destroyed the user's connection....Like the server is
trying to re-establish the old connection. I know of lots of
sites with cookies that have never given me this problem.
Here's what I am beginning to think the problem actually is.
This problem is sometimes difficult to reproduce at will, but
I think it is caused by the proxy session timeouts. Proxies
have session establishment timeouts [Sidewinder defaults to
30 sec, unsure of others] that destroy a connection attempt
after a certain period. What I think is happening is that
sometimes a site is _very_ slow to respond to a request [more
than 30sec in my case], and the firewall destroys the
connection pathway after the proxy times out. When the
server is finally able to send the reply, the firewall logs
it as a failed attempt on an unauthorized dest port [your
original source port from the F/W] with an HTTP source port
from the server [your original dest port].
Here's one way to test this [your mileage may vary, and your
test candidate may suffer for a bit]:
-With Netscape [others would prob. work well also] pick a
site outside your proxy that already seems somewhat slow/busy
[www.aol.com comes to mind].
-After loading the URL, hold down on <CTRL> <R> (reload) for
about 30 seconds. This will make gobs of requests and should
make the server really busy.
-Netscape should show the message "connect: server xx.xx.com
contacted, waiting for reply" for at least 45secs.....wait a few
minutes [depends on the server] and take a look at your logs.
If you didn't crash the server with this load, then you
should see an entry in your logs for a failed connection from
your test host.
I guess this problem could be reduced by increasing the proxy
timeouts to several minutes.....but what sort of risk does this pose?
Anton Rager
arager @ McGraw-Hill . com
------------------------------------------------------------
Urban A. Haas
Open Systems and Network Consulting
Total Solutions Group
Phone: (800) 423-8741 Ext. 133; Fax: (612) 831-0509
Internet: uhaas @ tsg-usa . com -or- mailto:uhaas @ tsg-usa . com
------------------------------------------------------------
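One way to check Anton's hypothesis against your own logs, as an added example that is not code from either poster: correlate each logged DENY with the outbound sessions the firewall itself opened. A denied inbound packet whose source is port 80 on a server the firewall contacted a short while earlier, and whose destination port is the firewall's original source port, is the stale reply he describes; anything else is a genuinely unsolicited attempt. The log format ("time ACTION proto src:sport -> dst:dport"), the 15-minute correlation window and the sample lines are all assumptions constructed for the example, not Sidewinder's real log format or real traffic.

```python
"""Correlate firewall DENY entries with earlier outbound sessions to tell a
late server reply (proxy session timed out before the server answered) from
a genuinely unsolicited inbound connection attempt.

Example code; the log format and sample lines below are constructed."""

import re
from datetime import datetime, timedelta

# Assumed generic log format (not Sidewinder's or any real product's):
#   YYYY-MM-DD HH:MM:SS ACTION proto src:sport -> dst:dport
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>[A-Z]+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 192.0.2.10 is the firewall's external (proxy) address,
# 198.51.100.5 is a slow web server, 203.0.113.x are unrelated hosts.
# Line 3 is the server finally answering 52 s after the proxy gave up at 31 s;
# line 6 is the same server answering far too late to be plausible.
SAMPLE_LOG = """\
1998-01-05 10:00:00 ACCEPT tcp 192.0.2.10:1523 -> 198.51.100.5:80
1998-01-05 10:00:31 TIMEOUT tcp 192.0.2.10:1523 -> 198.51.100.5:80
1998-01-05 10:00:52 DENY tcp 198.51.100.5:80 -> 192.0.2.10:1523
1998-01-05 10:05:00 DENY tcp 203.0.113.7:80 -> 192.0.2.10:1523
1998-01-05 10:06:00 DENY tcp 203.0.113.9:31337 -> 192.0.2.10:1523
1998-01-05 10:30:00 DENY tcp 198.51.100.5:80 -> 192.0.2.10:1523
"""


def parse(log_text):
    """Yield one dict per well-formed log line; skip anything that doesn't match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        yield e


def classify_denies(log_text, window=timedelta(minutes=15)):
    """Return (timestamp, verdict, src, dst) for every DENY line.

    verdict is 'late_reply' when the denied packet is the exact reverse of a
    session the firewall itself ACCEPTed within `window` beforehand (server
    port 80 -> the firewall's original source port), otherwise 'unsolicited'.
    """
    accepted = {}  # (fw_addr, fw_port, server, server_port) -> time opened
    results = []
    for e in parse(log_text):
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        if e["action"] == "ACCEPT":
            accepted[key] = e["ts"]
        elif e["action"] == "DENY":
            reverse = (e["dst"], e["dport"], e["src"], e["sport"])
            opened = accepted.get(reverse)
            if opened is not None and timedelta(0) <= e["ts"] - opened <= window:
                verdict = "late_reply"
            else:
                verdict = "unsolicited"
            results.append(
                (e["ts"], verdict, f'{e["src"]}:{e["sport"]}', f'{e["dst"]}:{e["dport"]}')
            )
    return results


def count_verdicts(results):
    """Summarise how many DENYs were stale replies versus real probes."""
    counts = {"late_reply": 0, "unsolicited": 0}
    for _, verdict, _, _ in results:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    verdicts = classify_denies(SAMPLE_LOG)
    for ts, verdict, src, dst in verdicts:
        print(f"{ts} {verdict:11} {src} -> {dst}")
    print(count_verdicts(verdicts))
```

The correlation window is deliberately separate from the proxy's own timeout: it lets you keep the 30-second session timeout (and the bounded half-open state that comes with it) while still suppressing alerts for servers that answer a minute late. Anything from the same server that arrives well outside the window, or from a host the firewall never contacted, is reported as unsolicited and deserves a look.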