Each flow or connection is identifiable by the set of parameters that makes it unique; two of these parameters are the network addresses of the two end-points. For protocols that support multiplexing of multiple flows or connections to/from a single network address - UDP and TCP both support this - the remaining parameters are the identifiers used to do the multiplexing. For both UDP and TCP, this identifier is a port-number, whose scope is local to the end-point, and is therefore usually different at each end-point for a given flow/connection.
Normally, only one of the two port-numbers involved will be known a priori - this will be the documented port-number used for a specific service at the server end (for example, port 80 for an HTTP service); the other is dynamically chosen from the available pool of unused port numbers at the client end.
Therefore the filter criteria can only specify that known port-number; the other port-number can only be determined by inspection of the IP packet payloads, discovering which protocol is being carried, and using knowledge of the protocol to extract the port-number.
This information must then be stored, and held for a duration not less than the duration that communications occur over the flow or connection. This information defines a session, and is stored in the session-table. The key point of the session table entry is that it will then cause return traffic to be allowed, and sent to the correct place. Without the session table entry, the FB9000 would have no way of knowing that the return traffic is part of an allowed (by firewalling rules) session, and it would likely be dropped due to firewalling.
The overall process of analysing packet payloads and maintaining the session-table is referred to as session-tracking.
Session-tracking is necessary to be able to implement firewalling using the kind of rules you might expect to specify - for example:
"allow TCP connection to port 80 on IP address 10.1.2.3, from any IP address" (note that the source port number is not specified)
Session-tracking will therefore be present in a firewall, but not required in a router.
The contents of the session-table can be viewed in the web user interface by clicking "Sessions" in the "Status" menu. You will normally see two entries per session, one with a green background and one with a yellow background. These two 'entries' are the forward and reverse details of the session.
For connection-orientated protocols such as TCP, the session-tracking is able to detect connection closure and delete the session from the session-table.
For protocols such as UDP, which will likely be carrying a higher-level protocol that may well itself implement some form of connection-orientated data transfers, further inspection and analysis of communications is not done by the FB9000. To do so would require support for a very wide range of protocols that are carried over UDP, and this is generally not practical.
Instead, all sessions (including TCP ones) have an associated time-out value - if no packets matching the session arrive for a period equal to the time-out value, the session is deleted automatically. This is adequate for most cases, but may require selection of a suitable time-out value based on knowledge of how frequently the higher-level protocol sends packets. An unnecessarily high time-out may cause the session-table to become populated with a significant number of sessions that correspond to flows or connections that have actually ceased.
However, the FB9000 has highly efficient handling of session tracking, both in terms of memory usage and processor load, so in practice it can easily handle very large session tables (hundreds of thousands of entries).
Note that TCP sessions also have time-outs; this is necessary since the connection may not be cleanly closed, for example one end may crash - if there were no time-out, the session-table would hold a stale entry until the FB9000 was rebooted.
The default timeouts for various session types are shown in Table 7.1.
Table 7.1. Default timeouts for session tracking

| Session type and state | Default timeout |
|------------------------|-----------------|
| Blocked                | 10s             |
| TCP initial connect    | 10s             |
| TCP established        | 1h              |
| TCP closed             | 2s              |
| TCP closed (NAT)       | 2m              |
| UDP initial            | 10s             |
| UDP ongoing            | 2m              |
| RFC4787 UDP initial    | 10s             |
| RFC4787 UDP ongoing    | 3s              |
| ICMP initial           | 3s              |
| ICMP ongoing           | 3s              |
| IPSEC initial          | 1m              |
| IPSEC ongoing          | 1h              |
| Other initial          | 10s             |
| Other ongoing          | 5m              |
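The following is an added illustration, not FireBrick code and not the FB9000's actual implementation, of the session-tracking behaviour described above: a rule specifies only the known server port, the first permitted packet creates a forward entry and a reverse entry keyed on the full address/port tuple, return traffic is accepted because it matches the reverse entry, and idle sessions are removed according to their state's time-out using a subset of the values from Table 7.1. The rule format, the state names, the TCP flag handling (simplified to ACK for "established" and FIN/RST for "closed") and the packet trace are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Subset of the default time-outs from Table 7.1, in seconds. Protocols with no
# row of their own fall back to the "other" entries.
TIMEOUTS = {
    ("tcp", "initial"): 10,
    ("tcp", "established"): 3600,
    ("tcp", "closed"): 2,
    ("udp", "initial"): 10,
    ("udp", "ongoing"): 120,
    ("other", "initial"): 10,
    ("other", "ongoing"): 300,
}


@dataclass
class Rule:
    """Assumed rule shape: only the protocol and the known server-side port/address."""
    proto: str
    dst_ip: str
    dst_port: int


@dataclass
class Session:
    proto: str
    state: str
    last_seen: float


class SessionTable:
    def __init__(self, rules):
        self.rules = rules
        # key: (proto, src_ip, src_port, dst_ip, dst_port) -> Session.
        # Each session has two keys (forward and reverse) pointing at one object,
        # mirroring the green/yellow entry pair shown in the Sessions status page.
        self.sessions = {}

    def _timeout(self, sess):
        return TIMEOUTS.get((sess.proto, sess.state), TIMEOUTS.get(("other", sess.state)))

    def _expire(self, now):
        # Delete any session that has seen no packets for longer than its time-out.
        for key, sess in list(self.sessions.items()):
            if now - sess.last_seen > self._timeout(sess):
                del self.sessions[key]

    def _permitted(self, proto, dst_ip, dst_port):
        return any(r.proto == proto and r.dst_ip == dst_ip and r.dst_port == dst_port
                   for r in self.rules)

    def _advance(self, sess, flags):
        # Simplified state machine: TCP closure is detected from FIN/RST, the
        # first acknowledged packet marks the connection established; other
        # protocols simply move from "initial" to "ongoing" on the second packet.
        if sess.proto == "tcp":
            if "FIN" in flags or "RST" in flags:
                sess.state = "closed"
            elif sess.state == "initial" and "ACK" in flags:
                sess.state = "established"
        elif sess.state == "initial":
            sess.state = "ongoing"

    def handle(self, now, proto, src_ip, src_port, dst_ip, dst_port, flags=()):
        """Return True if the packet is forwarded, False if dropped."""
        self._expire(now)
        fwd = (proto, src_ip, src_port, dst_ip, dst_port)
        rev = (proto, dst_ip, dst_port, src_ip, src_port)
        sess = self.sessions.get(fwd)
        if sess is None:
            # No session: only a packet matching a rule may create one. The
            # client's dynamically chosen port is learned here from the packet.
            if not self._permitted(proto, dst_ip, dst_port):
                return False
            sess = Session(proto, "initial", now)
            self.sessions[fwd] = sess
            self.sessions[rev] = sess
            return True
        sess.last_seen = now
        self._advance(sess, flags)
        return True

    def count(self, now):
        """Number of live sessions (each is stored under two keys)."""
        self._expire(now)
        return len({id(s) for s in self.sessions.values()})


def demo():
    table = SessionTable([Rule("tcp", "10.1.2.3", 80), Rule("udp", "10.1.2.3", 53)])
    d = []
    # Constructed trace: client 192.0.2.10 opens TCP to the web server.
    d.append(table.handle(0.0, "tcp", "192.0.2.10", 51000, "10.1.2.3", 80, ("SYN",)))
    d.append(table.handle(0.1, "tcp", "10.1.2.3", 80, "192.0.2.10", 51000, ("SYN", "ACK")))
    # Unsolicited packet towards a client: no session and no matching rule.
    d.append(table.handle(0.2, "tcp", "10.1.2.3", 80, "192.0.2.99", 51001, ("SYN",)))
    # DNS query and its reply.
    d.append(table.handle(0.3, "udp", "192.0.2.10", 40000, "10.1.2.3", 53))
    d.append(table.handle(0.4, "udp", "10.1.2.3", 53, "192.0.2.10", 40000))
    after_setup = table.count(0.5)
    # Five minutes later the UDP session (2m ongoing) has expired; TCP (1h) has not.
    d.append(table.handle(300.0, "udp", "10.1.2.3", 53, "192.0.2.10", 40000))
    d.append(table.handle(300.1, "tcp", "10.1.2.3", 80, "192.0.2.10", 51000, ("ACK",)))
    # Client closes; the "closed" state expires after 2s.
    table.handle(300.2, "tcp", "192.0.2.10", 51000, "10.1.2.3", 80, ("FIN", "ACK"))
    return {"decisions": d, "after_setup": after_setup, "at_end": table.count(310.0)}


if __name__ == "__main__":
    print(demo())
```

The trace shows why an over-long time-out matters: with the UDP "ongoing" value of 2m, the DNS session is gone by the time a late reply arrives, whereas a much larger value would keep such entries in the table long after the exchange has finished.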