From owner-freebsd-stable Mon Jan 14 20:20:14 2002
Date: Mon, 14 Jan 2002 21:10:00 -0700
Subject: Re: tcp keepalive and dynamic ipfw rules
From: Ian
To: freebsd-stable@freebsd.org

>>> My solution to keep my ssh sessions from hanging because I made a cup
>>> of coffee was to up the sysctl MIB 'net.inet.ip.fw.dyn_ack_lifetime' to
>>> a more reasonable value.
>>
>> So, non-active TCP sessions can now get packets through since the
>> lifetime of the rules now exceeds the lifetime of many of your TCP
>> sessions, so I can now watch your firewall and punch packets through it
>> by analyzing the data.
>>
>> (In short, anyone good enough to punch through packets using the other
>> firewall setup is also capable of punching through packets with extended
>> lifetime TCP dynamic rules.)
>
> Is ipfw really that dumb?
>
[snip]

No, it's not that dumb. The implication of Nate's reply was wrong. When a
tcp connection closes, a dynamic rule involving that connection is changed
from the dyn_ack_lifetime period (which can safely be long) to the
dyn_fin_lifetime period, which by default is fairly short.

If you use dynamic rules and human-interactive connections that involve the
dynamic rules (such as ssh, ftp, etc) then it makes sense for your dyn_ack
lifetime to be longer than the tcp keepalive period (if you want to leave
terminal sessions open indefinitely), or at least longer than you're likely
to be away recycling coffee.

-- Ian
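The relationship Ian describes between net.inet.ip.fw.dyn_ack_lifetime and the TCP keepalive timers, as an added example that is not part of the original mail or of ipfw: a POSIX sh script that reads the relevant sysctl values (here from a constructed sample of sysctl output rather than a live FreeBSD host) and checks whether the dynamic-rule lifetime for established connections outlasts the keepalive idle period, so that a keepalive probe and its ACK refresh the rule before it expires. The helper names get_sysctl, ack_lifetime_covers_keepalive and recommended_dyn_ack_lifetime are my own; the script assumes, as FreeBSD's sysctl interface does, that net.inet.tcp.keepidle and net.inet.tcp.keepintvl are reported in milliseconds while the ipfw dyn_*_lifetime values are in seconds.

```shell
#!/bin/sh
# Constructed sample of `sysctl net.inet` output (not captured from a real host).
# On a FreeBSD box you would instead pipe `sysctl net.inet.ip.fw net.inet.tcp`
# into the same parsing.
SAMPLE='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000'

# get_sysctl NAME -- print the value of NAME from the sample lines
get_sysctl() {
    printf '%s\n' "$SAMPLE" | awk -v k="$1" -F': ' '$1 == k { print $2 }'
}

# keepalive_period_s -- seconds before a keepalive probe is answered:
# idle time until the first probe plus one probe interval, both given in ms
keepalive_period_s() {
    idle_ms=$(get_sysctl net.inet.tcp.keepidle)
    intvl_ms=$(get_sysctl net.inet.tcp.keepintvl)
    echo $(( (idle_ms + intvl_ms) / 1000 ))
}

# ack_lifetime_covers_keepalive -- exit 0 when the established-connection
# rule lifetime (seconds) is longer than the keepalive period, 1 otherwise.
# With the defaults above (300 s vs 7200 s idle) this fails, which is exactly
# the idle-ssh-session problem described in the thread.
ack_lifetime_covers_keepalive() {
    ack_s=$(get_sysctl net.inet.ip.fw.dyn_ack_lifetime)
    [ "$ack_s" -gt "$(keepalive_period_s)" ]
}

# recommended_dyn_ack_lifetime -- smallest value that still lets a keepalive
# exchange refresh the rule, with a 60 s margin for scheduling slop
recommended_dyn_ack_lifetime() {
    echo $(( $(keepalive_period_s) + 60 ))
}

# print_fix -- the sysctl invocation an admin would run; printed, not executed.
# dyn_fin_lifetime is deliberately left alone: closed connections still drop
# to the short FIN lifetime, which is the point Ian makes in the reply.
print_fix() {
    if ack_lifetime_covers_keepalive; then
        echo "dyn_ack_lifetime already outlasts the keepalive period; nothing to do"
    else
        echo "sysctl net.inet.ip.fw.dyn_ack_lifetime=$(recommended_dyn_ack_lifetime)"
    fi
}

print_fix
```

Run as-is it prints the sysctl line for the sample values; swap SAMPLE for real sysctl output to check a host. If you would rather keep dyn_ack_lifetime short, the alternative is to lower net.inet.tcp.keepidle (or enable keepalives on the ssh client side) so that probes arrive inside the existing rule lifetime.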