From: Antoine Jacoutot <ajacoutot@lphp.org>
To: Michael Sierchio
Cc: freebsd-ipfw@freebsd.org, Bruno Afonso
Date: Tue, 29 Apr 2003 16:16:52 +0200
Subject: Re: ipfw dynamic rule timeout
Message-Id: <200304291616.52730.ajacoutot@lphp.org>
In-Reply-To: <3EAE82E3.1080704@tenebras.com>
References: <200304271259.02025.ajacoutot@lphp.org> <200304291543.47991.ajacoutot@lphp.org> <3EAE82E3.1080704@tenebras.com>
List-Id: IPFW Technical Discussions

On Tuesday 29 April 2003 15:49, Michael Sierchio wrote:
> Antoine Jacoutot wrote:
> > sysctl net.inet.ip.fw.dyn_syn_lifetime=300
> > The default is 20, so it gives a little more time. But I still have
> > problems from time to time (clients behind the firewall get disconnected
> > from an internet news server after a while reading an article, web
> > clients from the internet to the web server get disconnected while
> > reading mail from webmail...).
>
> You're diddling the wrong MIB value. dyn_syn_lifetime is for
> half-open connections (three-way handshake not complete).
> It's dyn_ack_lifetime that you want to set. But if the problem
> is lack of keepalives, you could try

Yes, but strangely, it works. The dyn_ack_lifetime is at 300 by default, so I don't think I need to change that.
Here are the default values on my system (I didn't touch any value, and it looks similar to the ones you suggested except some values are even bigger):

net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.tcp.keepinit: 75000

> and make sure the firewall keepalive options are on.

You mean:
net.inet.ip.fw.dyn_keepalive: 1

Antoine

ps: do you need more information, like my IPFW ruleset or so?
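The sysctl values quoted in this message make the underlying timing problem visible once the units are lined up: net.inet.tcp.keepidle is in milliseconds, so the host's own TCP keepalive only fires after 7200 s of idle time, while an ipfw dynamic rule for an established session expires after dyn_ack_lifetime, 300 s. Host keepalives therefore cannot refresh the rule by themselves; what does is net.inet.ip.fw.dyn_keepalive=1, which (per ipfw(8)) makes the firewall itself send keepalives to both ends before a keep-state TCP rule expires. dyn_syn_lifetime, as Michael says, only governs half-open connections and has no bearing on an idle established session. The script below is an added example written for this page, not code from the thread or from FreeBSD; it checks a `sysctl` dump for exactly that mismatch. The sample text is constructed from the values in the message, and the function names (`get_val`, `keepalive_gap`, `check_dyn_rules`) are my own.

```shell
#!/bin/sh
# Constructed sample in "name: value" form, values copied from the message above.
# On a real host replace it with: sysctl net.inet.ip.fw net.inet.tcp
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_syn_lifetime: 300
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.tcp.keepinit: 75000'

# get_val NAME TEXT: print the integer value of one sysctl from "name: value" lines
get_val() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == (k ":") { print $2; exit }'
}

# keepalive_gap ACK_LIFETIME_S KEEPIDLE_MS: seconds by which the first host TCP
# keepalive arrives AFTER the dynamic rule has already expired (0 when in time)
keepalive_gap() {
    idle_s=$(( $2 / 1000 ))          # keepidle is in milliseconds on FreeBSD
    if [ "$idle_s" -le "$1" ]; then
        echo 0
    else
        echo $(( idle_s - $1 ))
    fi
}

# check_dyn_rules TEXT: returns 0 if an idle established TCP session survives the
# dynamic-rule lifetime, 1 if the rule will silently expire under it
check_dyn_rules() {
    ack=$(get_val net.inet.ip.fw.dyn_ack_lifetime "$1")
    keep=$(get_val net.inet.ip.fw.dyn_keepalive "$1")
    always=$(get_val net.inet.tcp.always_keepalive "$1")
    idle=$(get_val net.inet.tcp.keepidle "$1")
    gap=$(keepalive_gap "$ack" "$idle")

    if [ "$keep" = 1 ]; then
        echo "ok: dyn_keepalive=1, ipfw refreshes keep-state TCP rules before the ${ack}s lifetime ends"
        return 0
    fi
    if [ "$always" = 1 ] && [ "$gap" -eq 0 ]; then
        echo "ok: host keepalive fires within dyn_ack_lifetime=${ack}s"
        return 0
    fi
    echo "risk: dynamic rule expires after ${ack}s idle; first host keepalive is ${gap}s too late."
    echo "      set net.inet.ip.fw.dyn_keepalive=1 (dyn_syn_lifetime does not affect established sessions)"
    return 1
}

# Run against the constructed sample when executed directly.
check_dyn_rules "$SAMPLE_SYSCTL"
```

With the values from the message the check passes only because dyn_keepalive is 1; flip that to 0 and the same values report a 6900 s gap, which is the kind of silent idle-session drop described at the top of the thread.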