Date: Thu, 12 Apr 2001 10:56:38 -0600
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
To: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw dynamic rulesets broken for me
Message-ID: <200104121656.f3CGuci23431@orthanc.ab.ca>
In-Reply-To: Your message of "Wed, 11 Apr 2001 23:31:16 PDT." <15061.19380.659608.578985@horsey.gshapiro.net>

>>>>> "Gregory" == Gregory Neil Shapiro <gshapiro@FreeBSD.ORG> writes:

    Gregory> I tried switching from using the established check to
    Gregory> keeping state and it isn't working as expected. Dynamic
    Gregory> rules timeout on open connections (e.g., ssh connections
    Gregory> that I haven't used for about 10 minutes but are still
    Gregory> open).

ipfw has insanely short timeouts for the keep-state engine. Add this
to /etc/sysctl.conf (adjusted to a suitable value for your network):

    # TCP connections time out after eight hours.
    net.inet.ip.fw.dyn_ack_lifetime=28800

--lyndon
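
Added example (not part of the original message and not ipfw's own code): a small shell model of the idle timer on one keep-state dynamic rule, showing why a ten-minute pause strands an ssh session under a short dyn_ack_lifetime but not under the 28800-second setting above. The function names, the packet timeline and the 300-second fallback used when sysctl.conf does not set the value are assumptions made for the example.

```shell
#!/bin/sh
# Added example: simplified model of one ipfw keep-state dynamic rule for an
# established TCP connection. Not ipfw's code; it models only the idle timer.

# Assumption: 300 s is the stock dyn_ack_lifetime when sysctl.conf is silent.
DEFAULT_ACK_LIFETIME=300

# Read sysctl.conf text on stdin; print the effective dyn_ack_lifetime.
# Comments are stripped and the last valid assignment wins.
ack_lifetime() {
    awk -F= -v def="$DEFAULT_ACK_LIFETIME" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        $1 == "net.inet.ip.fw.dyn_ack_lifetime" && $2 ~ /^[0-9]+$/ { v = $2 }
        END { print (v == "" ? def : v) }'
}

# first_after_expiry LIFETIME T1 T2 ...
# Ti are packet arrival times in seconds. Each packet that matches the live
# dynamic rule pushes its expiry to Ti + LIFETIME. Prints the arrival time of
# the first packet that finds the rule already expired, or "none".
first_after_expiry() {
    lifetime=$1; shift
    expires=""
    for t in "$@"; do
        if [ -n "$expires" ] && [ "$t" -ge "$expires" ]; then
            echo "$t"; return 0
        fi
        expires=$((t + lifetime))
    done
    echo none
}

# Constructed timeline: an ssh session that goes quiet for ten minutes.
TIMELINE="0 1 5 605 606"

# Constructed sysctl.conf contents carrying the setting from the message.
TUNED_CONF='# TCP connections time out after eight hours.
net.inet.ip.fw.dyn_ack_lifetime=28800'

stock=$(printf '' | ack_lifetime)
tuned=$(printf '%s\n' "$TUNED_CONF" | ack_lifetime)
echo "lifetime=$stock: first packet after expiry at t=$(first_after_expiry "$stock" $TIMELINE)"
echo "lifetime=$tuned: first packet after expiry at t=$(first_after_expiry "$tuned" $TIMELINE)"
```

A packet that arrives after expiry no longer matches the dynamic rule, so its fate depends on the static rules that follow, which in a default-deny ruleset means the idle session hangs.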