Date: Mon, 14 Jan 2002 21:10:00 -0700
From: Ian <freebsd@damnhippie.dyndns.org>
To: <stable@freebsd.org>
Subject: Re: tcp keepalive and dynamic ipfw rules
Message-ID: <B868F9A8.91F2%freebsd@damnhippie.dyndns.org>
In-Reply-To: <GCA67273WQ2HBXUKHUOB6JNLOFDKF.3c439ad3@VicNBob>
>>> My solution to keep my ssh sessions from hanging because I made a cup
>>> of coffee was to up the sysctl MIB 'net.inet.ip.fw.dyn_ack_lifetime' to
>>> a more reasonable value.
>>
>> So, non-active TCP sessions can now get packets through since the
>> lifetime of the rules now exceeds the lifetime of many of your TCP
>> sessions, so I can now watch your firewall and punch packets through it
>> by analyzing the data.
>>
>> (In short, anyone good enough to punch through packets using the other
>> firewall setup is also capable of punching through packets with extended
>> lifetime TCP dynamic rules.)
>
> Is ipfw really that dumb?
> [snip]

No, it's not that dumb. The implication of Nate's reply was wrong.

When a TCP connection closes, a dynamic rule involving that connection is changed from the dyn_ack_lifetime period (which can safely be long) to the dyn_fin_lifetime period, which by default is fairly short.

If you use dynamic rules and human-interactive connections that involve the dynamic rules (such as ssh, ftp, etc.) then it makes sense for your dyn_ack lifetime to be longer than the TCP keepalive period (if you want to leave terminal sessions open indefinitely), or at least longer than you're likely to be away recycling coffee.

--
Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
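The point Ian makes above, that a long dyn_ack_lifetime does not keep a rule alive once the connection has closed, is easier to see in a small model. The following is an added example written for this page, not ipfw source and not from anyone in the thread: it keeps one keep-state rule, reschedules its expiry from the TCP flags seen in each direction, and walks a sample ssh session (handshake, idle period refreshed by a keepalive ACK, then a two-sided close). The lifetimes are assumed to be the ipfw sysctl defaults (dyn_ack_lifetime 300, dyn_syn_lifetime 20, dyn_fin_lifetime 1, dyn_rst_lifetime 1, all in seconds) and the rule state tracking is a simplification of what ipfw actually does.

```python
# Added example: simplified model of an ipfw keep-state rule's expiry.
# Assumed lifetimes (seconds) follow the ipfw sysctl defaults as we know them:
# dyn_ack_lifetime=300, dyn_syn_lifetime=20, dyn_fin_lifetime=1, dyn_rst_lifetime=1.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class DynRule:
    def __init__(self, ack=300, syn=20, fin=1, rst=1):
        self.life = {"ack": ack, "syn": syn, "fin": fin, "rst": rst}
        self.syn_seen = [False, False]   # index 0 = forward, 1 = reverse direction
        self.fin_seen = [False, False]
        self.reset = False
        self.expire = 0                  # absolute time (s) the rule disappears

    def see(self, now, direction, flags):
        """Record a packet's flags and return the rule's new expiry time."""
        if flags & RST:
            self.reset = True
        if flags & SYN:
            self.syn_seen[direction] = True
        if flags & FIN:
            self.fin_seen[direction] = True
        if self.reset:
            kind = "rst"                 # connection aborted
        elif not all(self.syn_seen):
            kind = "syn"                 # handshake still in progress
        elif all(self.fin_seen):
            kind = "fin"                 # both sides closed: short lifetime now
        else:
            kind = "ack"                 # established (or half-closed): long lifetime
        self.expire = now + self.life[kind]
        return self.expire

    def alive(self, now):
        return now < self.expire


def ssh_session(ack_lifetime=300):
    """Constructed sample session; returns the expiry after each phase."""
    r = DynRule(ack=ack_lifetime)
    r.see(0, 0, SYN)
    r.see(0, 1, SYN | ACK)
    established = r.see(1, 0, ACK)           # handshake done: ack lifetime
    refreshed = r.see(200, 0, ACK)           # keepalive ACK extends the rule
    half_closed = r.see(250, 0, FIN | ACK)   # one side closes: still ack lifetime
    closed = r.see(251, 1, FIN | ACK)        # both closed: fin lifetime
    return {"established": established, "refreshed": refreshed,
            "half_closed": half_closed, "closed": closed,
            "open_after_close": r.alive(253)}
```

Raising the assumed ack lifetime to a day (`ssh_session(86400)`) changes the idle figures but not the post-close expiry, which is the behaviour Ian describes.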