From: Antoine Jacoutot (ajacoutot@lphp.org)
To: freebsd-ipfw@freebsd.org
Date: Sun, 27 Apr 2003 12:59:02 +0200
Subject: ipfw dynamic rule timeout
Message-Id: <200304271259.02025.ajacoutot@lphp.org>

Hi !

I hope this is the right list for this, I couldn't get any answer from -questions.

I'm having a problem with ipfw and dynamic rules timeout. For example, when I ssh to a distant machine, if I don't type anything for like 10 or 20 seconds, the connection is dropped.

I read this in the ipfw man page:

"Dynamic rules expire after some time, which depends on the status of the flow and the setting of some sysctl variables. See Section SYSCTL VARIABLES for more details. For TCP sessions, dynamic rules can be instructed to periodically send keepalive packets to refresh the state of the rule when it is about to expire."
So I tried the following command and got this output:

# sysctl -a | grep net.inet.ip.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 500
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 168
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 27
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

So, obviously, keepalive should work. Is there anything I should do besides setting net.inet.ip.fw.dyn_keepalive to 1 (which is the default value)?

I'm running FreeBSD-4.8-RELEASE with IPFW2.

Thanks in advance.

Antoine
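As an added illustration (not part of the post above, and not FreeBSD's own tooling), the script below parses a saved `sysctl -a | grep net.inet.ip.fw` dump, maps each ipfw dynamic-rule flow state to the dyn_*_lifetime sysctl that governs it, and reports which TCP state a drop after a given idle period is consistent with. The embedded dump is the one quoted in the post; the function names and the idle-time heuristic are mine.

```shell
#!/bin/sh
# Added example: audit ipfw dynamic-rule lifetimes from a sysctl dump.
# SYSCTL_DUMP is the relevant part of the output quoted in the post.
SYSCTL_DUMP='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1'

# sysctl_get NAME: value of net.inet.ip.fw.NAME in the dump (empty if absent)
sysctl_get() {
    printf '%s\n' "$SYSCTL_DUMP" |
        awk -v key="net.inet.ip.fw.$1:" '$1 == key { print $2; exit }'
}

# lifetime_for STATE: idle seconds before a dynamic rule in STATE expires.
# ipfw(8) pairs each flow state with one dyn_*_lifetime sysctl.
lifetime_for() {
    case "$1" in
        syn) sysctl_get dyn_syn_lifetime ;;   # handshake not yet completed
        ack) sysctl_get dyn_ack_lifetime ;;   # established TCP session
        fin) sysctl_get dyn_fin_lifetime ;;
        rst) sysctl_get dyn_rst_lifetime ;;
        udp) sysctl_get dyn_udp_lifetime ;;
        *)   sysctl_get dyn_short_lifetime ;;
    esac
}

# tcp_state_for_idle_drop IDLE: the TCP state whose lifetime is the smallest
# one that still covers IDLE seconds, i.e. the state the rule was most likely
# sitting in when a session died after that much idle time (heuristic).
tcp_state_for_idle_drop() {
    idle=$1; best=""; best_life=""
    for st in syn ack fin rst; do
        life=$(lifetime_for "$st")
        [ "$life" -ge "$idle" ] || continue
        if [ -z "$best" ] || [ "$life" -lt "$best_life" ]; then
            best=$st; best_life=$life
        fi
    done
    printf '%s\n' "$best"
}

# keepalive_covers STATE: succeeds if dyn_keepalive will refresh a rule in
# STATE. Keepalives are only sent for established (ack) TCP rules, so a rule
# that never reached that state still expires after its own lifetime.
keepalive_covers() {
    [ "$1" = ack ] && [ "$(sysctl_get dyn_keepalive)" = 1 ]
}
```

With the post's values, a drop after 10 to 20 idle seconds maps to the syn state (20 s), which dyn_keepalive does not refresh; an established session would instead have 300 s plus keepalives.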