Date:      Fri,  2 May 2003 00:30:40 +0200
From:      Antoine Jacoutot <ajacoutot@lphp.org>
To:        "" <freebsd@code-space.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: ipfw dynamic rule timeout --> found a solution, but need confirmation
Message-ID:  <1051828240.3eb1a0107e282@webmail.lphp.org>
In-Reply-To: <000001c31015$c6c73ed0$0501a8c0@neptune>
References:  <000001c31015$c6c73ed0$0501a8c0@neptune>

Selon C_Ahlers <freebsd@code-space.com>:
> Here are my settings for one of my firewalls that is nearly identical to
> your situation:
> 1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
> 2) net.inet.ip.fw.dyn_syn_lifetime=20
> 3) net.inet.ip.fw.dyn_ack_lifetime=300
> 4) net.inet.ip.fw.dyn_keepalive=1  
> These settings are working just fine for me. 
> I am curious as to how you are determining that the dynamic rule are
> timing-out prematurely. 
> Remember, just because keep-alive type packets are going back and forth
> does not prevent a server application (that you are connected to) from
> using some other mechanism to decide if the client is inactive, causing
> the server to disconnect.

Yes, I understand that. Since, it is kind of annoying because every 20 seconds, 
I get disconnected from ssh, newsgroup, and I can't get connected to MSN 
messenger more than those 20 seconds.
If I set net.inet.ip.fw.dyn_syn_lifetime=300, it gets reset to 300 sec, 20 
seconds before the end at the same moment net.inet.ip.fw.dyn_ack_lifetime gets 
reset... and everything works fine (MSN Messenger too).
My concern was about setting net.inet.ip.fw.dyn_syn_lifetime, is it insecure or 
so? I am not expert enough to tell if it would be a bad idea or not.
Thanks for your help.

-- 
Antoine Jacoutot 
ajacoutot@lphp.org 
http://www.lphp.org 
"Unix is user friendly... It's just selective about who his friends are..." 
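The following is an added example, not part of this message, of the thread, or of ipfw itself. It parses the dynamic-rule section of `ipfw -d list` output to show how much lifetime each state entry has left, and reviews the `net.inet.ip.fw.dyn_*` sysctl values that the thread discusses. The sample output below is constructed in the FreeBSD 4.x `ipfw -d list` format and was not captured from a real host; the dict of sysctl values, the `DynRule` class and the warning heuristic in `review_lifetimes` are this example's own assumptions, not ipfw behaviour.

```python
"""Inspect ipfw dynamic-rule lifetimes and the dyn_* sysctls behind them.

The sample text below is constructed for this example in the FreeBSD 4.x
`ipfw -d list` format; it is not output captured from a real firewall.
"""
import re
from dataclasses import dataclass

# Constructed sample: rule number, packets, bytes, (seconds left), STATE,
# protocol, source addr/port <-> destination addr/port.
SAMPLE_IPFW_D_LIST = """\
## Dynamic rules (4):
00300   152   19876 (292s) STATE tcp 192.168.1.10 49152 <-> 10.0.0.5 22
00300     1      60 (18s) STATE tcp 192.168.1.10 49153 <-> 10.0.0.6 119
00300     1      60 (3s) STATE tcp 192.168.1.11 49200 <-> 10.0.0.7 1863
00300    40    3200 (9s) STATE udp 192.168.1.10 53123 <-> 10.0.0.1 53
"""

# One dynamic-rule line of `ipfw -d list`; static rules and the
# "## Dynamic rules" header do not match and are skipped.
DYN_LINE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


@dataclass
class DynRule:  # hypothetical container for one parsed state entry
    rule: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int  # seconds until ipfw drops this entry if no traffic refreshes it


def parse_dynamic_rules(text):
    """Return the DynRule entries found in `ipfw -d list` output."""
    rules = []
    for line in text.splitlines():
        m = DYN_LINE.match(line)
        if not m:
            continue
        rules.append(DynRule(int(m["rule"]), m["proto"], m["src"], int(m["sport"]),
                             m["dst"], int(m["dport"]), int(m["ttl"])))
    return rules


def expiring_soon(rules, threshold=20):
    """Entries whose remaining lifetime is at or below `threshold` seconds.

    Run repeatedly, this shows whether entries are being refreshed (by traffic
    or by dyn_keepalive) or are simply running down and being dropped.
    """
    return [r for r in rules if r.ttl <= threshold]


def review_lifetimes(sysctl):
    """Heuristic review of dyn_* values (this example's own rules, not ipfw's).

    `sysctl` maps full sysctl names to integer values, e.g. the four settings
    quoted in the thread.
    """
    warnings = []
    syn = sysctl["net.inet.ip.fw.dyn_syn_lifetime"]
    ack = sysctl["net.inet.ip.fw.dyn_ack_lifetime"]
    keepalive = sysctl.get("net.inet.ip.fw.dyn_keepalive", 0)
    if syn >= ack:
        # A SYN-state entry belongs to a handshake that has not completed yet.
        # Holding it as long as an established entry means unfinished
        # connections occupy state-table slots for the full lifetime.
        warnings.append(
            f"dyn_syn_lifetime={syn}s is not shorter than dyn_ack_lifetime={ack}s: "
            "half-open entries are kept as long as established ones")
    if not keepalive:
        warnings.append(
            "dyn_keepalive=0: idle established sessions expire after "
            f"dyn_ack_lifetime={ack}s with no refresh from the firewall")
    return warnings


if __name__ == "__main__":
    rules = parse_dynamic_rules(SAMPLE_IPFW_D_LIST)
    for r in expiring_soon(rules):
        print(f"expiring in {r.ttl:>3}s: {r.proto} {r.src}:{r.sport} <-> {r.dst}:{r.dport}")
    thread_settings = {  # values quoted in the thread
        "net.inet.ip.fw.dyn_syn_lifetime": 20,
        "net.inet.ip.fw.dyn_ack_lifetime": 300,
        "net.inet.ip.fw.dyn_keepalive": 1,
    }
    for w in review_lifetimes(thread_settings):
        print("warning:", w)
```

Replace `SAMPLE_IPFW_D_LIST` with the real output of `ipfw -d list` on the firewall, and feed `review_lifetimes` the values from `sysctl net.inet.ip.fw`; the warning about `dyn_syn_lifetime` fires for the 300-second setting tried in this message and stays silent for the 20/300 pair quoted from the other firewall.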


