Date: Fri, 2 May 2003 00:30:40 +0200
From: Antoine Jacoutot <ajacoutot@lphp.org>
To: "" <freebsd@code-space.com>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: ipfw dynamic rule timeout --> find a solution, but need confirmation
Message-ID: <1051828240.3eb1a0107e282@webmail.lphp.org>
In-Reply-To: <000001c31015$c6c73ed0$0501a8c0@neptune>
References: <000001c31015$c6c73ed0$0501a8c0@neptune>
Quoting C_Ahlers <freebsd@code-space.com>:

> Here are my settings for one of my firewalls that is nearly identical to
> your situation:
> 1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
> 2) net.inet.ip.fw.dyn_syn_lifetime=20
> 3) net.inet.ip.fw.dyn_ack_lifetime=300
> 4) net.inet.ip.fw.dyn_keepalive=1
> These settings are working just fine for me.
> I am curious as to how you are determining that the dynamic rules are
> timing out prematurely.
> Remember, just because keep-alive type packets are going back and forth
> does not prevent a server application (that you are connected to) from
> using some other mechanism to decide if the client is inactive, causing
> the server to disconnect.

Yes, I understand that. Still, it is kind of annoying because every 20 seconds I get disconnected from ssh and newsgroups, and I can't stay connected to MSN Messenger for more than those 20 seconds.

If I set net.inet.ip.fw.dyn_syn_lifetime=300, it gets reset to 300 sec, 20 seconds before the end, at the same moment net.inet.ip.fw.dyn_ack_lifetime gets reset... and everything works fine (MSN Messenger too).

My concern is about setting net.inet.ip.fw.dyn_syn_lifetime: is it insecure or so? I am not expert enough to tell if it would be a bad idea or not.

Thanks for your help.

--
Antoine Jacoutot
ajacoutot@lphp.org
http://www.lphp.org
"Unix is user friendly... It's just selective about who his friends are..."
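The question that closes the message above, whether raising net.inet.ip.fw.dyn_syn_lifetime is insecure, comes down to how long the firewall keeps a dynamic rule for a TCP connection whose handshake has not completed, and how many such entries the dynamic table (net.inet.ip.fw.dyn_max) can hold. The script below is an added example, not part of this thread or of FreeBSD: it reads the four sysctls discussed (falling back to the values quoted in the thread, plus an assumed dyn_max of 4096, as constructed defaults when the sysctls are not available on the host) and flags the settings a defender would look at. The capacity estimate dyn_max / dyn_syn_lifetime and the 60-second cap are this example's own approximations, not ipfw defaults.

```shell
#!/bin/sh
# Added example (not from the thread): quantify what a long
# net.inet.ip.fw.dyn_syn_lifetime costs before changing it on an ipfw host.
#
# Background (ipfw(8)): a dynamic rule created by keep-state lives for
# dyn_syn_lifetime seconds while the TCP handshake is incomplete and for
# dyn_ack_lifetime seconds once both sides have ACKed; the table holds at
# most dyn_max entries; dyn_keepalive=1 makes ipfw send keepalives before
# an established entry expires.  The "sustainable SYN rate" below
# (dyn_max / dyn_syn_lifetime) is this example's own rough estimate of how
# many half-open connections per second the table can absorb before it
# fills and new dynamic rules are refused.

# Read a sysctl value; fall back to a constructed default when the sysctl
# does not exist on this host (e.g. when run anywhere but a FreeBSD box).
read_sysctl() {
    name=$1; default=$2
    value=$(sysctl -n "$name" 2>/dev/null) && [ -n "$value" ] || value=$default
    printf '%s\n' "$value"
}

# Integer number of new half-open connections per second the dynamic table
# sustains at steady state: dyn_max / dyn_syn_lifetime.
syn_capacity() {
    dyn_max=$1; syn_lifetime=$2
    printf '%s\n' $(( dyn_max / syn_lifetime ))
}

# Audit the four settings.  Prints one line per finding and returns 0 when
# nothing is flagged, 1 otherwise.
# Arguments: dyn_syn_lifetime dyn_ack_lifetime dyn_keepalive dyn_max
audit_dyn_settings() {
    syn=$1; ack=$2; keepalive=$3; max=$4
    status=0
    # Assumption of this example: above this many seconds, handshakes that
    # never complete pin table entries for minutes rather than seconds.
    syn_lifetime_cap=60

    if [ "$keepalive" -ne 1 ]; then
        echo "WARN: dyn_keepalive=$keepalive; idle established connections are" \
             "dropped after dyn_ack_lifetime=${ack}s instead of being refreshed"
        status=1
    fi
    if [ "$syn" -gt "$syn_lifetime_cap" ]; then
        echo "WARN: dyn_syn_lifetime=${syn}s keeps half-open entries" \
             "$(( syn / 20 ))x longer than the 20s default; a table of $max" \
             "absorbs about $(syn_capacity "$max" "$syn") SYN/s instead of" \
             "$(syn_capacity "$max" 20) SYN/s"
        status=1
    fi
    if [ "$syn" -ge "$ack" ]; then
        echo "WARN: dyn_syn_lifetime ($syn) >= dyn_ack_lifetime ($ack):" \
             "half-open connections are kept as long as established ones"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: syn=${syn}s ack=${ack}s keepalive=$keepalive max=$max"
    return "$status"
}

# Stand-alone run: audit the live values, or the constructed fallbacks
# (the thread's settings plus dyn_max=4096) when the sysctls are absent.
audit_dyn_settings \
    "$(read_sysctl net.inet.ip.fw.dyn_syn_lifetime 20)" \
    "$(read_sysctl net.inet.ip.fw.dyn_ack_lifetime 300)" \
    "$(read_sysctl net.inet.ip.fw.dyn_keepalive 1)" \
    "$(read_sysctl net.inet.ip.fw.dyn_max 4096)"
```

Run with the thread's values (20/300/1) the audit passes; with dyn_syn_lifetime raised to 300 it reports that the same 4096-entry table now sustains about 13 half-open connections per second instead of 204, which is the cost of the change the message asks about: the established-connection behaviour is unchanged, but the firewall's tolerance for handshakes that never complete drops by the same factor the lifetime grew.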