Date:      Fri,  2 May 2003 00:30:40 +0200
From:      Antoine Jacoutot <>
To:        "" <>
Subject:   RE: ipfw dynamic rule timeout --> find a solution, but need confirmation
Message-ID:  <>
In-Reply-To: <000001c31015$c6c73ed0$0501a8c0@neptune>
References:  <000001c31015$c6c73ed0$0501a8c0@neptune>

According to C_Ahlers <>:
> Here are my settings for one of my firewalls that is nearly identical to
> your situation:
> 1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
> 2) net.inet.ip.fw.dyn_syn_lifetime=20
> 3) net.inet.ip.fw.dyn_ack_lifetime=300
> 4) net.inet.ip.fw.dyn_keepalive=1  
> These settings are working just fine for me. 
> I am curious as to how you are determining that the dynamic rules are
> timing out prematurely.
> Remember, just because keep-alive type packets are going back and forth
> does not prevent a server application (that you are connected to) from
> using some other mechanism to decide if the client is inactive, causing
> the server to disconnect.

Yes, I understand that. Still, it is kind of annoying because every 20 seconds,
I get disconnected from ssh, newsgroup, and I can't get connected to MSN
messenger for more than those 20 seconds.
If I set net.inet.ip.fw.dyn_syn_lifetime=300, it gets reset to 300 sec, 20
seconds before the end, at the same moment net.inet.ip.fw.dyn_ack_lifetime gets
reset... and everything works fine (MSN Messenger too).
My concern was about setting net.inet.ip.fw.dyn_syn_lifetime: is it insecure or
so? I am not expert enough to tell if it would be a bad idea or not.
Thanks for your help.

Antoine Jacoutot 
"Unix is user friendly... It's just selective about who his friends are..." 
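The two messages above turn on the ipfw dynamic-rule lifetimes: a rule created by keep-state is held for dyn_syn_lifetime seconds until SYNs have been seen in both directions, then for dyn_ack_lifetime seconds, and the whole dynamic table is capped at dyn_max. The script below is an added example, not code from this thread or from the ipfw project: it reads `sysctl net.inet.ip.fw` style "key: value" lines, reports the configured lifetimes, and shows the trade-off the question raises, namely that a longer dyn_syn_lifetime lets every unanswered SYN hold a table slot for that long, so it works out how many unanswered SYNs per second the table can absorb. The sample sysctl output is constructed (the lifetimes from the thread, a dyn_max of 1000 assumed); the 20-second threshold is the ipfw default for dyn_syn_lifetime.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ipfw dynamic-rule lifetimes.
# Raising dyn_syn_lifetime (20 -> 300 in the reply above) keeps each half-open
# connection in the dynamic table for that long; the table is bounded by
# dyn_max, so the budget for unanswered SYNs shrinks accordingly.

# Constructed sample of `sysctl net.inet.ip.fw` output (dyn_max is assumed).
# On a real host pipe the real command instead:
#   sysctl net.inet.ip.fw | audit_dyn_lifetimes
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_count: 12
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1'

# get_sysctl KEY : print the value of KEY from "key: value" lines on stdin
get_sysctl() {
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# syn_capacity DYN_MAX SYN_LIFETIME : unanswered SYNs per second the dynamic
# table can hold before it is full (integer division, so a lower bound).
syn_capacity() {
    echo $(( $1 / $2 ))
}

# audit_dyn_lifetimes [MAX_SYN] : read sysctl lines on stdin, print one line
# per finding. Returns 0 when dyn_syn_lifetime <= MAX_SYN (default 20, the
# ipfw default) and 1 when it is larger.
audit_dyn_lifetimes() {
    max_syn=${1:-20}
    input=$(cat)
    syn=$(printf '%s\n' "$input" | get_sysctl net.inet.ip.fw.dyn_syn_lifetime)
    ack=$(printf '%s\n' "$input" | get_sysctl net.inet.ip.fw.dyn_ack_lifetime)
    dyn_max=$(printf '%s\n' "$input" | get_sysctl net.inet.ip.fw.dyn_max)
    keepalive=$(printf '%s\n' "$input" | get_sysctl net.inet.ip.fw.dyn_keepalive)

    echo "dyn_syn_lifetime=$syn dyn_ack_lifetime=$ack dyn_max=$dyn_max"
    echo "half-open budget: $(syn_capacity "$dyn_max" "$syn") unanswered SYN/s fill the table"
    [ "$keepalive" = 1 ] || echo "note: dyn_keepalive is off; idle established sessions expire after ${ack}s"
    if [ "$syn" -gt "$max_syn" ]; then
        echo "WARN: dyn_syn_lifetime ($syn) above $max_syn; half-open entries linger for ${syn}s"
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample (the raised syn lifetime trips
# the warning, so the pipeline's failure status is reported rather than fatal)
printf '%s\n' "$SAMPLE_SYSCTL" | audit_dyn_lifetimes || echo "audit: dynamic-rule settings need review"
```

With the thread's values the run prints a half-open budget of 3 unanswered SYNs per second against 50 at the default 20-second lifetime; dyn_max is what actually bounds the damage when the table fills (new keep-state connections are refused), so anyone raising dyn_syn_lifetime should check dyn_max and dyn_count alongside it.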
