From: Antoine Jacoutot <ajacoutot@lphp.org>
To: C_Ahlers
cc: freebsd-ipfw@freebsd.org
Date: Fri, 2 May 2003 00:30:40 +0200
Subject: RE: ipfw dynamic rule timeout --> find a solution, but need confirmation
Message-ID: <1051828240.3eb1a0107e282@webmail.lphp.org>
In-Reply-To: <000001c31015$c6c73ed0$0501a8c0@neptune>
List-Id: IPFW Technical Discussions

According to C_Ahlers:

> Here are my settings for one of my firewalls that is nearly identical to
> your situation:
> 1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
> 2) net.inet.ip.fw.dyn_syn_lifetime=20
> 3) net.inet.ip.fw.dyn_ack_lifetime=300
> 4) net.inet.ip.fw.dyn_keepalive=1
> These settings are working just fine for me.
> I am curious as to how you are determining that the dynamic rules are
> timing out prematurely.
> Remember, just because keep-alive type packets are going back and forth
> does not prevent a server application (that you are connected to) from
> using some other mechanism to decide if the client is inactive, causing
> the server to disconnect.

Yes, I understand that. Since, it is kind of annoying because every 20 seconds, I get disconnected from ssh, newsgroup, and I can't stay connected to MSN Messenger for more than those 20 seconds.

If I set net.inet.ip.fw.dyn_syn_lifetime=300, it gets reset to 300 sec, 20 seconds before the end, at the same moment net.inet.ip.fw.dyn_ack_lifetime gets reset... and everything works fine (MSN Messenger too).

My concern was about setting net.inet.ip.fw.dyn_syn_lifetime: is it insecure or so? I am not expert enough to tell if it would be a bad idea or not.

Thanks for your help.

--
Antoine Jacoutot
ajacoutot@lphp.org
http://www.lphp.org
"Unix is user friendly... It's just selective about who his friends are..."
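The question Antoine raises (whether raising net.inet.ip.fw.dyn_syn_lifetime from 20 to 300 is a bad idea) comes down to how long a dynamic rule for an unfinished TCP handshake is allowed to occupy the state table, which is bounded by net.inet.ip.fw.dyn_max. The script below is an added example written for this page, not code from the thread or from FreeBSD: it reads `sysctl`-style "name: value" (or sysctl.conf "name=value") lines and flags the trade-offs discussed above. The sysctl names are real ipfw sysctls; the warning threshold SYN_WARN, the sample dyn_max value and the two sample setting blocks are constructed for the example.

```shell
#!/bin/sh
# Audit ipfw dynamic-rule lifetimes (added example, not from the original thread).
# Feed it the output of `sysctl net.inet.ip.fw` or the relevant sysctl.conf lines.

SYN_WARN=60   # assumption: a half-open (SYN-only) state kept longer than this is flagged

# Constructed sample input mirroring C_Ahlers' settings; dyn_max is a made-up value.
SAMPLE_THREAD_SETTINGS='net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_max: 4096'

# Constructed sample input mirroring the change Antoine tried (syn lifetime = 300).
SAMPLE_PROPOSED='net.inet.ip.fw.dyn_syn_lifetime=300
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_keepalive=1
net.inet.ip.fw.dyn_max=4096'

# get_setting NAME < sysctl_output : prints the value of NAME, nothing if absent.
# Accepts both "name: value" (sysctl output) and "name=value" (sysctl.conf).
get_setting() {
    awk -v key="$1" -F '[:=] *' '$1 == key { print $2; exit }'
}

# audit_dyn_settings < sysctl_output : prints one line per finding.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_dyn_settings() {
    input=$(cat)
    syn=$(printf '%s\n' "$input" | get_setting net.inet.ip.fw.dyn_syn_lifetime)
    ack=$(printf '%s\n' "$input" | get_setting net.inet.ip.fw.dyn_ack_lifetime)
    ka=$(printf '%s\n' "$input" | get_setting net.inet.ip.fw.dyn_keepalive)
    max=$(printf '%s\n' "$input" | get_setting net.inet.ip.fw.dyn_max)
    rc=0

    # A long SYN lifetime keeps every unanswered handshake in the table for that long,
    # so the table (dyn_max entries) fills faster under a burst of connection attempts.
    if [ -n "$syn" ] && [ "$syn" -gt "$SYN_WARN" ]; then
        echo "WARN dyn_syn_lifetime=$syn: half-open entries live ${syn}s; dyn_max=${max:-?} is reached sooner under a SYN burst"
        rc=1
    fi

    # Without keepalives an idle but established session silently expires at dyn_ack_lifetime.
    if [ "$ka" = "0" ]; then
        echo "WARN dyn_keepalive=0: idle established sessions expire after dyn_ack_lifetime=${ack:-?}s"
        rc=1
    fi

    # Unfinished handshakes should not be retained as long as established sessions.
    if [ -n "$syn" ] && [ -n "$ack" ] && [ "$syn" -ge "$ack" ]; then
        echo "WARN dyn_syn_lifetime ($syn) >= dyn_ack_lifetime ($ack): unfinished handshakes kept as long as established sessions"
        rc=1
    fi
    return $rc
}

# Demonstration on the two constructed samples.
echo "== settings from the thread =="
printf '%s\n' "$SAMPLE_THREAD_SETTINGS" | audit_dyn_settings && echo "no findings"
echo "== proposed change (dyn_syn_lifetime=300) =="
printf '%s\n' "$SAMPLE_PROPOSED" | audit_dyn_settings || echo "review before deploying"
```

On a live FreeBSD host the audit is `sysctl net.inet.ip.fw | sh -c '. ./audit.sh; audit_dyn_settings'`, or simply pipe `sysctl net.inet.ip.fw` into the function. The point the warnings make is that the symptom in the thread (established sessions dying every 20 seconds) indicates the dynamic rule never leaves the SYN state, so lengthening the SYN lifetime masks the problem rather than fixing why the state does not advance.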