Date: Mon, 6 Aug 2001 17:06:00 -0600
From: Aaron D. Gifford <agifford@infowest.com>
To: freebsd-security@freebsd.org
Subject: Re: ssh keepalive and dynamic rules
Message-ID: <01080617060001.31114@eq.net>
> On 08/06/2001 at 09:28:32 Fernando Schapachnik wrote:
>
> Hello,
>     On a bridging firewall using ipfw I noticed that ssh
> connections get hung after an inactivity period.
>
>     On some tests, tcpdumping the connection between two FreeBSD
> machines, both client and server with ssh "KeepAlive yes", I don't
> see any kind of keepalive traffic.
>
>     dyn_ack timeout could be raised, but doesn't seem a proper
> solution.
>
>     Any ideas on why ssh is not sending keepalive packets?
>
>     Thanks!
>
> Fernando P. Schapachnik
> Network and technology planning
> VIA NET.WORKS ARGENTINA S.A.

<<snip>>

An alternative is to use a patch to ipfw that lets you override the
dyn_ack timeout on a per-rule basis. For example:

  ...ipfw rules here...
  ipfw add check-state
  ...ipfw rules here...
  # Give SSH TCP sessions (port 22) a 4-hour dynamic rule lifetime:
  ipfw add pass tcp from any to me 22 in setup keep-state lifetime 7200
  ...ipfw rules here...

I've posted my patch to add this functionality to ipfw to various lists
before. I also submitted it as a PR in hopes that the ipfw maintainer
would incorporate the feature into ipfw, but the maintainer (as I
understand it) doesn't think per-rule lifetime control is a valuable
feature (I believe he recommends just setting the global dyn_ack sysctl
setting large enough). If enough people actually find this feature
useful, I would hope the maintainer could be persuaded to change his
mind.

For more information, or to get a copy of the patch, check out the
following still-open PR (it contains both the patch, the maintainer's
reasoning, and my response):

  http://www.freebsd.org/cgi/query-pr.cgi?pr=28713

Or visit my personal web site where copies of the patch can be
downloaded:

  http://www.aarongifford.com/computers/ipfwpatch.html

As always, I'm interested in hearing from anyone who uses the patch.

Aaron out.
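The example below is added to this archive page by the editor; it is not code from either poster, from ipfw or from OpenSSH. It shows the timer relationship the thread is circling: OpenSSH's "KeepAlive yes" only sets SO_KEEPALIVE on the connection, so the first probe is governed by the kernel's system-wide idle timer (FreeBSD's net.inet.tcp.keepidle defaults to 7200000 ms, two hours), while an ipfw dynamic rule for an established TCP session expires after net.inet.ip.fw.dyn_ack_lifetime seconds (default 300). The defaults quoted in the code are stated as assumptions to be checked with sysctl on the box; the helper names and the 60/15/4 probe values are the example's own choices. The per-socket TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT options shown exist on Linux and on FreeBSD 9.1 and later; 2001-era FreeBSD only had the global sysctls, so there the equivalent move is to lower net.inet.tcp.keepidle or raise the rule lifetime as the post describes.

```python
"""TCP keepalive versus stateful-firewall rule lifetime.

Added example for this archive page (not from the original thread, ipfw
or OpenSSH).  Shows why an idle SSH session can hang behind an ipfw
keep-state rule and how to make keepalive probes fire inside the window.
"""
import socket

# Assumed defaults for this example; verify on the firewall with sysctl:
#   net.inet.tcp.keepidle            7200000 ms  idle time before first probe
#   net.inet.tcp.keepintvl             75000 ms  gap between probes
#   net.inet.ip.fw.dyn_ack_lifetime      300 s   idle lifetime of a dynamic
#                                                rule for an established TCP flow
DEFAULT_KEEPIDLE_S = 7200
DEFAULT_KEEPINTVL_S = 75
DEFAULT_DYN_ACK_LIFETIME_S = 300


def keepalive_holds_state(keepidle_s, dyn_ack_lifetime_s):
    """True if the first keepalive probe is sent before an idle connection's
    dynamic rule expires.  With the defaults above the probe would come two
    hours after the rule died at five minutes: tcpdump shows no keepalive
    traffic during a short test, and the session appears hung."""
    return keepidle_s < dyn_ack_lifetime_s


def read_keepalive(sock):
    """Read back the keepalive settings actually in force on a socket."""
    settings = {
        "SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    }
    # TCP_KEEPIDLE (Linux, FreeBSD >= 9.1) and TCP_KEEPALIVE (macOS) are the
    # same idle timer under different names; report whichever exists.
    for name in ("TCP_KEEPIDLE", "TCP_KEEPALIVE", "TCP_KEEPINTVL", "TCP_KEEPCNT"):
        opt = getattr(socket, name, None)
        if opt is not None:
            settings[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return settings


def enable_keepalive(sock, idle_s, intvl_s, cnt):
    """Turn on SO_KEEPALIVE (all that "KeepAlive yes" does in OpenSSH) and,
    where the platform exposes per-socket timers, shorten them so the probe
    schedule no longer depends on the system-wide sysctl."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None)
    if idle_opt is None:
        idle_opt = getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle_s)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, intvl_s)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, cnt)
    return read_keepalive(sock)


def demo_socket_settings(idle_s, intvl_s, cnt):
    """Configure a fresh (unconnected) TCP socket and return what took effect.
    Setting these options before connect() is how a client would do it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return enable_keepalive(s, idle_s, intvl_s, cnt)


def main():
    print("defaults keep the firewall state alive:",
          keepalive_holds_state(DEFAULT_KEEPIDLE_S, DEFAULT_DYN_ACK_LIFETIME_S))
    # Probe after 60 s idle, every 15 s, give up after 4 misses: comfortably
    # inside a 300 s dyn_ack_lifetime, so the rule is refreshed while idle.
    print("per-socket settings:", demo_socket_settings(60, 15, 4))
    print("60 s idle timer keeps state alive:",
          keepalive_holds_state(60, DEFAULT_DYN_ACK_LIFETIME_S))


if __name__ == "__main__":
    main()
```

Either side of the trade-off works: shorten the keepalive timer so probes refresh the dynamic rule, or lengthen the rule lifetime (globally via the sysctl, or per rule with the patch in the post) so it outlives the keepalive interval. Whichever is chosen, the check is the same: the first probe must arrive before the state entry expires.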