From owner-freebsd-security Mon Aug 6 16:06:14 2001
From: Aaron D. Gifford <agifford@infowest.com>
To: freebsd-security@freebsd.org
Subject: Re: ssh keepalive and dynamic rules
Date: Mon, 6 Aug 2001 17:06:00 -0600
Organization: InfoWest, Inc.
Message-Id: <01080617060001.31114@eq.net>

> On 08/06/2001 at 09:28:32 Fernando Schapachnik wrote:
>
> Hello,
>     On a bridging firewall using ipfw I noticed that ssh
> connections get hung after an inactivity period.
>
>     On some tests, tcpdumping the connection between two FreeBSD
> machines, both client and server with ssh "KeepAlive yes", I don't
> see any kind of keep alive traffic.
>
>     dyn_ack timeout could be raised, but doesn't seem a proper
> solution.
>
>     Any ideas on why ssh is not sending keepalive packets?
>
>     Thanks!
>
> Fernando P. Schapachnik
> Network and technology planning
> VIA NET.WORKS ARGENTINA S.A. <>

An alternative is to use a patch to ipfw that lets you override the
dyn_ack timeout on a per-rule basis. For example:

    ...ipfw rules here...
    ipfw add check-state
    ...ipfw rules here...
    # Give SSH TCP sessions (port 22) a 7200-second (2-hour) dynamic rule lifetime:
    ipfw add pass tcp from any to me 22 in setup keep-state lifetime 7200
    ...ipfw rules here...

I've posted my patch to add this functionality to ipfw to various lists
before.
I also submitted it as a PR in hopes that the ipfw maintainer would
incorporate the feature into ipfw, but the maintainer (as I understand it)
doesn't think per-rule lifetime control is a valuable feature (I believe he
recommends just setting the global dyn_ack sysctl setting large enough). If
enough people actually find this feature useful, I would hope the maintainer
could be persuaded to change his mind.

For more information, or to get a copy of the patch, check out the following
still-open PR (it contains the patch, the maintainer's reasoning, and my
response):

    http://www.freebsd.org/cgi/query-pr.cgi?pr=28713

Or visit my personal web site, where copies of the patch can be downloaded:

    http://www.aarongifford.com/computers/ipfwpatch.html

As always, I'm interested in hearing from anyone who uses the patch.

Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
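The timing problem the thread describes, worked through as an added example (this is editor-written code, not code from the original post, from ipfw, or from the PR 28713 patch). The script walks a constructed packet timeline through one ipfw dynamic rule to show why an idle ssh session hangs with the stock dyn_ack_lifetime, computes the smallest lifetime that outlives the first TCP keepalive probe, and prints the two fixes side by side: the global sysctl the maintainer recommends, and the per-rule lifetime the patch adds. It assumes FreeBSD's stock sysctl names and units (net.inet.tcp.keepidle and net.inet.tcp.keepintvl in milliseconds, net.inet.ip.fw.dyn_ack_lifetime in seconds) and falls back to their defaults when run on another system; the "lifetime" keyword in the second ruleset exists only with the patch, and the trailing deny rule is an illustrative assumption, not part of either author's ruleset.

```sh
#!/bin/sh
# Added example for the thread above; not code from the original post, from
# ipfw, or from the PR 28713 patch. Assumes FreeBSD's stock sysctl names and
# units: net.inet.tcp.keepidle / keepintvl in milliseconds (defaults 7200000
# and 75000), net.inet.ip.fw.dyn_ack_lifetime in seconds (default 300).
# The "lifetime" keyword in the second ruleset exists only with the patch.

# Why the session hangs: ssh's "KeepAlive yes" only sets SO_KEEPALIVE, and the
# kernel sends the first TCP keepalive probe after keepidle of silence (2 h by
# default), while the ipfw dynamic entry for the session is reaped after
# dyn_ack_lifetime of silence (5 min by default). The probe then matches no
# state entry, and being a bare ACK it does not match the "setup" rule either.

# Walk packet arrival times (seconds after the SYN that created the entry)
# through one dynamic rule. Each passed packet refreshes the entry; a packet
# that arrives after expiry is dropped and does not recreate the entry.
# Prints one line per packet and returns the number of dropped packets.
walk_dynamic_rule() {
    lifetime=$1; shift
    last=0; dropped=0
    for t in "$@"; do
        if [ $((t - last)) -le "$lifetime" ]; then
            echo "t=${t}s pass  (entry now expires at $((t + lifetime))s)"
            last=$t
        else
            echo "t=${t}s DROP  (entry expired at $((last + lifetime))s)"
            dropped=$((dropped + 1))
        fi
    done
    return "$dropped"
}

# Smallest dyn_ack_lifetime (seconds) that keeps the entry alive until the
# first keepalive probe, with one probe interval of margin.
# Usage: min_dyn_ack_lifetime KEEPIDLE_MS KEEPINTVL_MS
min_dyn_ack_lifetime() {
    echo $(( $1 / 1000 + $2 / 1000 ))
}

# Fix 1 (stock ipfw, what the maintainer recommends in the PR): raise the
# global timer. This lengthens state for every keep-state rule, not just ssh.
# Usage: print_sysctl_ruleset KEEPIDLE_MS KEEPINTVL_MS
print_sysctl_ruleset() {
    need=$(min_dyn_ack_lifetime "$1" "$2")
    cat <<EOF
sysctl -w net.inet.ip.fw.dyn_ack_lifetime=$need
ipfw add check-state
ipfw add pass tcp from any to me 22 in setup keep-state
ipfw add deny tcp from any to me 22 in
EOF
}

# Fix 2 (patched ipfw): keep the 300 s default for everything else and give
# only the ssh rule the long lifetime (hypothetical syntax from the patch).
print_patched_ruleset() {
    need=$(min_dyn_ack_lifetime "$1" "$2")
    cat <<EOF
ipfw add check-state
ipfw add pass tcp from any to me 22 in setup keep-state lifetime $need
ipfw add deny tcp from any to me 22 in
EOF
}

# Read the live values on a FreeBSD host; fall back to the defaults elsewhere.
keepidle_ms=$(sysctl -n net.inet.tcp.keepidle 2>/dev/null || echo 7200000)
keepintvl_ms=$(sysctl -n net.inet.tcp.keepintvl 2>/dev/null || echo 75000)
dyn_ack_s=$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime 2>/dev/null || echo 300)

# Constructed timeline: SYN at 0 s, last interactive data at 30 s, then the
# kernel's first two keepalive probes at keepidle and keepidle + keepintvl.
probe1=$(( 30 + keepidle_ms / 1000 ))
probe2=$(( probe1 + keepintvl_ms / 1000 ))
need=$(min_dyn_ack_lifetime "$keepidle_ms" "$keepintvl_ms")

echo "## dyn_ack_lifetime=${dyn_ack_s}s (current)"
walk_dynamic_rule "$dyn_ack_s" 0 30 "$probe1" "$probe2" || :
echo
echo "## dyn_ack_lifetime=${need}s"
walk_dynamic_rule "$need" 0 30 "$probe1" "$probe2" || :
echo
echo "## stock ipfw";   print_sysctl_ruleset  "$keepidle_ms" "$keepintvl_ms"
echo "## patched ipfw"; print_patched_ruleset "$keepidle_ms" "$keepintvl_ms"
```

Run it on the firewall itself to pick up the live sysctl values; with the defaults it shows both keepalive probes dropped at the 300 s lifetime and passed at 7275 s. The trade-off between the two rulesets is the one the PR argues over: the sysctl route keeps state for every keep-state rule (including short-lived ones, which enlarges the dynamic table an attacker can fill), while the per-rule route confines the long timer to port 22.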