From owner-freebsd-net@FreeBSD.ORG Sat Aug 12 01:32:58 2006
Date: Fri, 11 Aug 2006 20:33:27 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Simon Walton
Cc: freebsd-net@freebsd.org
Subject: Re: Long keepidle time
In-Reply-To: <44DD1909.40703@matteworld.com>
Message-ID: <20060811203041.E44075@odysseus.silby.com>
References: <44DD1909.40703@matteworld.com>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, 11 Aug 2006, Simon Walton wrote:

> Is there any reason why the default initial timeout for keep alive
> packets needs to be as long as two hours? This period causes the dynamic
> rules in my firewall filter to timeout.
>
> Is there a major objection to reducing the default idle time to
> say 3 to 5 minutes?
>
> Simon Walton

One reason behind a 2 hour keepalive is so that you don't have a 2 minute
network outage that causes all your connections to timeout. Of course, as
you point out, in the modern age of firewalls, more frequent keepalives
can be a good thing.

I don't foresee us changing FreeBSD's default keepalive setting, but you're
more than welcome to change the setting on your own system. Also note that
ipfw2 sends keepalive packets on its own, maybe you could switch to it
and/or add that functionality to your favorite firewall package. :)

Mike "Silby" Silbersack
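The thread's alternative to changing the system-wide default is to shorten the keepalive idle time only for the connections that must survive a stateful firewall's dynamic-rule timeout. The following is an added example, not code from this mailing-list thread or from FreeBSD: it enables keepalive on a single socket and, where the OS exposes per-socket knobs (TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT on Linux and recent FreeBSD, TCP_KEEPALIVE on macOS), lowers the idle time for that socket alone, then reads the values back so the caller can confirm the first probe will go out before an assumed firewall state timeout. The 300-second firewall timeout and the 7200-second default are constructed values for the example; the system-wide FreeBSD equivalents are the net.inet.tcp.keepidle, keepintvl and keepcnt sysctls.

```python
import socket

# Constructed values for this example. 7200 s is the two-hour keepidle default
# discussed in the thread; 300 s is an assumed stateful-firewall rule timeout.
DEFAULT_IDLE_S = 7200
FIREWALL_TIMEOUT_S = 300


def enable_keepalive(sock, idle_s, interval_s=75, count=9):
    """Turn on TCP keepalive on one socket and, where the platform allows it,
    override the system-wide idle/interval/count for this socket only.

    Returns a dict of what was actually applied, read back with getsockopt,
    so a caller never trusts a setsockopt that silently did nothing.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {
        "keepalive": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle_s": None,        # None means the system-wide default still applies
        "interval_s": None,
        "count": None,
    }

    # Linux and FreeBSD 9+ call the per-socket idle knob TCP_KEEPIDLE;
    # macOS exposes the same thing as TCP_KEEPALIVE. Older systems have neither.
    if hasattr(socket, "TCP_KEEPIDLE"):
        idle_opt = socket.TCP_KEEPIDLE
    elif hasattr(socket, "TCP_KEEPALIVE"):
        idle_opt = socket.TCP_KEEPALIVE
    else:
        idle_opt = None

    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle_s)
        applied["idle_s"] = sock.getsockopt(socket.IPPROTO_TCP, idle_opt)

    # Probe spacing and how many unanswered probes drop the connection.
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
        applied["interval_s"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
        applied["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)

    return applied


def fits_firewall(applied, fw_timeout_s, system_default_s=DEFAULT_IDLE_S):
    """True if the first keepalive probe is sent before the firewall's dynamic
    rule would expire. If the idle time could not be set per socket, the
    system-wide default is what actually governs the connection."""
    effective_idle = applied["idle_s"] if applied["idle_s"] is not None else system_default_s
    return effective_idle < fw_timeout_s


def demo(idle_s=FIREWALL_TIMEOUT_S // 2, fw_timeout_s=FIREWALL_TIMEOUT_S):
    """Configure an unconnected loopback socket and report the outcome.
    Options can be set before connect(); they stick for the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        applied = enable_keepalive(sock, idle_s=idle_s, interval_s=30, count=4)
    applied["fits_firewall"] = fits_firewall(applied, fw_timeout_s)
    return applied


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed numbers, a socket probed every 150 seconds keeps a 300-second firewall state alive, while four probes 30 seconds apart still tolerate roughly a two-minute outage before the connection is declared dead, which is the trade-off Mike describes. On a platform without the per-socket options, `idle_s` comes back `None` and `fits_firewall` reports that the two-hour default still governs the connection.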