Date:      Sun, 4 Aug 2002 01:19:00 +0000
From:      Philip Reynolds <>
Subject:   Re: timeout
Message-ID:  <>
In-Reply-To: <>; from on Sat, Aug 03, 2002 at 05:06:12PM +0200
References:  <>

eberkut <> 28 lines of wisdom included:
<snip lifetime patch>

I can't comment on this obviously.

> Also there is a type of timeout features which could be
> useful both for security or state track tuning, those similar
> to Cisco's CBAC global timeouts or the pf.conf's set timeout
> options (see
> r_c/scprt3/scdcbac.htm#xtocid27
> and pf.conf(5) readable on Specially, CBAC
> does great work against syn flood & co. Some options may
> also be useful against scan. And one can use state timeout
> to aggressively drop unresponsive/congested/slow connections.
> just a few feature suggestions ;)

Without reading the detailed description of CBAC, from what you
mention there, aren't the sysctl variables:

- net.inet.ip.fw.dyn_ack_lifetime
- net.inet.ip.fw.dyn_syn_lifetime
etc. etc.

what you're looking for?

Philip Reynolds                  | Technical Director  | RFC Networks Ltd.       | +353 (0)1 8832063
