Date:      Thu, 12 Apr 2001 10:56:38 -0600
From:      Lyndon Nerenberg <>
To:        Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: ipfw dynamic rulesets broken for me 
Message-ID:  <>
In-Reply-To: Your message of "Wed, 11 Apr 2001 23:31:16 PDT." <> 

>>>>> "Gregory" == Gregory Neil Shapiro <gshapiro@FreeBSD.ORG> writes:

    Gregory> I tried switching from using the established check to
    Gregory> keeping state and it isn't working as expected.  Dynamic
    Gregory> rules time out on open connections (e.g., ssh connections
    Gregory> that I haven't used for about 10 minutes but are still
    Gregory> open).

ipfw has insanely short timeouts for the keep-state engine.
Add this to /etc/sysctl.conf (adjusted to a suitable value
for your network):

  # TCP connections time out after eight hours.

