From owner-freebsd-ipfw Thu Apr 12 9:56:41 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from orthanc.ab.ca (orthanc.ab.ca [207.167.3.130]) by hub.freebsd.org (Postfix) with ESMTP id C3D9A37B424; Thu, 12 Apr 2001 09:56:39 -0700 (PDT) (envelope-from lyndon@orthanc.ab.ca)
Received: from orthanc.ab.ca (localhost [127.0.0.1]) by orthanc.ab.ca (8.11.2/8.11.2) with ESMTP id f3CGuci23431; Thu, 12 Apr 2001 10:56:38 -0600 (MDT) (envelope-from lyndon@orthanc.ab.ca)
Message-Id: <200104121656.f3CGuci23431@orthanc.ab.ca>
From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: Gregory Neil Shapiro
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw dynamic rulesets broken for me
In-reply-to: Your message of "Wed, 11 Apr 2001 23:31:16 PDT." <15061.19380.659608.578985@horsey.gshapiro.net>
Date: Thu, 12 Apr 2001 10:56:38 -0600
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>>>>> "Gregory" == Gregory Neil Shapiro writes:

Gregory> I tried switching from using the established check to
Gregory> keeping state and it isn't working as expected. Dynamic
Gregory> rules time out on open connections (e.g., ssh connections
Gregory> that I haven't used for about 10 minutes but are still
Gregory> open).

ipfw has insanely short timeouts for the keep-state engine. Add this to
/etc/sysctl.conf (adjusted to a suitable value for your network):

# TCP connections time out after eight hours.
net.inet.ip.fw.dyn_ack_lifetime=28800

--lyndon
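The fix above is a one-line sysctl.conf entry, but a firewall host usually has that file under configuration management, and re-appending the key on every run leaves duplicate assignments whose last value silently wins. The following shell functions, an added example that is not part of the thread or of FreeBSD itself, set the key idempotently (rewriting an existing assignment instead of appending a second one), read back the effective value the way sysctl(8) would, and check it against a minimum lifetime. The file path and sample contents are constructed for the demonstration; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): idempotent sysctl.conf editing
# for the ipfw dynamic-rule lifetime, plus a read-back check.
set -u

# ensure_sysctl FILE KEY VALUE
# Rewrites an existing "KEY=..." line in place, or appends one if absent, so
# repeated runs never leave duplicate assignments. Comments and other keys
# are left untouched.
ensure_sysctl() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    if grep -q "^[[:space:]]*${key}=" "$file" 2>/dev/null; then
        sed "s|^[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl FILE KEY
# Prints the value that would take effect: the last assignment wins,
# which is exactly why duplicate lines are a hazard worth avoiding.
get_sysctl() {
    awk -F= -v k="$2" '
        { key=$1; gsub(/[[:space:]]/, "", key); if (key == k) v=$2 }
        END { print v }' "$1"
}

# lifetime_ok FILE MIN_SECONDS
# Returns 0 when net.inet.ip.fw.dyn_ack_lifetime is configured and at least
# MIN_SECONDS, 1 otherwise. Useful as a post-deploy sanity check so idle
# sessions are not dropped by a stale or too-short value.
lifetime_ok() {
    v=$(get_sysctl "$1" net.inet.ip.fw.dyn_ack_lifetime)
    [ -n "$v" ] && [ "$v" -ge "$2" ]
}

# Stand-alone demonstration on a constructed file.
demo=$(mktemp)
printf '# constructed sample sysctl.conf\nkern.maxfiles=65536\nnet.inet.ip.fw.dyn_ack_lifetime=300\n' > "$demo"
ensure_sysctl "$demo" net.inet.ip.fw.dyn_ack_lifetime 28800
printf 'effective dyn_ack_lifetime: %s\n' "$(get_sysctl "$demo" net.inet.ip.fw.dyn_ack_lifetime)"
rm -f "$demo"
```

Because the file is only the boot-time setting, pair it with `sysctl net.inet.ip.fw.dyn_ack_lifetime` on the running system when checking a host; the functions here deliberately operate on the file so they can be run against a staged copy before it is installed.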