From: Gregory Neil Shapiro
To: Lyndon Nerenberg
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw dynamic rulesets broken for me
Date: Thu, 12 Apr 2001 10:01:44 -0700
Message-ID: <15061.57208.578708.358266@horsey.gshapiro.net>
In-Reply-To: <200104121656.f3CGuci23431@orthanc.ab.ca>

lyndon> ipfw has insanely short timeouts for the keep-state engine.

A note to the ipfw maintainers, this should work out of the box so it's less of a support hassle.

lyndon> Add this to /etc/sysctl.conf (adjusted to a suitable value
lyndon> for your network):

lyndon> # TCP connections time out after eight hours.
lyndon> net.inet.ip.fw.dyn_ack_lifetime=28800

Thanks, I'll give it a try and see if it solves all of the problems.