Date: Tue, 29 Apr 2003 06:49:23 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Antoine Jacoutot <ajacoutot@lphp.org>
Cc: Bruno Afonso <brunomiguel@dequim.ist.utl.pt>
Subject: Re: ipfw dynamic rule timeout
Message-ID: <3EAE82E3.1080704@tenebras.com>
In-Reply-To: <200304291543.47991.ajacoutot@lphp.org>
References: <200304271259.02025.ajacoutot@lphp.org> <200304290038.59573.ajacoutot@lphp.org> <3EAE56E5.50208@dequim.ist.utl.pt> <200304291543.47991.ajacoutot@lphp.org>

Antoine Jacoutot wrote:

> sysctl net.inet.ip.fw.dyn_syn_lifetime=300
> The default is 20, so it gives a little more time. But I still have problems
> from time to time (clients behind the firewall get disconnected from an
> internet news server after a while reading an article, web clients from the
> internet to the web server get disconnected while reading mail from
> webmail...).

You're diddling the wrong MIB value. dyn_syn_lifetime is for half-open
connections (three-way handshake not complete). It's dyn_ack_lifetime
that you want to set. But if the problem is lack of keepalives, you could try

net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.tcp.always_keepalive=1
net.inet.tcp.keepidle=60000
net.inet.tcp.keepintvl=60000
net.inet.tcp.keepinit=60000

and make sure the firewall keepalive options are on.
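
An added example, not part of the original message: a small sh check of whether the first TCP keepalive probe is sent before the ipfw dynamic rule for an established connection expires. It assumes net.inet.tcp.keepidle is in milliseconds and dyn_ack_lifetime in seconds; get_mib, check_keepalive and SYSCTL_DUMP are hypothetical names, and the sample dump is constructed from the values suggested above.

```sh
#!/bin/sh
# Added example: check that TCP keepalives fire before an ipfw dynamic rule expires.
# Assumed units: net.inet.tcp.keepidle in milliseconds, dyn_ack_lifetime in seconds.

# get_mib NAME: print NAME's value from $SYSCTL_DUMP ("name: value" or "name=value").
get_mib() {
    printf '%s\n' "$SYSCTL_DUMP" |
        awk -F'[:=] *' -v k="$1" '$1 == k { print $2; exit }'
}

# check_keepalive: print findings; return 0 if OK, 1 if a keepalive gap exists,
# 2 if a required value is missing from the dump.
check_keepalive() {
    ack=$(get_mib net.inet.ip.fw.dyn_ack_lifetime)
    idle_ms=$(get_mib net.inet.tcp.keepidle)
    always=$(get_mib net.inet.tcp.always_keepalive)
    if [ -z "$ack" ] || [ -z "$idle_ms" ] || [ -z "$always" ]; then
        echo "missing value in sysctl dump"
        return 2
    fi
    rc=0
    idle_s=$((idle_ms / 1000))
    if [ "$always" -ne 1 ]; then
        echo "always_keepalive=$always: sockets without SO_KEEPALIVE send no probes"
        rc=1
    fi
    if [ "$idle_s" -ge "$ack" ]; then
        echo "keepidle ${idle_s}s >= dyn_ack_lifetime ${ack}s: rule can expire first"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: first probe after ${idle_s}s, rule lives ${ack}s"
    return "$rc"
}

# Constructed sample using the values suggested in the message above.
SYSCTL_DUMP='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 60000'
check_keepalive
```

On a live host, SYSCTL_DUMP can be filled from the output of sysctl for the three MIB names instead of the constructed sample.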