From owner-freebsd-ipfw@FreeBSD.ORG  Tue Apr 29 06:49:29 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CCAA337B416
	for <freebsd-ipfw@freebsd.org>; Tue, 29 Apr 2003 06:49:29 -0700 (PDT)
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18])
	by mx1.FreeBSD.org (Postfix) with SMTP id 0DE9B43FAF
	for <freebsd-ipfw@freebsd.org>; Tue, 29 Apr 2003 06:49:25 -0700 (PDT)
	(envelope-from kudzu@tenebras.com)
Received: (qmail 60383 invoked from network); 29 Apr 2003 13:49:23 -0000
Received: from queequeg.tenebras.com (HELO tenebras.com) (192.168.188.241)
  by 0 with SMTP; 29 Apr 2003 13:49:23 -0000
Message-ID: <3EAE82E3.1080704@tenebras.com>
Date: Tue, 29 Apr 2003 06:49:23 -0700
From: Michael Sierchio <kudzu@tenebras.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3) Gecko/20030312
X-Accept-Language: en-us, en, zh-cn, zh-tw
MIME-Version: 1.0
To: Antoine Jacoutot <ajacoutot@lphp.org>
References: <200304271259.02025.ajacoutot@lphp.org>
	<200304290038.59573.ajacoutot@lphp.org> <3EAE56E5.50208@dequim.ist.utl.pt>
	<200304291543.47991.ajacoutot@lphp.org>
In-Reply-To: <200304291543.47991.ajacoutot@lphp.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-ipfw@freebsd.org
cc: Bruno Afonso <brunomiguel@dequim.ist.utl.pt>
Subject: Re: ipfw dynamic rule timeout
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2003 13:49:30 -0000

Antoine Jacoutot wrote:

> sysctl net.inet.ip.fw.dyn_syn_lifetime=300
> The default is 20, so it gives a little more time. But I still have problem 
> from time to time (clients behind the firewall get disconnected from an 
> internet news server after a while reading an article, web clients from the 
> internet to the web server get disconnected while reading mail from 
> webmail...).

You're diddling the wrong MIB value.  dyn_syn_lifetime is for
half-open connections (three-way handshake not complete).

It's dyn_ack_lifetime that you want to set.  But if the problem
is lack of keepalives, you could try

net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.tcp.always_keepalive=1
net.inet.tcp.keepidle=60000
net.inet.tcp.keepintvl=60000
net.inet.tcp.keepinit=60000

and make sure the firewall keepalive options are on.