Date:      Tue, 29 Apr 2003 16:16:52 +0200
From:      Antoine Jacoutot <ajacoutot@lphp.org>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        Bruno Afonso <brunomiguel@dequim.ist.utl.pt>
Subject:   Re: ipfw dynamic rule timeout
Message-ID:  <200304291616.52730.ajacoutot@lphp.org>
In-Reply-To: <3EAE82E3.1080704@tenebras.com>
References:  <200304271259.02025.ajacoutot@lphp.org> <200304291543.47991.ajacoutot@lphp.org> <3EAE82E3.1080704@tenebras.com>

On Tuesday 29 April 2003 15:49, Michael Sierchio wrote:
> Antoine Jacoutot wrote:
> > sysctl net.inet.ip.fw.dyn_syn_lifetime=300
> > The default is 20, so it gives a little more time. But I still have
> > problem from time to time (clients behind the firewall get disconnected
> > from an internet news server after a while reading an article, web
> > clients from the internet to the web server get disconnected while
> > reading mail from webmail...).
>
> You're diddling the wrong MIB value.  dyn_syn_lifetime is for
> half-open connections (three-way handshake not complete).
> It's dyn_ack_lifetime that you want to set.  But if the problem
> is lack of keepalives, you could try

Yes, but strangely, it works.
The dyn_ack_lifetime is at 300 by default, so I don't think I need to change 
that.
Here are the default values on my system (I didn't touch any value, and it 
looks similar to the ones you suggested except some values are even bigger):

net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.tcp.keepinit: 75000

> and make sure the firewall keepalive options are on.

You mean:
net.inet.ip.fw.dyn_keepalive: 1

Antoine
ps: do you need more information, like my IPFW ruleset or so?
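As an added illustration of the point raised in the thread (this script is not from the original exchange): a POSIX sh check that reads sysctl-style "name: value" lines and reports whether an idle, established TCP session would lose its ipfw dynamic rule before any keepalive refreshes it. The two input samples are constructed; the second one, with dyn_keepalive switched off, is a hypothetical host, not the poster's system.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether ipfw dynamic rules
# for established TCP sessions can expire before any keepalive refreshes them.
# Input is constructed sysctl(8)-style output, one "name: value" per line.

# Constructed sample mirroring the values quoted in the thread.
SAMPLE_OK='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 7200000'

# Constructed sample with ipfw keepalives switched off (hypothetical host).
SAMPLE_RISK='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 0
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 7200000'

# sysctl_value NAME INPUT: print the value recorded for NAME (empty if absent).
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# dyn_rule_status INPUT: print "ok: ..." or "risk: ..." for an idle session.
# dyn_ack_lifetime is in seconds; net.inet.tcp.keepidle is in milliseconds.
dyn_rule_status() {
    ack=$(sysctl_value net.inet.ip.fw.dyn_ack_lifetime "$1")
    fwka=$(sysctl_value net.inet.ip.fw.dyn_keepalive "$1")
    always=$(sysctl_value net.inet.tcp.always_keepalive "$1")
    idle_ms=$(sysctl_value net.inet.tcp.keepidle "$1")
    idle=$(( ${idle_ms:-0} / 1000 ))
    if [ "$fwka" = "1" ]; then
        # ipfw itself probes both ends shortly before the rule would expire.
        echo "ok: ipfw sends keepalives before the ${ack}s dynamic rule expires"
    elif [ "$always" = "1" ] && [ "$idle" -lt "${ack:-0}" ]; then
        echo "ok: TCP keepalive after ${idle}s idle refreshes the ${ack}s rule"
    else
        echo "risk: idle flow loses its dynamic rule after ${ack}s; first TCP keepalive only after ${idle}s"
    fi
}

dyn_rule_status "$SAMPLE_OK"
dyn_rule_status "$SAMPLE_RISK"
```

Run it against real output with `sysctl net.inet.ip.fw net.inet.tcp` captured into a variable in place of the constructed samples.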