From owner-freebsd-ipfw  Thu Jul 18 13:43:41 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 58A9A37B400
	for <ipfw@FreeBSD.ORG>; Thu, 18 Jul 2002 13:43:38 -0700 (PDT)
Received: from spin.web.net (spin.web.net [192.139.37.16])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F2DBF43E58
	for <ipfw@FreeBSD.ORG>; Thu, 18 Jul 2002 13:43:37 -0700 (PDT)
	(envelope-from rob@web.net)
Received: by spin.web.net (Postfix, from userid 1000)
	id 8005E12EBA3; Thu, 18 Jul 2002 16:43:28 -0400 (EDT)
Date: Thu, 18 Jul 2002 16:43:28 -0400
From: Rob Ellis <rob@web.ca>
To: net@wsf.at
Cc: Didier Rwitura <drwitura@primus.ca>, ipfw@FreeBSD.ORG
Subject: Re: disconection
Message-ID: <20020718204328.GQ40395@web.ca>
References: <005f01c22e83$e19188c0$b0120a0a@primustel.ca> <200207181841.g6IIfmY09684@www.wsf.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200207181841.g6IIfmY09684@www.wsf.at>
User-Agent: Mutt/1.3.28i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG

an alternative to ssh KeepAlive is to use protocol 2 with
ClientAliveInterval and ClientAliveCountMax set. (see
sshd man page).

- rob

> 
> Regarding your original problem, there are 3 options:
> 1) Configure ipfw to pass traffic to/from 22 without using 
> 'keep-state', replace 300 with:
> add 00200 allow tcp from 216.254.136.110 to me ssh
> add 00201 allow tcp from me 22 to 216.254.136.110
> (replace '216.254...' with 'any' if you want to connect from anywhere
> but check your version of sshd first! )
> 
> 2) increase the lifetime of the temporary rules created by 
> 'keep-state'. See 'man ipfw, search for 'SYSCTL', see
> 'net.inet.ip.fw.dyn_ack_lifetime'.
> 
> 3) Configure sshd and/or your ssh-client to use keepalives.
> 
> HTH
> 
> Thomas
> 
> P.S.: Please don't top-post, it makes it much more difficult 
> to follow the thread.
> 
> 
> 
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message