Date: Sun, 4 Aug 2002 12:13:25 +0200
From: "eberkut" <eberkut@minithins.net>
To: <freebsd-ipfw@FreeBSD.ORG>
Subject: RE: timeout
Message-ID: <NGBBKNDGKLKPMMNHJJLEIELJCAAA.eberkut@minithins.net>
In-Reply-To: <20020804011900.A1711@rfc-networks.ie>

yep, that may be useful for state table tuning against unresponsive/slow/congested connections, thank you. I suppose these sysctl variables apply to any entry in the state table, not just TCP?

btw, the set timeout options for pf are on the -current man pages. And for information, I join some configuration examples for the CBAC global timeouts.

! timeouts and thresholds
! time to wait for a connection to reach established state
ip inspect tcp synwait-time 20
! time the session will be still watched after detection of fin exchange
ip inspect tcp finwait-time 10
! TCP idle time (10min because of keepalive)
ip inspect tcp idle-time 600
! UDP idle time
ip inspect udp idle-time 60
! like fin-wait for dns name lookup
ip inspect dns-timeout 5
! half-open nb before start/stop deleting
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
! half-open nb per minute start/stop deleting
ip inspect one-minute high 200
ip inspect one-minute low 150
! half-open nb to same dest and block time (minutes)
ip inspect tcp max-incomplete host 50 block-time 15

> Without reading the detailed description of CBAC, from what you
> mention there aren't, the sysctl variables:
>
> - net.inet.ip.fw.dyn_ack_lifetime
> - net.inet.ip.fw.dyn_syn_lifetime
> etc. etc.
>
> What you're looking for?
>
> --
> Philip Reynolds | Technical Director
> philip.reynolds@rfc-networks.ie | RFC Networks Ltd.
> http://www.rfc-networks.ie | +353 (0)1 8832063

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
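Added example, not part of the original message and not taken from ipfw or Cisco documentation: a small translator that reads CBAC timeout lines like the ones posted above and emits the closest ipfw dynamic-rule lifetime sysctls. The CBAC-to-sysctl mapping is an assumption (nearest counterpart, not an exact equivalent), and the sample input is a constructed subset of the posted configuration; CBAC settings with no lifetime counterpart are reported instead of being guessed.

```python
import re

# Constructed sample: a subset of the CBAC lines from the message above.
CBAC_CONFIG = """\
! timeouts and thresholds
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 10
ip inspect tcp idle-time 600
ip inspect udp idle-time 60
ip inspect dns-timeout 5
ip inspect max-incomplete high 400
ip inspect tcp max-incomplete host 50 block-time 15
"""

# Assumed mapping: nearest ipfw dynamic-rule lifetime for each CBAC timer.
CBAC_TO_IPFW = {
    "tcp synwait-time": "net.inet.ip.fw.dyn_syn_lifetime",  # only SYN seen
    "tcp finwait-time": "net.inet.ip.fw.dyn_fin_lifetime",  # FIN exchanged
    "tcp idle-time": "net.inet.ip.fw.dyn_ack_lifetime",     # established, idle
    "udp idle-time": "net.inet.ip.fw.dyn_udp_lifetime",     # UDP pseudo-session
}

TIMER_RE = re.compile(r"ip inspect (tcp|udp) ([a-z-]+) (\d+)")


def translate(config):
    """Return (sysctl name -> seconds, CBAC lines with no lifetime counterpart)."""
    settings, unmapped = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        m = TIMER_RE.fullmatch(line)
        key = f"{m.group(1)} {m.group(2)}" if m else None
        if key in CBAC_TO_IPFW:
            settings[CBAC_TO_IPFW[key]] = int(m.group(3))
        else:
            # Half-open thresholds, per-host limits and DNS timers are
            # not per-state lifetimes, so they are listed for manual review.
            unmapped.append(line)
    return settings, unmapped


def sysctl_conf(settings):
    """Render the settings as sysctl.conf lines, sorted for stable diffs."""
    return "\n".join(f"{name}={secs}" for name, secs in sorted(settings.items()))


if __name__ == "__main__":
    settings, unmapped = translate(CBAC_CONFIG)
    print(sysctl_conf(settings))
    print("no lifetime counterpart:", *unmapped, sep="\n  ")
```
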