Date:      Thu, 12 Apr 2001 10:56:38 -0600
From:      Lyndon Nerenberg <lyndon@orthanc.ab.ca>
To:        Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: ipfw dynamic rulesets broken for me 
Message-ID:  <200104121656.f3CGuci23431@orthanc.ab.ca>
In-Reply-To: Your message of "Wed, 11 Apr 2001 23:31:16 PDT." <15061.19380.659608.578985@horsey.gshapiro.net> 

>>>>> "Gregory" == Gregory Neil Shapiro <gshapiro@FreeBSD.ORG> writes:

    Gregory> I tried switching from using the established check to
    Gregory> keeping state and it isn't working as expected.  Dynamic
    Gregory> rules time out on open connections (e.g., ssh connections
    Gregory> that I haven't used for about 10 minutes but are still
    Gregory> open).

ipfw has insanely short timeouts for the keep-state engine.
Add this to /etc/sysctl.conf (adjusted to a suitable value
for your network):

  # TCP connections time out after eight hours.
  net.inet.ip.fw.dyn_ack_lifetime=28800

--lyndon
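The tuning Lyndon recommends, turned into a small audit script. This is an added example, not code from the thread or from FreeBSD: it assumes the FreeBSD sysctl names net.inet.ip.fw.dyn_ack_lifetime, net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max, the "name: value" line form that sysctl(8) prints, and a constructed sample in which the 300-second default for dyn_ack_lifetime is an assumption. It flags both sides of the trade-off: a lifetime too short for idle-but-open TCP sessions (Gregory's symptom), and a dynamic-rule table that is close to full, which is the risk that grows once lifetimes are raised to hours.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit ipfw keep-state
# sysctls. Input is the "name: value" form FreeBSD's sysctl(8) prints.
# SAMPLE_SYSCTL is constructed; the 300 s default is an assumption.

SAMPLE_SYSCTL='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 3900'

# dyn_value NAME INPUT -> prints the value recorded for NAME in INPUT.
dyn_value() {
    printf '%s\n' "$2" | awk -v n="$1" -F': ' '$1 == n { print $2; exit }'
}

# check_ack_lifetime INPUT MIN_SECONDS
# Succeeds when established-TCP state lives at least MIN_SECONDS; otherwise
# prints the /etc/sysctl.conf line that raises it and fails.
check_ack_lifetime() {
    cur=$(dyn_value net.inet.ip.fw.dyn_ack_lifetime "$1")
    if [ -z "$cur" ]; then
        echo "dyn_ack_lifetime not found (ipfw not loaded?)" >&2
        return 2
    fi
    if [ "$cur" -lt "$2" ]; then
        echo "dyn_ack_lifetime=$cur: idle TCP sessions lose their state after ${cur}s; add"
        echo "  net.inet.ip.fw.dyn_ack_lifetime=$2"
        return 1
    fi
    return 0
}

# check_state_headroom INPUT MAX_PERCENT
# Fails when dyn_count has reached MAX_PERCENT of dyn_max. With long
# lifetimes every flow holds an entry for hours, so a full table means
# keep-state rules can no longer create state for new connections.
check_state_headroom() {
    count=$(dyn_value net.inet.ip.fw.dyn_count "$1")
    max=$(dyn_value net.inet.ip.fw.dyn_max "$1")
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 2
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge "$2" ]; then
        echo "dynamic rule table ${pct}% full ($count/$max): raise net.inet.ip.fw.dyn_max or shorten lifetimes"
        return 1
    fi
    return 0
}

# audit_ipfw_state INPUT: run both checks; succeeds only if both pass.
audit_ipfw_state() {
    rc=0
    check_ack_lifetime "$1" 28800 || rc=1
    check_state_headroom "$1" 90 || rc=1
    return $rc
}

# Stand-alone run: "--live" reads the real sysctls, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    input=$(sysctl net.inet.ip.fw 2>/dev/null)
else
    input=$SAMPLE_SYSCTL
fi
if audit_ipfw_state "$input"; then
    echo "ipfw keep-state settings: ok"
else
    echo "ipfw keep-state settings: action needed"
fi
```

Run it as `sh audit.sh --live` on the firewall itself. The two thresholds (28800 s, matching the eight-hour value above, and 90 % table occupancy) are the script's own defaults; pick the lifetime to match the longest idle session you need to survive, and size dyn_max so the longer-lived entries cannot starve new flows.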
