ipfw dynamic rule timeout --> find a solution, but need confirmation
Antoine Jacoutot
ajacoutot at lphp.org
Thu May 1 15:30:49 PDT 2003
According to C_Ahlers <freebsd at code-space.com>:
> Here are my settings for one of my firewalls that is nearly identical to
> your situation:
> 1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
> 2) net.inet.ip.fw.dyn_syn_lifetime=20
> 3) net.inet.ip.fw.dyn_ack_lifetime=300
> 4) net.inet.ip.fw.dyn_keepalive=1
> These settings are working just fine for me.
> I am curious as to how you are determining that the dynamic rules are
> timing out prematurely.
> Remember, just because keep-alive type packets are going back and forth
> does not prevent a server application (that you are connected to) from
> using some other mechanism to decide if the client is inactive, causing
> the server to disconnect.
Yes, I understand that. Still, it is kind of annoying because every 20 seconds
I get disconnected from ssh and newsgroups, and I can't stay connected to MSN
Messenger for more than those 20 seconds.
If I set net.inet.ip.fw.dyn_syn_lifetime=300, it gets reset to 300 sec, 20
seconds before the end, at the same moment net.inet.ip.fw.dyn_ack_lifetime gets
reset... and everything works fine (MSN Messenger too).
My concern was about setting net.inet.ip.fw.dyn_syn_lifetime: is it insecure or
anything? I am not expert enough to tell if it would be a bad idea or not.
Thanks for your help.
--
Antoine Jacoutot
ajacoutot at lphp.org
http://www.lphp.org
"Unix is user friendly... It's just selective about who his friends are..."
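As an added example (not from this thread or from ipfw itself): a POSIX shell helper that reads `ipfw -d list` output and reports the dynamic rules whose remaining lifetime is at or below a threshold, which is one way to check whether the rules really expire early rather than the peer dropping the session. It assumes the ipfw2 dynamic-rule line layout with a `(Ns)` expiry field and runs on a constructed sample; it also includes a small check that a proposed dyn_syn_lifetime stays below dyn_ack_lifetime, since the SYN lifetime governs rules for connections that have not yet completed the handshake.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the ipfw2 dynamic-rule
# layout: "<rule> <pkts> <bytes> (<N>s) STATE|LIMIT <proto> <src> <sport> <-> <dst> <dport>".

# Constructed sample of `ipfw -d list` output (not captured from a real box).
SAMPLE_DYN='## Dynamic rules:
00100         12       5264 (295s) STATE tcp 192.168.0.5 45000 <-> 10.0.0.1 22
00100          3        180 (17s) STATE tcp 192.168.0.5 45001 <-> 10.0.0.2 119
00100          1         60 (2s) STATE udp 192.168.0.5 53000 <-> 10.0.0.3 53'

# list_expiring THRESHOLD: read `ipfw -d list` output on stdin and print, one
# per line, the dynamic rules with THRESHOLD seconds or less of lifetime left.
list_expiring() {
    awk -v t="$1" '
        /^[0-9]+/ && match($0, /\([0-9]+s\)/) {
            secs = substr($0, RSTART + 1, RLENGTH - 3)   # strip "(" and "s)"
            if (secs + 0 <= t + 0)
                print $1, $6, secs "s", $7 ":" $8, "->", $10 ":" $11
        }'
}

# count_expiring THRESHOLD: same input, but only the number of matching rules.
count_expiring() {
    list_expiring "$1" | wc -l | tr -d ' '
}

# check_lifetimes SYN ACK: exit 0 when the SYN lifetime is shorter than the
# ACK lifetime (a rule for a half-open connection should not outlive the
# rule for an established one), non-zero otherwise.
check_lifetimes() {
    [ "$1" -lt "$2" ]
}

# Against live data:  ipfw -d list | list_expiring 20
```

Running `ipfw -d list | list_expiring 20` a few times a second before a session drops shows whether the matching rule was actually close to expiry.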