Understanding ipfw keep-state dynamic rules

Ivan Voras ivoras at fer.hr
Sun Apr 15 22:36:59 UTC 2007


Luigi Rizzo wrote:

> yes the numbers should be the expire time for the rule.

So, the total time the connection was active or the time the connection
had some traffic through it?

> ipfw has a default timeout of 300, and it only uses the
> "short" lifetimes when the remote end properly closes the
> connection with a FIN. If it doesn't, then the firewall
> cannot put a short timeout because the other endpoint
> could in principle want to send more data on the connection
> and we need to let it through.

Hmm. There are several dynamic rules with large expire times - could it
mean that a lot of clients are not properly closing the connection?

If I set net.inet.ip.fw.dyn_ack_lifetime to a small-ish value (like 15
seconds), will it interfere with long-lasting downloads or slow clients?

Would it do anything to the server application? (e.g. close its side of
the connection so the application doesn't keep the socket open for such
a long time)
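As an added example (not part of this thread), the following script counts how many dynamic rules are still sitting on a long remaining lifetime, which is the quickest way to see whether many peers never sent a FIN before lowering net.inet.ip.fw.dyn_ack_lifetime. It assumes the dynamic-rule line format printed by `ipfw -d list` (rule number, packets, bytes, `(Ns)` expire time, rule type, proto, endpoints); the sample below is constructed.

```sh
#!/bin/sh
# Audit ipfw dynamic (keep-state) rules by their remaining expire time.
# Input is the output of "ipfw -d list"; the constructed sample below
# mimics the dynamic-rule lines that command prints:
#   rulenum pkts bytes (expire) TYPE proto src sport <-> dst dport
SAMPLE='00100 allow tcp from any to me 80 keep-state
## Dynamic rules (4):
00100        5      340 (299s) STATE tcp 10.0.0.5 51234 <-> 192.0.2.10 80
00100       12     9800 (287s) STATE tcp 10.0.0.6 51235 <-> 192.0.2.10 80
00100        9     1200 (1s) STATE tcp 10.0.0.7 51236 <-> 192.0.2.10 80
00100        3      200 (15s) STATE tcp 10.0.0.8 51237 <-> 192.0.2.10 80'

# Print the dynamic-rule lines (stdin) whose remaining lifetime exceeds
# $1 seconds. Only lines with a "(Ns)" expire field followed by a dynamic
# rule type are considered; static rules and the "## Dynamic rules"
# header are skipped.
list_long_lived() {
    awk -v limit="$1" '
        match($0, /\([0-9]+s\) (STATE|LIMIT|PARENT)/) {
            secs = substr($0, RSTART + 1, RLENGTH - 1)   # "299s) STATE"
            sub(/s\).*/, "", secs)                       # -> "299"
            if (secs + 0 > limit) print
        }'
}

# Count the rules list_long_lived would print for threshold $1.
count_long_lived() {
    list_long_lived "$1" | awk 'END { print NR }'
}

# Example run against the constructed sample. On a live box, pipe
# "ipfw -d list" into the functions instead of the sample. Rules far
# above dyn_fin_lifetime but close to dyn_ack_lifetime are the ones that
# were never closed with a FIN and are idling on the long timeout.
printf '%s\n' "$SAMPLE" | count_long_lived 60
printf '%s\n' "$SAMPLE" | list_long_lived 60
```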



