ipfw dynamic rule timeout
Michael Sierchio
kudzu at tenebras.com
Tue Apr 29 06:49:30 PDT 2003
Antoine Jacoutot wrote:
> sysctl net.inet.ip.fw.dyn_syn_lifetime=300
> The default is 20, so it gives a little more time. But I still have problems
> from time to time (clients behind the firewall get disconnected from an
> internet news server after a while reading an article, web clients from the
> internet to the web server get disconnected while reading mail from
> webmail...).
You're diddling the wrong MIB value. dyn_syn_lifetime is for
half-open connections (three-way handshake not complete).
It's dyn_ack_lifetime that you want to set. But if the problem
is lack of keepalives, you could try
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.tcp.always_keepalive=1
net.inet.tcp.keepidle=60000
net.inet.tcp.keepintvl=60000
net.inet.tcp.keepinit=60000
and make sure the firewall keepalive options are on.
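As an added example (editor's code, not part of either message above and not
FreeBSD's own tooling): a small POSIX sh checker that reads sysctl(8) output in
FreeBSD's "name: value" format and flags the mismatches the reply is getting at.
The TCP keepalive tunables are in milliseconds while the ipfw dynamic-rule
lifetimes are in seconds, so the check converts before comparing: the idle time
before the first keepalive probe plus one probe interval has to fit inside
dyn_ack_lifetime, or the established-state rule expires before a keepalive can
refresh it. It also confirms always_keepalive is on and that
net.inet.ip.fw.dyn_keepalive is on, which is my reading of "the firewall
keepalive options"; the comparison of keepinit against dyn_syn_lifetime is my
own addition, not something the reply states. The two sample outputs are
constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example: sanity-check ipfw dynamic-rule lifetimes against the TCP
# keepalive tunables. Input is sysctl(8) output ("name: value" on FreeBSD;
# "name = value" is accepted too). Not from the original thread.

# Constructed sample 1: the values suggested in the reply plus dyn_keepalive on.
SAMPLE_GOOD='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 60000
net.inet.tcp.keepintvl: 60000
net.inet.tcp.keepinit: 60000'

# Constructed sample 2: a box with the stock 2-hour keepidle and no keepalives.
SAMPLE_BAD='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_keepalive: 0
net.inet.tcp.always_keepalive: 0
net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.tcp.keepinit: 75000'

# sysctl_get OUTPUT NAME -> prints the value of NAME found in OUTPUT
sysctl_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { n = $1; sub(/:$/, "", n); if (n == k) print $NF }'
}

# check_dyn_timeouts OUTPUT
# Exit status 0 if the settings are consistent, 1 if something needs tuning,
# 2 if a required sysctl is missing from the input. Findings go to stderr.
check_dyn_timeouts() {
    out=$1
    bad=0
    ack=$(sysctl_get "$out" net.inet.ip.fw.dyn_ack_lifetime)
    syn=$(sysctl_get "$out" net.inet.ip.fw.dyn_syn_lifetime)
    fwka=$(sysctl_get "$out" net.inet.ip.fw.dyn_keepalive)
    alwayska=$(sysctl_get "$out" net.inet.tcp.always_keepalive)
    keepidle=$(sysctl_get "$out" net.inet.tcp.keepidle)
    keepintvl=$(sysctl_get "$out" net.inet.tcp.keepintvl)
    keepinit=$(sysctl_get "$out" net.inet.tcp.keepinit)

    for v in "$ack" "$syn" "$fwka" "$alwayska" "$keepidle" "$keepintvl" "$keepinit"; do
        if [ -z "$v" ]; then
            echo "missing a required sysctl in input" >&2
            return 2
        fi
    done

    # TCP keepalive tunables are milliseconds; ipfw lifetimes are seconds.
    probe_s=$(( keepidle / 1000 + keepintvl / 1000 ))
    if [ "$probe_s" -ge "$ack" ]; then
        echo "keepidle+keepintvl (${probe_s}s) >= dyn_ack_lifetime (${ack}s): rule expires before keepalive" >&2
        bad=1
    fi
    if [ "$alwayska" -ne 1 ]; then
        echo "always_keepalive=0: only sockets with SO_KEEPALIVE get probed" >&2
        bad=1
    fi
    if [ "$fwka" -ne 1 ]; then
        echo "net.inet.ip.fw.dyn_keepalive=0: ipfw will not probe expiring dynamic rules" >&2
        bad=1
    fi
    # Editor's addition: a connect timeout longer than the SYN-state lifetime
    # lets a slow handshake outlive its half-open rule.
    if [ $(( keepinit / 1000 )) -gt "$syn" ]; then
        echo "keepinit ($(( keepinit / 1000 ))s) > dyn_syn_lifetime (${syn}s)" >&2
        bad=1
    fi
    return "$bad"
}

# Usage: run the checker over both constructed samples.
if check_dyn_timeouts "$SAMPLE_GOOD"; then echo "sample 1: consistent"; fi
if check_dyn_timeouts "$SAMPLE_BAD"; then echo "sample 2: consistent"; else echo "sample 2: needs tuning"; fi
```

On a live FreeBSD firewall the same function can be fed real values with
check_dyn_timeouts "$(sysctl net.inet.ip.fw net.inet.tcp)", since sysctl(8)
prints every variable under a node prefix.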