[IPFW] stateful session timeout

Roland Smith rsmith at xs4all.nl
Wed Jan 11 10:26:01 UTC 2017


On Tue, Jan 10, 2017 at 03:16:46PM +0100, Damien Fleuriot wrote:
> Hello list,

> We currently use PF on 8-STABLE and 10-STABLE boxes.
>
> I'm playing around a bit with ipfw and have not found a way to replicate
> PF's *per-rule* custom session lifetimes.
>
> Anyone's got anything on the subject ? ;)

Is this about dynamic rules? Because looking at ipfw(8) you can only set that
globally via the net.inet.ip.fw.dyn_* sysctls. From the manual:

     Dynamic rules expire after some time, which depends on the status of the
     flow and the setting of some sysctl variables.  See Section SYSCTL
     VARIABLES for more details.  For TCP sessions, dynamic rules can be
     instructed to periodically send keepalive packets to refresh the state of
     the rule when it is about to expire.

Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93  FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)


More information about the freebsd-questions mailing list