[IPFW] stateful session timeout

Roland Smith rsmith at xs4all.nl
Wed Jan 11 10:26:01 UTC 2017

On Tue, Jan 10, 2017 at 03:16:46PM +0100, Damien Fleuriot wrote:
> Hello list,

> We currently use PF on 8-STABLE and 10-STABLE boxes.
> I'm playing around a bit with ipfw and have not found a way to replicate
> PF's *per-rule* custom session lifetimes.
> Anyone's got anything on the subject ? ;)

Is this about dynamic rules? Because looking at ipfw(8) you can only set that
globally via the net.inet.ip.fw.dyn_* sysctls. From the manual:

     Dynamic rules expire after some time, which depends on the status of the
     flow and the setting of some sysctl variables.  See Section SYSCTL
     VARIABLES for more details.  For TCP sessions, dynamic rules can be
     instructed to periodically send keepalive packets to refresh the state of
     the rule when it is about to expire.

R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93  FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170111/48a68f7f/attachment-0001.sig>

More information about the freebsd-questions mailing list