Re: Unexpected keep state behaviour in ipfw

From: Peter Jeremy (peter.jeremy@alcatel.com.au)
Date: 09/17/02


Date: Wed, 18 Sep 2002 07:00:04 +1000
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: dfolkins <dfolkins@comcast.net>

On 2002-Sep-17 02:55:36 -0400, dfolkins <dfolkins@comcast.net> wrote:
>first, your "idle time" for standard tcp connections is controlled by a
>sysctl variable named net.inet.ip.fw.dyn_ack_lifetime. if it is set too
>short (default is 300 seconds, i think) you can always just reset it to a
>longer value, either from command prompt or from sysctl.conf. just set it
>to a number you think appropriate for idle established connections to
>remain active. e.g. if you want your idle ftp connections to stay alive for
>10 minutes, set that variable to 600. there are a bunch of related variables.
>to see them all just do a "sysctl -a |grep dyn".

net.inet.ip.fw.dyn_ack_lifetime is a tradeoff between keeping active
connections alive and minimising the impact of massive numbers of
dynamic rules. I also feel that 300 seconds is too short (note that
IPFilter uses 120 hours, which I think is far too long). My problem
is that the connections are being dropped after less than
net.inet.ip.fw.dyn_ack_lifetime seconds of idle time. I have tried
juggling net.inet.tcp.keepidle, net.inet.tcp.keepintvl and
net.inet.ip.fw.dyn_ack_lifetime so that the latter is longer than
the former (in ipfw) and this still didn't work. It would appear
that the dynamic rule timers are never being reset.

>as to why your ssh connection stays alive even through the night - i
>suspect that is because your ssh server on your firewall has a
>configuration setting that makes it send keep-alives, i.e. your
>clientaliveinterval in sshd_config is set to some value which is less
>than your net.inet.ip.fw.dyn_ack_lifetime value.

Nope. I'm using the default ClientAliveInterval value (ie disabled).

Based on comments in another thread here, I suspect the underlying
problem is that ipfw dynamic rules don't work with ipnat. (Though
I don't understand why - ipnat should be invisible to ipfw). My
ssh connections remain working courtesy of either normal or ipfw2
keepalives (since that connection isn't NAT'd).

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
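The thread turns on three sysctls: an ipfw keep-state rule is refreshed only by packets that match it, so a TCP keepalive can keep an idle connection's dynamic rule alive only if the first probe goes out before net.inet.ip.fw.dyn_ack_lifetime expires. The script below is an added example, not part of Peter's message or the quoted reply; it makes that arithmetic explicit and prints the sysctl commands either way (raise dyn_ack_lifetime, or shorten net.inet.tcp.keepidle). It assumes FreeBSD reports net.inet.tcp.keepidle and net.inet.tcp.keepintvl in milliseconds and dyn_ack_lifetime in seconds, and the sample values (7200000 ms keepidle, 75000 ms keepintvl, 300 s lifetime) are constructed from the defaults mentioned in the thread. Whether this timer interaction is the cause of Peter's drops is his open question (he reports that juggling these values did not help); the script only shows the check.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether TCP keepalives
# fire often enough to refresh an ipfw dynamic (keep-state) rule before
# net.inet.ip.fw.dyn_ack_lifetime expires it.
# Assumption: FreeBSD reports net.inet.tcp.keepidle / keepintvl in
# milliseconds and dyn_ack_lifetime in seconds.

# keepalive_refreshes_rule KEEPIDLE_MS KEEPINTVL_MS DYN_ACK_LIFETIME_S
# Returns 0 when the first keepalive probe (sent after keepidle of silence)
# lands inside the dynamic rule's lifetime, 1 otherwise. keepintvl only
# governs retries after an unanswered probe, so it does not enter the test;
# it is accepted so the function takes the three values the thread names.
keepalive_refreshes_rule() {
    keepidle_ms=$1
    lifetime_s=$3
    probe_s=$((keepidle_ms / 1000))
    [ "$probe_s" -lt "$lifetime_s" ]
}

# min_dyn_ack_lifetime KEEPIDLE_MS
# Smallest dyn_ack_lifetime (seconds) that outlives the first probe.
min_dyn_ack_lifetime() {
    echo $(( $1 / 1000 + 1 ))
}

# render_fix KEEPIDLE_MS DYN_ACK_LIFETIME_S
# Emits the commands for the prompt and /etc/sysctl.conf, showing both ways
# out: a longer dynamic-rule lifetime, or a shorter keepidle.
render_fix() {
    if keepalive_refreshes_rule "$1" 0 "$2"; then
        echo "# dyn_ack_lifetime=$2 already outlives keepidle; nothing to change"
        return 0
    fi
    want_s=$(min_dyn_ack_lifetime "$1")
    echo "sysctl net.inet.ip.fw.dyn_ack_lifetime=$want_s"
    echo "echo 'net.inet.ip.fw.dyn_ack_lifetime=$want_s' >> /etc/sysctl.conf"
    if [ "$2" -gt 60 ]; then
        # Alternative: probe a minute before the rule would expire.
        shorter_ms=$(( ($2 - 60) * 1000 ))
        echo "# or keep dyn_ack_lifetime=$2 and shorten keepidle instead:"
        echo "sysctl net.inet.tcp.keepidle=$shorter_ms"
    fi
}

# check_live: read the real values when run on a FreeBSD host with ipfw loaded.
# Returns 2 if sysctl or the ipfw sysctls are unavailable.
check_live() {
    command -v sysctl >/dev/null 2>&1 || { echo "sysctl not available"; return 2; }
    keepidle=$(sysctl -n net.inet.tcp.keepidle 2>/dev/null) || return 2
    keepintvl=$(sysctl -n net.inet.tcp.keepintvl 2>/dev/null) || return 2
    lifetime=$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime 2>/dev/null) || return 2
    if keepalive_refreshes_rule "$keepidle" "$keepintvl" "$lifetime"; then
        echo "ok: keepidle ${keepidle}ms < dyn_ack_lifetime ${lifetime}s"
    else
        echo "dynamic rules expire before the first keepalive:"
        render_fix "$keepidle" "$lifetime"
    fi
    # 'ipfw -d show' lists the dynamic rules with their remaining lifetime,
    # which is how to see whether a rule's timer is actually being reset.
}

# Constructed sample: default keepidle/keepintvl and the 300 s lifetime
# quoted in the thread. Pass --live to read the running system instead.
if [ "${1:-}" = "--live" ]; then
    check_live
else
    render_fix 7200000 300
fi
```

Run it with no arguments to see the commands for the sample values, or with `--live` on the firewall itself; `ipfw -d show` then confirms whether a given dynamic rule's remaining lifetime is actually being refreshed by traffic.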

