Re: Unexpected keep state behaviour in ipfw
From: Peter Jeremy (peter.jeremy@alcatel.com.au)
Date: 09/17/02
- Next message: dfolkins: "Re: Unexpected keep state behaviour in ipfw"
- Previous message: Miroslav Pendev: "Re: asmtp 587 - quickie faq submission"
- In reply to: dfolkins: "Re: Unexpected keep state behaviour in ipfw"
- Next in thread: dfolkins: "Re: Unexpected keep state behaviour in ipfw"
- Reply: dfolkins: "Re: Unexpected keep state behaviour in ipfw"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 Sep 2002 07:00:04 +1000 From: Peter Jeremy <peter.jeremy@alcatel.com.au> To: dfolkins <dfolkins@comcast.net>
On 2002-Sep-17 02:55:36 -0400, dfolkins <dfolkins@comcast.net> wrote:
>first, your "idle time" for standard tcp connections is controlled by a
>sysctl variable named net.inet.ip.fw.dyn_ack_lifetime. if it is set too
>short (default is 300 seconds, i think) you can always just reset it to a
>longer value, either from command prompt or from sysctl.conf. just set it
>to a number you think appropriate for idle established connections to
>remain
>active. e.g. if you want your idle ftp connections to stay alive for 10
>minutes, set that variable to 600. there are a bunch of related variables.
>to see them all just do a "sysctl -a |grep dyn".
net.inet.ip.fw.dyn_ack_lifetime is a tradeoff between keeping active
connections alive and minimising the impact of massive numbers of
dynamic rules. I also feel that 300 seconds is too short (note that
IPFilter uses 120 hours, which I think is far too long). My problem
is that the connections are being dropped after less than
net.inet.ip.fw.dyn_ack_lifetime seconds of idle time. I have tried
juggling net.inet.tcp.keepidle, net.inet.tcp.keepintvl and
net.inet.ip.fw.dyn_ack_lifetime so that the latter is longer than
the former (in ipfw) and this still didn't work. It would appear
that the dynamic rule timers are never being reset.
>as to why your ssh connection stays alive even through the night - i
>suspect that is because your ssh server on your firewall has a
>configuration setting that makes it send keep-alives, i.e. your
>clientaliveinterval in sshd_config is set to some value which is less
>than your net.inet.ip.fw.dyn_ack_lifetime value.
Nope. I'm using the default ClientAliveInterval value (ie disabled).
Based on comments in another thread here, I suspect the underlying
problem is that ipfw dynamic rules don't work with ipnat. (Though
I don't understand why - ipnat should be invisible to ipfw). My
ssh connectins remain working courtesy of either normal or ipfw2
keepalives (since that connection isn't NAT'd).
Peter
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: dfolkins: "Re: Unexpected keep state behaviour in ipfw"
- Previous message: Miroslav Pendev: "Re: asmtp 587 - quickie faq submission"
- In reply to: dfolkins: "Re: Unexpected keep state behaviour in ipfw"
- Next in thread: dfolkins: "Re: Unexpected keep state behaviour in ipfw"
- Reply: dfolkins: "Re: Unexpected keep state behaviour in ipfw"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
