As Larry Baird was suggesting in a private email, one way to
handle this problem would be to have the firewall issue keepalives
to refresh the state. Unfortunately the connection can be alive
without any traffic flowing, and you cannot rely on keepalives on
both sides of the connection.

On the other hand, if you look at the sysctl variables, you see that
the timeout after a FIN becomes quite short, so I think it is not
_that_ bad having much larger timeouts than the ones I set, because
a properly closed connection will still make the rule expire very quickly.

Yes, the timeouts could be made configurable on a per-rule basis,
at the price of some additional parameter in the ipfw rules.
But I am not planning such a change at the moment.


> I am having a problem with ssh sessions from my windows box to my freebsd
> box timing out after a number of idle minutes.  SecureCRT still shows a
> valid connection until I try to type some keys, and then after a minute it
> says "connection reset".  I believe I have isolated the problem to the ipfw
> firewall timing out the connection.  I am currently using dynamic rules
> such as:
> add check-state
> add reset tcp from any to {myip} established
> add reset tcp from {myip} to any established
> add allow tcp from any to {myip} ssh setup keep-state
> The sysctl variable net.inet.ip.fw.dyn_ack_lifetime seems to be responsible
> for this, but I only want to set a very large lifetime for things like
> ssh.  Is it possible to disable automatic timeouts or make long timeouts on
> a rule-by-rule basis?  Or perhaps a way to keep the dynamic rule alive as
> long as the connection is alive?
  Luigi RIZZO, [EMAIL PROTECTED]  . Dip. di Ing. dell'Informazione  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
  Mobile   +39-347-0373137
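The two points made in the reply above (an idle established flow outlives its state only if some packet refreshes it, while a FIN moves the entry to a much shorter lifetime) as a toy model of an ipfw dynamic-rule table; this is an added example, not ipfw's code, and the lifetimes, addresses and flow are constructed values rather than FreeBSD defaults.

```python
"""Toy model of ipfw dynamic-rule expiry (added example, not ipfw's code)."""
from dataclasses import dataclass

# Constructed lifetimes in seconds; the names mirror the sysctl knobs
# (dyn_syn_lifetime, dyn_ack_lifetime, dyn_fin_lifetime, dyn_rst_lifetime)
# but the numbers are assumptions for this example, not real defaults.
LIFETIMES = {"syn": 20, "ack": 300, "fin": 1, "rst": 1}


@dataclass
class DynRule:
    key: tuple          # (src, sport, dst, dport) of the tracked flow
    state: str = "syn"  # which lifetime currently applies
    expire: float = 0.0  # absolute time at which the entry is dropped


class DynTable:
    def __init__(self):
        self.rules = {}

    def packet(self, now, key, flags):
        """Return True if the packet matches/creates state, False if rejected."""
        rule = self.rules.get(key)
        if rule is None:
            if "S" not in flags:      # no state and not a setup packet
                return False
            rule = DynRule(key)
            self.rules[key] = rule
        if "R" in flags:
            rule.state = "rst"
        elif "F" in flags:            # a FIN switches to the short lifetime
            rule.state = "fin"
        elif "A" in flags and rule.state == "syn":
            rule.state = "ack"        # handshake done: long idle lifetime
        rule.expire = now + LIFETIMES[rule.state]  # every packet refreshes
        return True

    def expire(self, now):
        """Drop expired entries and return the keys still tracked."""
        self.rules = {k: r for k, r in self.rules.items() if r.expire > now}
        return set(self.rules)


def run(events, check_at):
    """Feed (time, tcp_flags) packets of one constructed ssh flow; report survival."""
    table = DynTable()
    key = ("192.0.2.10", 50000, "192.0.2.1", 22)  # constructed addresses
    for when, flags in events:
        table.packet(when, key, flags)
    return key in table.expire(check_at)


IDLE = [(0, "S"), (0.1, "SA"), (0.2, "A")]          # handshake, then silence
KEEPALIVE = IDLE + [(200, "A"), (399, "A")]          # periodic refresh traffic
CLOSED = IDLE + [(10, "FA"), (10.1, "FA")]           # properly closed with FINs
```

With the constructed 300 s ack lifetime, the idle flow is gone at 400 s, the keepalive flow survives it, and the closed flow disappears about a second after its FINs.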