At 01:16 PM 3/31/00 -0600, you wrote:
>I am having a problem with ssh sessions from my windows box to my freebsd
>box timing out after a number of idle minutes. SecureCRT still shows a
>valid connection until I try to type some keys, and then after a minute it
>says "connection reset". I believe I have isolated the problem to the ipfw
>firewall timing out the connection. I am currently using dynamic rules
>such as:
>
>add check-state
>add reset tcp from any to {myip} established
>add reset tcp from {myip} to any established
>add allow tcp from any to {myip} ssh setup keep-state
>
>The sysctl variable net.inet.ip.fw.dyn_ack_lifetime seems to be
>responsible for this, but I only want to set a very large lifetime for
>things like ssh. Is it possible to disable automatic timeouts or make
>long timeouts on a rule-by-rule basis? Or perhaps a way to keep the
>dynamic rule alive as long as the connection is alive?

I believe I may have found a solution. If I set net.inet.tcp.keepidle <
net.inet.ip.fw.dyn_ack_lifetime, this appears to work. The defaults for
these values are 2 hours and 5 minutes respectively. Would it be better to
set the keepidle to something small like 2.5 minutes or would it be better
to make the dyn_ack_lifetime big like 3 hours? Setting the keepalive small
seems the best solution, but what repercussions would there be? Why is it
two hours by default?
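
A toy model of the interaction discussed in this thread, added here as an illustration and not part of the original messages or of ipfw: it replays an idle ssh session against the four quoted rules and reports whether the next keystroke is allowed or reset. The function name `idle_session_outcome`, the use of seconds for both timers, and the assumptions that keepalives are enabled on the connection and that every probe is answered are choices of this example.

```python
# Added illustration: a toy model of the ruleset in the post, not ipfw itself.
# All times are in seconds; the function and its parameters are hypothetical.

def idle_session_outcome(keepidle, dyn_ack_lifetime, idle_until):
    """Replay an idle ssh session against the four rules quoted in the post.

    The session is set up at t=0 and the user types again at t=idle_until.
    Returns (verdict_for_the_deciding_packet, timeline_of_events).
    """
    events = [(0, "SYN matches 'allow ... ssh setup keep-state': dynamic rule created")]
    expires = dyn_ack_lifetime   # dynamic rule dies this long after the last packet
    last_packet = 0

    while True:
        probe_at = last_packet + keepidle      # next TCP keepalive probe
        if probe_at >= idle_until:
            break                              # the user types before the next probe
        if probe_at >= expires:
            events.append((expires, "dynamic rule expired, nothing refreshed it"))
            events.append((probe_at, "keepalive probe misses check-state, "
                                     "hits 'reset tcp ... established'"))
            return "reset", events
        events.append((probe_at, "keepalive probe matches check-state: lifetime renewed"))
        last_packet = probe_at
        expires = probe_at + dyn_ack_lifetime

    if idle_until >= expires:
        events.append((expires, "dynamic rule expired, nothing refreshed it"))
        events.append((idle_until, "keystroke misses check-state, "
                                   "hits 'reset tcp ... established'"))
        return "reset", events
    events.append((idle_until, "keystroke matches check-state: allowed"))
    return "allow", events


if __name__ == "__main__":
    # Constructed scenarios: the defaults named in the post (2 h / 5 min),
    # then the two candidate fixes it asks about (2.5 min keepidle, 3 h lifetime).
    for keepidle, lifetime, idle in [(7200, 300, 600), (150, 300, 600),
                                     (7200, 10800, 9000)]:
        verdict, timeline = idle_session_outcome(keepidle, lifetime, idle)
        print(f"keepidle={keepidle}s dyn_ack_lifetime={lifetime}s -> {verdict}")
        for t, what in timeline:
            print(f"  t={t:>5}s  {what}")
```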