Luigi Rizzo wrote:
> yes the numbers should be the expire time for the rule.

So, the total time the connection was active or the time the connection had some traffic through it?

> ipfw has a default timeout of 300, and then it only uses the
> "short" lifetimes when the remote end properly closes the
> connection with a FIN. If it doesn't, then the firewall
> cannot put a short timeout because the other endpoint
> could in principle want to send more data on the connection
> and we need to let it through.

Hmm. There are several dynamic rules with large expire times - could it mean that a lot of clients are not properly closing the connection?

If I set net.inet.ip.fw.dyn_ack_lifetime to a small-ish value (like 15 seconds), will it interfere with long-lasting downloads or slow clients? Would it do anything to the server application? (e.g. close its side of the connection so the application doesn't keep the socket open for such a long time)