Date: Tue, 10 Apr 2001 14:14:57 -0500
From: David Kelly <dkelly@hiwaay.net>
To: Trevin Chow <tmchow@sfu.ca>
Cc: questions@FreeBSD.ORG
Subject: Re: Firewall rules causing SSH disconnects?
Message-ID: <20010410141457.A8255@grumpy.dyndns.org>
In-Reply-To: <Pine.GSO.4.30.0104092140290.3437-100000@fraser.sfu.ca>; from tmchow@sfu.ca on Mon, Apr 09, 2001 at 09:43:01PM -0700
References: <Pine.GSO.4.30.0104092140290.3437-100000@fraser.sfu.ca>
On Mon, Apr 09, 2001 at 09:43:01PM -0700, Trevin Chow wrote:
> Hi everyone,
>
> I'm just wondering what possible firewall rules (if any) could cause
> problems with random SSH disconnections. I'm trying to troubleshoot my
> situation here, and I'm unsure if it has to do with failing routers on the
> internet somewhere, or my own configuration.
>
> The situation is basically that I'm able to connect via SSH to my box
> remotely, but I'll get disconnected after a varying amount of time.
>
> Is it possible that a firewall rule is causing this? I wouldn't think
> so... but I could be wrong. Anyone else have any ideas about this? Someone
> else mentioned to try turning "KeepAlive" to off to see what happens, but
> that didn't solve anything.

Ascend/Lucent Pipelines have a brain-dead method of pruning their connection state tables. The default is once every 24 hours, but once the max (~500) is reached it's terribly hard to get out, because it's not smart enough to delete the oldest to make room for new. And it doesn't appear to be smart enough to drop the state on close. We usually discovered this limit in 12 to 18 hours of runtime, so I set the purge at 2 hours. Works for most everyone, but if I don't keep my ssh link fairly busy the connection is dropped by the firewall.

Then again, this might have more to do with NAT in the Pipeline than the firewall, although the two are hard to tell apart. So this might be what is happening to you too if there is a Lucent SecureConnect Firewall between endpoints.

Playing with keep-state and check-state in ipfw I found the default timer values to be way too fast. Only played with it for about an hour, but observed connection states were dropped when netstat said the socket was still open, and my applications were crying because they too were upset about their connections failing. Maybe I wrote the ipfw rule(s) wrong. Used a simple "allow all outgoing tcp connection from this host to any and keep-state".
Maybe it was keeping state of "connection in progress" when I intended only the act of connecting was allowed to establish a pass rule between two hosts.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
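The ipfw behaviour described in the message above (dynamic state expiring on an idle but still-open SSH session), shown as an added example that is not part of David Kelly's mail: a stateful ruleset that only creates state on the SYN (`setup`), plus a check that the established-state lifetime `net.inet.ip.fw.dyn_ack_lifetime` (ipfw default 300 s) actually covers the longest idle period an SSH session needs to survive. It assumes FreeBSD ipfw with dynamic rules; the `SSH_IDLE_SECONDS` value and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes FreeBSD ipfw with
# dynamic rules (check-state/keep-state) and the net.inet.ip.fw.dyn_* sysctls.
# Generating the ruleset needs no privileges; applying it needs root on FreeBSD.

# Longest idle period an SSH session must survive without the firewall
# forgetting it (assumed value; the poster saw drops well before an hour).
SSH_IDLE_SECONDS=${SSH_IDLE_SECONDS:-3600}

# Stateful ruleset. "setup" limits dynamic-rule creation to the SYN of a new
# connection, so a mid-stream packet of an unknown flow never creates state;
# everything after the handshake must match the dynamic rule via check-state.
ipfw_ruleset() {
    cat <<'EOF'
add 100 check-state
add 200 allow tcp from me to any out setup keep-state
add 300 allow tcp from any to me 22 in setup keep-state
add 65000 deny ip from any to any
EOF
}

# Does an established-state lifetime (seconds) cover the idle period?
# Returns 0 (true) only when the lifetime is strictly longer than the idle time.
lifetime_ok() {
    ack_lifetime=$1
    idle=$2
    [ "$ack_lifetime" -gt "$idle" ]
}

# Lifetime to configure: the idle period plus a 300 s margin so that a session
# idle for exactly SSH_IDLE_SECONDS is not expired at the boundary.
required_ack_lifetime() {
    echo $(( $1 + 300 ))
}

# Apply the ruleset and, if needed, raise the lifetime (root, FreeBSD only).
# dyn_keepalive exists on newer ipfw only: the firewall probes idle flows
# before expiring them, which is why the sysctl error is ignored here.
apply_ipfw() {
    current=$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime)
    if ! lifetime_ok "$current" "$SSH_IDLE_SECONDS"; then
        sysctl net.inet.ip.fw.dyn_ack_lifetime="$(required_ack_lifetime "$SSH_IDLE_SECONDS")"
        sysctl net.inet.ip.fw.dyn_keepalive=1 2>/dev/null
    fi
    ipfw -q flush
    # Word splitting of $line is intended: each line is one ipfw command.
    ipfw_ruleset | while read -r line; do ipfw -q $line; done
}
```

With the default 300 s lifetime, `lifetime_ok 300 3600` fails, which is the condition under which an idle session is silently dropped; `ipfw -d list` shows the remaining lifetime of each dynamic rule and is the quickest way to confirm it on a live box.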