Date: Tue, 10 Apr 2001 13:41:03 -0700 From: Trevin Chow <tmchow@sfu.ca> To: Roger Svenning <ros@switch.no> Cc: questions@FreeBSD.ORG Subject: Re: SV: Firewall rules causing SSH disconects? Message-ID: <5.0.2.1.2.20010410133946.025ead78@popserver.sfu.ca> In-Reply-To: <E13BBFD5DA06D411ADC600508BC25BF7144270@switch01.switch.no>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Roger, There isn't a conflicting IP from what I can tell.... With the firewall cutting off idle connections -- it's possible but I dont' think it's related. The reason I say this is because after it disconnects, I can't reconnect immediately as it just refused connections... it's as if my box is dead. I have to wait a few minutes to reconnect, but then I'm in the same trouble again. At 09:19 PM 4/10/2001 +0200, Roger Svenning wrote: >Hi > >Make sure you don't have any IP address conflicts on the network, either >involving your local machine or the server. > >This is just a long shot but it happened to me some weeks ago and it took me >days to figure out as the disconnects sometimes occured just seconds after I >connected and sometimes it took several hours. > >I've also had a problem with some dedicated firewalls that disconnects idle >connections after a given amount of time. > >-Roger > > > > -----Opprinnelig melding----- > > Fra: David Kelly [mailto:dkelly@hiwaay.net] > > Sendt: 10. april 2001 21:15 > > Til: Trevin Chow > > Kopi: questions@FreeBSD.ORG > > Emne: Re: Firewall rules causing SSH disconects? > > > > > > On Mon, Apr 09, 2001 at 09:43:01PM -0700, Trevin Chow wrote: > > > Hi everyone, > > > > > > I'm just wondering what possible firewall rules (if any) could cause > > > problems with random SSH disconnections. I'm trying to > > troubleshoot my > > > situation here, and I'm unsure if it has to do with failing > > routers on the > > > internet somewhere, or my own configuration. > > > > > > The situatino is basically that I'm able to connect via SSH > > to my box > > > remotely, but I'll get disconnected after a varying amount of time. > > > > > > Is it possible that a firewall rule is causing this? I > > wouldn't think > > > so..but I could be wrong. Anyone else have any ideas about > > this? someone > > > else mentioned to try turning "KeepAlive" to off to see > > what happens, but > > > that didn't solve anything. > > > > Ascend/Lucent Pipelines have a brain dead method of pruning their > > connection state tables. The default is once every 24 hours > > but once the > > max (~500) its terribly hard to get out because its not smart > > enough to > > delete the oldest to make room for new. And it doesn't appear to be > > smart enough to drop the state on close. We usually discovered this > > limit in 12 to 18 hours of runtime so I set the purge at 2 > > hours. Works > > for most everyone but if I don't keep my ssh link fairly busy the > > connection is dropped by the firewall. > > > > Then again this might have more to do with NAT in the Pipeline than > > firewall altho the two are hard to tell apart. > > > > So this might be what is happening to you too if there is a Lucent > > SecureConnect Firewall between endpoints. > > > > Playing with keep-state and check-state in ipfw I found the default > > timer values to be way too fast. Only played with it for about an hour > > but observed connection states were dropped when netstat said > > the socket > > was still open, and my applications were crying because they too were > > upset about their connections failing. > > > > Maybe I wrote the ipfw rule(s) wrong. Used a simple "allow > > all outgoing > > tcp connection from this host to any and keep-state". Maybe it was > > keeping state of "connection in progress" when I intended only the act > > of connecting was allowed to establish a pass rule between two hosts. > > > > -- > > David Kelly N4HHE, dkelly@hiwaay.net > > ===================================================================== > > The human mind ordinarily operates at only ten percent of its > > capacity -- the rest is overhead for the operating system. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.0.2.1.2.20010410133946.025ead78>