From: Jan Bramkamp
To: freebsd-current@freebsd.org
Subject: Re: CURRENT: ipfw: problems with timeouts and worse network performance
Date: Fri, 20 May 2016 15:28:35 +0200

On 20/05/16 14:54, Vladimir Zakharov wrote:
> Hello
>
> On Fri, May 20, 2016, O. Hartmann wrote:
>> I reported earlier about broken pipes in ssh sessions to remote hosts,
>> which occur on an erratic basis. I'm investigating this problem now and
>> it seems that it is also ipfw-related, but I'm not sure. This problem
>> is present since a couple of weeks now.
>
> Maybe this could help...
>
> I've also experienced problems with broken pipes in ssh sessions some
> time ago. Setting in sysctl.conf
>
> net.inet.ip.fw.dyn_ack_lifetime=3600
>
> fixed problem for me. I didn't experiment with the value though. So,
> possibly, changing default value (300s) to 1 hour is overkill :).

By default the OpenSSH SSH client is configured to use TCP keepalives.
Those should produce enough packets at a short enough interval to keep
the dynamic IPFW state established.

Does your traffic pass through libalias?
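
A way to check the timer relationship discussed in this thread, as an added example that is not part of the original message: it compares the longest silent gap on an idle SSH session with the ipfw dynamic-state lifetime. Assumptions: the FreeBSD sysctls net.inet.tcp.keepidle (milliseconds) and net.inet.ip.fw.dyn_keepalive, the `ssh -G` output format, and the sample values, which are constructed; only client-side timers are considered.

```shell
#!/bin/sh
# Added example (not from the thread). Given `sysctl` output and `ssh -G host`
# output, report whether an idle SSH session sends a packet before ipfw's
# dynamic state for an established TCP flow (dyn_ack_lifetime) runs out.

# Constructed sample inputs; on a real host collect them with:
#   sysctl net.inet.ip.fw.dyn_ack_lifetime net.inet.ip.fw.dyn_keepalive \
#          net.inet.tcp.keepidle
#   ssh -G somehost
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1
net.inet.tcp.keepidle: 7200000'
SAMPLE_SSH='tcpkeepalive yes
serveraliveinterval 0'

# check_idle SYSCTL_TEXT SSH_G_TEXT -> prints "<verdict> gap=<s> lifetime=<s>"
check_idle() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { ssh = 1; next }                     # separator between inputs
        !ssh { sub(/:$/, "", $1); sys[$1] = $2; next }
        { opt[tolower($1)] = tolower($2) }
        END {
            life = sys["net.inet.ip.fw.dyn_ack_lifetime"] + 0
            gap = 0                                   # 0 = no keepalive at all
            if (opt["tcpkeepalive"] == "yes")         # kernel timer, milliseconds
                gap = int(sys["net.inet.tcp.keepidle"] / 1000)
            sai = opt["serveraliveinterval"] + 0      # SSH-level probe, seconds
            if (sai > 0 && (gap == 0 || sai < gap)) gap = sai
            if (gap > 0 && gap < life)
                v = "ok"                              # session refreshes the state
            else if (sys["net.inet.ip.fw.dyn_keepalive"] + 0 == 1)
                v = "relies-on-ipfw-keepalive"        # only ipfw probes refresh it
            else
                v = "state-expires"
            printf "%s gap=%d lifetime=%d\n", v, gap, life
        }'
}

check_idle "$SAMPLE_SYSCTL" "$SAMPLE_SSH"
```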