Date: Tue, 10 Apr 2001 14:06:00 -0700
From: Trevin Chow <tmchow@sfu.ca>
To: David Kelly
Cc: questions@FreeBSD.ORG
Subject: Re: Firewall rules causing SSH disconnects?
In-Reply-To: <20010410141457.A8255@grumpy.dyndns.org>

At 02:14 PM 4/10/2001 -0500, David Kelly wrote:
>Then again this might have more to do with NAT in the Pipeline than
>firewall, although the two are hard to tell apart.
>
>Playing with keep-state and check-state in ipfw I found the default
>timer values to be way too fast. Only played with it for about an hour
>but observed connection states were dropped when netstat said the socket
>was still open, and my applications were crying because they too were
>upset about their connections failing.
>
>Maybe I wrote the ipfw rule(s) wrong. Used a simple "allow all outgoing
>tcp connection from this host to any and keep-state". Maybe it was
>keeping state of "connection in progress" when I intended only the act
>of connecting was allowed to establish a pass rule between two hosts.

I've used 2 different versions of firewall rules. One was just a simple
ruleset filtering out very little, and the one I'm trying now uses some
"keep-state" rules from an article I read on BSDToday
(http://www.bsdtoday.com/2000/December/Features359.html). However, I seem
to be getting the same behaviour on both sets of rules. I'm going to try
just a completely open firewall and see if I get the same behaviour.

I guess this begs the question: What would cause a firewall to cut off
idle connections?
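As an added example (not code from the thread, and not the BSDToday ruleset), here is a stateful ipfw ruleset of the shape David describes, together with the sysctl that decides how long an idle established-TCP dynamic rule lives before the session's packets fall through to the static rules. The rule numbers, the 3600-second lifetime, the DRYRUN switch and the helper functions are my own assumptions.

```shell
#!/bin/sh
# Added example: stateful ipfw rules plus the dynamic-rule lifetime knob.
# Set DRYRUN=1 to print the commands instead of executing them.

IPFW="${IPFW:-ipfw}"

run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Seconds an established-TCP dynamic rule lives without a refreshing packet.
# FreeBSD's default is 300: an SSH session idle longer than that loses its
# entry, and its next packet is judged by the static rules below instead.
DYN_ACK_LIFETIME="${DYN_ACK_LIFETIME:-3600}"

stateful_rules() {
    run "$IPFW" -f flush
    # Packets of a session already in the dynamic table are passed here.
    run "$IPFW" add 100 check-state
    # Only the connection-opening SYN from this host creates a dynamic rule;
    # later packets of the session never match this rule itself.
    run "$IPFW" add 200 allow tcp from me to any setup keep-state
    run "$IPFW" add 300 allow udp from me to any keep-state
    run "$IPFW" add 400 allow icmp from any to any
    # A session whose dynamic rule has expired ends up here and is logged,
    # which is how you confirm the firewall (not NAT) dropped it.
    run "$IPFW" add 65000 deny log ip from any to any
}

dyn_tuning() {
    run sysctl "net.inet.ip.fw.dyn_ack_lifetime=$DYN_ACK_LIFETIME"
    # Where the kernel supports it, ipfw probes idle TCP sessions with
    # keepalives shortly before their dynamic rule would expire.
    run sysctl net.inet.ip.fw.dyn_keepalive=1
}

# Number of rules that create dynamic state; a sanity check in dry-run mode.
count_keep_state() {
    ( DRYRUN=1; stateful_rules ) | grep -c 'keep-state'
}

# Review with:  DRYRUN=1 sh this.sh apply      Apply with:  sh this.sh apply
if [ "${1:-}" = apply ]; then
    stateful_rules
    dyn_tuning
fi
```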