Date:      Fri, 21 Jun 2024 11:57:34 +0200
From:      Ralf Weber <freebsd@fl1ger.de>
To:        Jos Chrispijn <josc@cloudzeeland.nl>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: IPv6
Message-ID:  <281A2C29-5605-471D-8762-191E1BA808FD@fl1ger.de>
In-Reply-To: <38514ddc-a1f8-49c6-bcf9-c552da53e554@cloudzeeland.nl>
References:  <38514ddc-a1f8-49c6-bcf9-c552da53e554@cloudzeeland.nl>

Moin!

On 20 Jun 2024, at 19:56, Jos Chrispijn wrote:

> Running FreeBSD 13.3-RELEASE-p1
> If no data has been exchanged via a TCP connection for 15 minutes, or if no data has been exchanged via a UDP connection for 5 minutes,
> my FRITZ!Box router automatically removes the connection(s) in question from the NAT table ("NAT Timeout"). This will close all ports used by these connections and disconnect the application (read in this case: FreeBSD) from the Internet. According to the manufacturer, 'to ensure the security of devices in the router's home network and to prevent performance losses during Internet access'.

I'm a bit confused here, as for IPv6 you are not doing NAT, but the FritzBox and other home routers do have a state table for firewall connections that usually has a timeout value. I assume you mean this. In FreeBSD, if you have pf enabled, you get these values with:

	pfctl -st

In Linux (which oddly enough the FritzBox is based on) the following should help:

	sysctl -a | grep conntrack

However the FritzBox AFAIK has no option to change these values.

> This forces me into running an 'IPv6 stay alive' script every 30 minutes in order to be available for incoming IPv6 connections. Is there a way to use FreeBSD in a more smooth way to tackle this or does the manufacturer AVM need to include this functionality into their hardware?

This is a common problem with stateful firewalls and is why most applications that use long-lived connections have an in-band keep-alive mechanism. E.g. for ssh you can put the following in ~/.ssh/config:

ServerAliveInterval 60
ServerAliveCountMax 60

Which will give you an hour without typing something on your keyboard for an ssh connection.

Hopefully that helps.

So long
-Ralf
——-
Ralf Weber
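As an added example, not part of this thread, the following Python check parses `pfctl -st` output and a flat ~/.ssh/config fragment and confirms that the ssh keepalive interval is shorter than both the router's 15-minute TCP idle timeout quoted in the question and pf's own tcp.established timeout, and reports how long ssh waits before declaring the peer dead. The pfctl and ssh_config samples are constructed; the router timeout values are the ones stated in the question.

```python
import re

# Idle timeouts the question attributes to the FRITZ!Box NAT table (seconds).
ROUTER_TIMEOUTS = {"tcp": 15 * 60, "udp": 5 * 60}

# Constructed sample of `pfctl -st` output; not captured from a real host.
PFCTL_ST_SAMPLE = """\
tcp.first                   120s
tcp.established           86400s
udp.single                   30s
udp.multiple                 60s
"""

# Constructed ~/.ssh/config fragment with the settings suggested in the reply.
SSH_CONFIG_SAMPLE = """\
ServerAliveInterval 60
ServerAliveCountMax 60
"""

def parse_pf_timeouts(text):
    """Map pf timeout names such as 'tcp.established' to seconds."""
    timeouts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s+(\d+)s\s*$", line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
    return timeouts

def parse_ssh_config(text):
    """Return lower-cased option -> value for 'Key value' / 'Key=value' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, value = re.split(r"[\s=]+", line, maxsplit=1)
            opts[key.lower()] = value
    return opts

def keepalive_budget(ssh_opts, pf_timeouts, router_timeouts=ROUTER_TIMEOUTS):
    """Return (interval, seconds until ssh gives up, tightest idle limit, ok).
    ok requires keepalives enabled and firing before the router NAT timeout
    or pf's tcp.established timeout (whichever is shorter) expires the flow."""
    interval = int(ssh_opts.get("serveraliveinterval", 0))  # 0 disables keepalives
    count = int(ssh_opts.get("serveralivecountmax", 3))     # OpenSSH default is 3
    limits = [router_timeouts["tcp"]]
    if "tcp.established" in pf_timeouts:
        limits.append(pf_timeouts["tcp.established"])
    tightest = min(limits)
    return interval, interval * count, tightest, 0 < interval < tightest
```

Run on the samples, keepalive_budget reports (60, 3600, 900, True): a probe every 60 s keeps the 900 s router entry fresh, and ssh only gives up after 60 unanswered probes, i.e. one hour.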



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?281A2C29-5605-471D-8762-191E1BA808FD>