Date: 10 Apr 2001 19:48:57 -0400
From: Lowell Gilbert <lowell@world.std.com>
To: freebsd-questions@freebsd.org
Subject: Re: Firewall rules causing SSH disconnects?
Message-ID: <443dbgjoye.fsf@lowellg.ne.mediaone.net>
In-Reply-To: tmchow@sfu.ca's message of "10 Apr 2001 23:04:18 +0200"
References: <20010410141457.A8255@grumpy.dyndns.org> <5.0.2.1.2.20010410134314.02603bf8@popserver.sfu.ca>
tmchow@sfu.ca (Trevin Chow) writes:

> At 02:14 PM 4/10/2001 -0500, David Kelly wrote:
> <snip>
> >Then again this might have more to do with NAT in the Pipeline than
> >firewall although the two are hard to tell apart.
> ><snip>
> >Playing with keep-state and check-state in ipfw I found the default
> >timer values to be way too fast. Only played with it for about an hour
> >but observed connection states were dropped when netstat said the socket
> >was still open, and my applications were crying because they too were
> >upset about their connections failing.
> >
> >Maybe I wrote the ipfw rule(s) wrong. Used a simple "allow all outgoing
> >tcp connection from this host to any and keep-state". Maybe it was
> >keeping state of "connection in progress" when I intended only the act
> >of connecting was allowed to establish a pass rule between two hosts.
>
> I've used 2 different versions of firewall rules. One was just a simple
> ruleset filtering out very little, and the one I'm trying now uses some
> "keep-state" rules from an article I read on BSDToday
> (http://www.bsdtoday.com/2000/December/Features359.html). However, I seem
> to be getting the same behaviour on both sets of rules. I'm going to try
> just a completely open firewall and see if I get the same behaviour.
>
> I guess this begs the question: What would cause a firewall to cut off idle
> connections?

Well, keep-state times out after a (sysctl-controllable) period of time.
natd will also time out (after a day, by default, I think). There may be
a firewall or address translation device on the other side (or in
between) which is timing out. And plenty of other, relatively unlikely,
possibilities.

The thing to check is probably whether the connection is being shut down
by the other side (with a FIN or RST), by a lack of ACKs coming back, or
for some reason internal to your own host.
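The check Lowell suggests, whether the far end sent a FIN or RST or the connection simply went quiet, as an added example that is not part of the original thread: a Python script that classifies each connection's teardown from `tcpdump -n` output. The sample capture lines are constructed, and the addresses and ports in them are placeholders.

```python
import re
from collections import defaultdict

# Pulls endpoints and TCP flags out of a modern-format "tcpdump -n" line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def classify_teardowns(lines):
    """Map each connection (sorted endpoint pair) to how it ended."""
    rst = {}                 # connection -> endpoint that sent the first RST
    fin = defaultdict(set)   # connection -> endpoints that sent a FIN
    seen = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in a format we understand
        src = f"{m['src']}:{m['sport']}"
        dst = f"{m['dst']}:{m['dport']}"
        key = tuple(sorted((src, dst)))  # same key for both directions
        seen.add(key)
        flags = m["flags"]
        if "R" in flags and key not in rst:
            rst[key] = src
        if "F" in flags:
            fin[key].add(src)
    verdicts = {}
    for key in seen:
        if key in rst:
            verdicts[key] = f"reset by {rst[key]}"
        elif len(fin[key]) == 2:
            verdicts[key] = "closed cleanly (FIN both ways)"
        elif fin[key]:
            verdicts[key] = f"half-closed by {next(iter(fin[key]))}, no FIN back"
        else:
            verdicts[key] = "no FIN or RST seen (silently dropped or still open)"
    return verdicts

# Constructed sample: one clean close, one reset, one connection that just stops.
SAMPLE = """\
12:00:01.000000 IP 10.0.0.2.1234 > 10.0.0.1.22: Flags [P.], seq 1:33, ack 1, win 8760, length 32
12:00:01.100000 IP 10.0.0.1.22 > 10.0.0.2.1234: Flags [F.], seq 1, ack 33, win 8760, length 0
12:00:01.200000 IP 10.0.0.2.1234 > 10.0.0.1.22: Flags [F.], seq 33, ack 2, win 8760, length 0
12:00:02.000000 IP 10.0.0.2.1235 > 10.0.0.1.22: Flags [P.], seq 1:33, ack 1, win 8760, length 32
12:00:02.100000 IP 10.0.0.1.22 > 10.0.0.2.1235: Flags [R], seq 1, win 0, length 0
12:00:03.000000 IP 10.0.0.2.1236 > 10.0.0.1.22: Flags [P.], seq 1:33, ack 1, win 8760, length 32
12:00:04.000000 IP 10.0.0.2.1236 > 10.0.0.1.22: Flags [P.], seq 1:33, ack 1, win 8760, length 32
""".splitlines()

if __name__ == "__main__":
    for conn, verdict in sorted(classify_teardowns(SAMPLE).items()):
        print(f"{conn[0]} <-> {conn[1]}: {verdict}")
```

A connection that ends with a retransmitted data segment and no reply, like the third one above, is the signature of a state entry or NAT mapping having expired somewhere on the path rather than an orderly close by either host.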