From owner-freebsd-questions Tue Apr 10 16:49:01 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from be-well.ilk.org (lowellg.ne.mediaone.net [24.147.184.128]) by hub.freebsd.org (Postfix) with ESMTP id ED0B537B422 for ; Tue, 10 Apr 2001 16:48:58 -0700 (PDT) (envelope-from lowell@be-well.ilk.org)
Received: (from lowell@localhost) by be-well.ilk.org (8.11.3/8.11.3) id f3ANmvu74312; Tue, 10 Apr 2001 19:48:57 -0400 (EDT) (envelope-from lowell)
To: freebsd-questions@freebsd.org
Subject: Re: Firewall rules causing SSH disconects?
References: <20010410141457.A8255@grumpy.dyndns.org> <5.0.2.1.2.20010410134314.02603bf8@popserver.sfu.ca>
From: Lowell Gilbert
Date: 10 Apr 2001 19:48:57 -0400
In-Reply-To: tmchow@sfu.ca's message of "10 Apr 2001 23:04:18 +0200"
Message-ID: <443dbgjoye.fsf@lowellg.ne.mediaone.net>
Lines: 38
X-Mailer: Gnus v5.7/Emacs 20.7
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

tmchow@sfu.ca (Trevin Chow) writes:

> At 02:14 PM 4/10/2001 -0500, David Kelly wrote:
>
> >Then again this might have more to do with NAT in the Pipeline than
> >firewall altho the two are hard to tell apart.
> >
> >Playing with keep-state and check-state in ipfw I found the default
> >timer values to be way too fast. Only played with it for about an hour
> >but observed connection states were dropped when netstat said the socket
> >was still open, and my applications were crying because they too were
> >upset about their connections failing.
> >
> >Maybe I wrote the ipfw rule(s) wrong. Used a simple "allow all outgoing
> >tcp connection from this host to any and keep-state". Maybe it was
> >keeping state of "connection in progress" when I intended only the act
> >of connecting was allowed to establish a pass rule between two hosts.
>
> I've used 2 different versions of firewall rules. One was just a simple
> ruleset filtering out very little, and the one I'm trying now uses some
> "keep-state" rules from an article I read on BSDToday
> (http://www.bsdtoday.com/2000/December/Features359.html). However, I seem
> to be getting the same behaviour on both sets of rules. I'm going to try
> just a completely open firewall and see if I get the same behaviour.
>
> I guess this begs the question: What would cause a firewall to cut off idle
> connections?

Well, keep-state times out after a (sysctl-controllable) period of time.
natd will also time out (after a day, by default, I think).
There may be a firewall or address translation device on the other side
(or in between) which is timing out.
And plenty of other, relatively unlikely, possibilities.

The thing to check is probably whether the connection is being shut down
by the other side (with a FIN or RST), by a lack of ACKs coming back, or
for some reason internal to your own host.
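The reply above says what to check but not how. Below is an added example, not code from the thread or from FreeBSD, that does the triage over a tcpdump capture of the SSH session: it parses both the 4.x-era tcpdump line format and the modern "Flags [..]" format, reports whether the session ended with a RST or FIN (and from which side), or whether the local host kept sending data that was never acknowledged (the silent-drop signature of an expired keep-state or NAT entry), and measures the longest idle gap so it can be compared against the firewall's dynamic-rule lifetime (on FreeBSD ipfw the relevant sysctl is net.inet.ip.fw.dyn_ack_lifetime, which the page does not name; the threshold value of 300 s here is an assumption). The two captures are constructed samples, not real traffic.

```python
import re

# Matches one tcpdump TCP line in either the old "P 1:49(48) ack 1 ..." form
# or the modern "Flags [P.], seq 1:49, ..., length 48" form (constructed regex).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?:IP\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?:Flags\s+\[(?P<new>[^\]]*)\]|(?P<old>[SFRP.]+))(?P<rest>.*)$"
)

# Constructed sample 1: idle for ~16 minutes, then the next keystroke is
# answered with a RST from the remote side (old tcpdump format).
SAMPLE_RESET = """\
19:48:57.100000 10.0.0.5.54321 > 192.0.2.10.22: P 1:49(48) ack 1 win 16384 (DF)
19:48:57.150000 192.0.2.10.22 > 10.0.0.5.54321: . ack 49 win 17520 (DF)
20:05:01.000000 10.0.0.5.54321 > 192.0.2.10.22: P 49:97(48) ack 1 win 16384 (DF)
20:05:01.040000 192.0.2.10.22 > 10.0.0.5.54321: R 1:1(0) ack 97 win 0
"""

# Constructed sample 2: idle for ~21 minutes, then the local host retransmits
# the same segment three times and nothing ever comes back (modern format).
SAMPLE_SILENT = """\
19:48:57.100000 IP 10.0.0.5.54321 > 192.0.2.10.22: Flags [P.], seq 1:49, ack 1, win 16384, length 48
19:48:57.150000 IP 192.0.2.10.22 > 10.0.0.5.54321: Flags [.], ack 49, win 17520, length 0
20:10:00.000000 IP 10.0.0.5.54321 > 192.0.2.10.22: Flags [P.], seq 49:97, ack 1, win 16384, length 48
20:10:01.000000 IP 10.0.0.5.54321 > 192.0.2.10.22: Flags [P.], seq 49:97, ack 1, win 16384, length 48
20:10:03.000000 IP 10.0.0.5.54321 > 192.0.2.10.22: Flags [P.], seq 49:97, ack 1, win 16384, length 48
"""


def parse_line(line):
    """Return a packet dict (ts in seconds, src, dst, flags, payload len) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    flags = m.group("new") if m.group("new") is not None else m.group("old")
    rest = m.group("rest")
    lm = re.search(r"\((\d+)\)", rest) or re.search(r"length (\d+)", rest)
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "flags": flags.replace(".", ""),  # '.' only marks the ACK bit
            "len": int(lm.group(1)) if lm else 0}


def host_of(endpoint):
    """'10.0.0.5.54321' -> '10.0.0.5' (strip the trailing port)."""
    return endpoint.rsplit(".", 1)[0]


def classify(lines, local_host, idle_threshold=300.0):
    """Decide how the session ended, per the checks suggested in the reply."""
    pkts = [p for p in map(parse_line, lines) if p]
    if not pkts:
        return {"verdict": "no-packets", "by": None, "idle": 0.0}
    pkts.sort(key=lambda p: p["ts"])
    idle = max((b["ts"] - a["ts"] for a, b in zip(pkts, pkts[1:])), default=0.0)

    def side(p):
        return "local" if host_of(p["src"]) == local_host else "remote"

    result = {"by": None, "idle": idle}
    if idle > idle_threshold:
        result["hint"] = ("idle gap of %.0fs exceeds %.0fs; compare with the firewall "
                          "dynamic-rule lifetime (ipfw: net.inet.ip.fw.dyn_ack_lifetime)"
                          % (idle, idle_threshold))
    # An explicit teardown: RST wins over FIN because it tells you who gave up.
    for p in pkts:
        if "R" in p["flags"]:
            return dict(result, verdict="reset", by=side(p))
    for p in pkts:
        if "F" in p["flags"]:
            return dict(result, verdict="fin", by=side(p))
    # No teardown at all: local data after the last remote packet means the
    # ACKs stopped coming back, i.e. the path silently dropped the flow.
    last_remote = max((p["ts"] for p in pkts if side(p) == "remote"), default=None)
    unanswered = [p for p in pkts if side(p) == "local" and p["len"] > 0
                  and (last_remote is None or p["ts"] > last_remote)]
    if unanswered:
        return dict(result, verdict="silent-drop", unanswered=len(unanswered))
    return dict(result, verdict="open")


if __name__ == "__main__":
    for name, sample in (("reset", SAMPLE_RESET), ("silent", SAMPLE_SILENT)):
        print(name, classify(sample.splitlines(), "10.0.0.5"))
```

A RST from the remote right after a long gap usually means the far end (or a NAT/firewall in front of it) no longer had state for the flow; a silent drop with only local retransmissions in the trace points at state expiring on the local firewall or natd, so the idle gap is the number to compare against the lifetime sysctl.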