From: Ian <freebsd@damnhippie.dyndns.org>
To: Rolandas Naujikas, freebsd-stable@freebsd.org
Date: Sat, 12 Jan 2002 11:07:07 -0700
Subject: Re: tcp keepalive and dynamic ipfw rules
In-Reply-To: <20020112123054.A20486@localhost>

> From: Rolandas Naujikas
>
> I have set up a dynamic firewall for my personal computer with these rules
>
>     ipfw add check-state
>     ipfw add deny tcp from any to any established
>     ipfw add pass tcp from me to any setup keep-state
>
> from the ipfw(8) manual on "FreeBSD 4.5-RC".
>
> I found a problem with ftp: when a download takes longer than 5 minutes, the
> ftp client stalls after the download. I don't see the dynamic rule allowing
> the tcp control connection anymore. net.inet.tcp.always_keepalive=1.
>
> Rolandas
>
> P.S. I'm sorry for my English.

I remember having this same problem when I used dynamic rules. The design of
dynamic rules seems to be such that they're mainly useful for things like web
servers that have many short-lived connections.
Eventually I ended up hacking ipfw to make dynamic rules work differently, and
at one time I planned to get those changes submitted back for everyone, but
recently I changed my mind. I just keep thinking "There has to be a better way
to do all of this; hacking an already iffy hack isn't the way." So I quit using
dynamic rules completely.

However, more directly addressing your question... I believe the way I worked
around that problem was with

    sysctl -w net.inet.ip.fw.dyn_ack_lifetime=7210

The idea is to make a dynamic rule allowing an established connection live
longer than the default keepalive timing of 7200 seconds. This worked back in
the FreeBSD 4.1 days; I haven't tested it recently.

--
Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
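The timer interaction the thread describes, as an added model that is not part of either message: a dynamic rule for the idle FTP control connection dies once nothing has matched it for dyn_ack_lifetime seconds, and a TCP keepalive probe can only refresh it if the rule is still alive when the probe arrives. It assumes ipfw's default dyn_ack_lifetime of 300 seconds (the "5 minutes" in the report), a keepalive idle time of 7200 seconds, and that each probe is answered so the idle clock restarts; the keepalive retransmit interval is ignored.

```python
# Constructed model of ipfw dynamic-rule expiry versus TCP keepalive on an
# otherwise silent FTP control connection. Timer values are assumptions,
# not read from a live system.

IPFW_DYN_ACK_LIFETIME_DEFAULT = 300   # seconds; net.inet.ip.fw.dyn_ack_lifetime
TCP_KEEPIDLE = 7200                   # seconds idle before the first keepalive probe


def keepalive_times(idle_seconds, keepidle, always_keepalive):
    """Times (since the last command) at which a keepalive probe, and the
    peer's answering ACK, cross the firewall during a silent control session."""
    if not always_keepalive:
        return []                       # no keepalive: nothing is ever sent
    return list(range(keepidle, idle_seconds + 1, keepidle))


def control_rule_alive(idle_seconds, dyn_ack_lifetime,
                       keepidle=TCP_KEEPIDLE, always_keepalive=True):
    """True if the dynamic rule for the control connection still exists when
    the client sends its next command, idle_seconds after the previous one.

    A probe that arrives after the rule has expired is dropped by the
    'deny tcp from any to any established' rule, so it cannot revive it.
    """
    last_packet = 0
    for t in keepalive_times(idle_seconds, keepidle, always_keepalive):
        if t - last_packet >= dyn_ack_lifetime:
            return False                # rule already gone when the probe arrives
        last_packet = t                 # probe matched and restarted the clock
    return idle_seconds - last_packet < dyn_ack_lifetime


if __name__ == "__main__":
    scenarios = [
        ("4 min download, default lifetime", 240, IPFW_DYN_ACK_LIFETIME_DEFAULT, True),
        ("6 min download, default lifetime", 360, IPFW_DYN_ACK_LIFETIME_DEFAULT, True),
        ("5 h download, lifetime 7200", 18000, 7200, True),
        ("5 h download, lifetime 7210", 18000, 7210, True),
        ("5 h download, lifetime 7210, keepalive off", 18000, 7210, False),
    ]
    for label, idle, lifetime, ka in scenarios:
        state = "control connection ok" if control_rule_alive(idle, lifetime, always_keepalive=ka) else "stall"
        print(f"{label}: {state}")
```

The 7200 case shows why the workaround needs the extra margin: a probe that arrives exactly as the rule expires is too late.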