Date:      Sat, 12 Jan 2002 11:07:07 -0700
From:      Ian <freebsd@damnhippie.dyndns.org>
To:        Rolandas Naujikas <rolnauj@delfi.lt>, <stable@freebsd.org>
Subject:   Re: tcp keepalive and dynamic ipfw rules
Message-ID:  <B865C95B.911F%freebsd@damnhippie.dyndns.org>
In-Reply-To: <20020112123054.A20486@localhost>



> From: Rolandas Naujikas <rolnauj@delfi.lt>
> 
> I have set up a dynamic firewall for my personal computer with these rules
> 
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add pass tcp from me to any setup keep-state
> 
> from ipfw(8) manual on "FreeBSD 4.5-RC".
> 
> I found a problem with ftp: when a download lasts longer than 5 minutes, then after
> the download the ftp client stalls. I don't see the dynamic rule allowing the tcp
> control connection any more. net.inet.tcp.always_keepalive=1.
> 
> Rolandas
> 
> P.S. I'm sorry for my English.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
> 

I remember having this same problem when I used dynamic rules.  The design
of dynamic rules seems to be such that they're mainly useful for things like
web servers that have many short-lived connections.  Eventually I ended up
hacking ipfw to make dynamic rules work differently, and at one time I
planned to get those changes submitted back for everyone, but recently I
changed my mind.  I just keep thinking "There has to be a better way to do
all of this; hacking an already iffy hack isn't the way."  So I quit using
dynamic rules completely.

However, more directly addressing your question... I believe the way I
worked around that problem was with

    sysctl -w net.inet.ip.fw.dyn_ack_lifetime=7210

The idea is to make a dynamic rule allowing an established connection live
longer than the default keepalive timing of 7200 seconds.  This worked back
in the FreeBSD 4.1 days; I haven't tested it recently.

-- Ian
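
An added example, not part of either message in this thread: a small POSIX shell script that makes the check behind Ian's workaround explicit. It assumes the FreeBSD sysctl names net.inet.tcp.keepidle (milliseconds of idle time before the first keepalive probe, default 7200000) and net.inet.ip.fw.dyn_ack_lifetime (seconds an established-connection dynamic rule lives without seeing traffic); when those sysctls are not readable it falls back to constructed defaults (7200000 ms and 300 s) so it can be run anywhere. The failure mode it guards against is the one Rolandas describes: during a long FTP transfer the control connection carries no data, so only keepalive probes can refresh its dynamic rule. If the rule expires before the first probe is sent, the "deny tcp from any to any established" rule silently drops the control connection's next segment and the client appears to hang. The 10-second margin in recommended_lifetime mirrors the 7210 value from the thread and is an assumption, not a documented requirement.

```shell
#!/bin/sh
# Added example (not from the thread): verify that ipfw's lifetime for
# established-connection dynamic rules outlasts the TCP keepalive idle
# period, so keepalive probes can refresh the rule before it expires.
# Assumed sysctl names (FreeBSD): net.inet.tcp.keepidle is in ms,
# net.inet.ip.fw.dyn_ack_lifetime is in seconds.

# keepalive_idle_seconds KEEPIDLE_MS
#   Seconds an idle connection sits before the first keepalive probe.
keepalive_idle_seconds() {
    echo $(( $1 / 1000 ))
}

# lifetime_covers_keepalive DYN_ACK_LIFETIME_S KEEPIDLE_MS
#   Returns 0 when the dynamic rule still exists at the moment the first
#   keepalive probe is sent (so the probe refreshes it), 1 otherwise.
lifetime_covers_keepalive() {
    lifetime=$1
    needed=$(keepalive_idle_seconds "$2")
    [ "$lifetime" -gt "$needed" ]
}

# recommended_lifetime KEEPIDLE_MS
#   Keepalive idle time plus a 10 s margin (assumed; matches the thread's 7210).
recommended_lifetime() {
    echo $(( $(keepalive_idle_seconds "$1") + 10 ))
}

# ruleset LIFETIME_S
#   Print the commands to apply: the sysctl first, then the thread's rules.
#   This only prints; it never executes ipfw or sysctl.
ruleset() {
    cat <<EOF
sysctl -w net.inet.ip.fw.dyn_ack_lifetime=$1
ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add pass tcp from me to any setup keep-state
EOF
}

# Read live values where possible; otherwise use constructed defaults
# (7200000 ms keepalive idle, 300 s dynamic-rule lifetime).
keepidle=$(sysctl -n net.inet.tcp.keepidle 2>/dev/null || echo 7200000)
lifetime=$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime 2>/dev/null || echo 300)

if lifetime_covers_keepalive "$lifetime" "$keepidle"; then
    echo "dyn_ack_lifetime=${lifetime}s outlasts keepalive idle ($(keepalive_idle_seconds "$keepidle")s): OK"
else
    echo "dyn_ack_lifetime=${lifetime}s expires before the first keepalive probe; suggested:"
    ruleset "$(recommended_lifetime "$keepidle")"
fi
```

Run it as root on the firewall host to compare the live values; on any other system it reports against the fallback defaults. Note that the check only holds if net.inet.tcp.always_keepalive=1 (or the application sets SO_KEEPALIVE), since without probes nothing refreshes an idle control connection's rule however long the lifetime is.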
