From: "Aaron D. Gifford"
Reply-To: agifford@infowest.com
To: ipfw@freebsd.org
Subject: keep-state lifetime patches - now for IPFW2
Date: Mon, 5 Aug 2002 10:12:13 -0600
Organization: InfoWest, Inc.
Message-Id: <200208051012.13680.agifford@infowest.com>

Hello,

Just a little note to let anyone interested know I've got the keep-state "lifetime" patch set ported to IPFW2 for FreeBSD 4.6-STABLE.

With IPFW2, a major reason to use the patch set is greatly diminished by Luigi Rizzo's excellent automatic TCP keepalive feature. The patches remain useful for tighter control over non-TCP traffic, or for cases where one still wants finer-grained dynamic rule expiration control, even with keepalives.

The patch set for IPFW2 is definitely experimental, as is IPFW2 in 4.6-STABLE. Read Luigi's post for information about IPFW2 and how to use it in 4.6-STABLE. I'm using it for my home computer network (with my patches applied) and really appreciate Luigi's work.

The patch set can be had at:

http://www.aarongifford.com/computers/ipfwpatch.html

Thanks, Luigi Rizzo, for your excellent IPFW2 addition to FreeBSD, and for bringing it to -STABLE!

An IPFW2 gotcha: For anyone using IPFW2 with a complex ruleset like me, you will need to be aware that IPFW2's dynamic TCP rule keepalive packets originate from the loopback "lo0" interface, so make sure your ruleset allows these packets to pass. Most rule sets probably won't have to worry about this at all.

If you get Aaron out.