From owner-freebsd-ipfw Wed Dec 25 21:06:21 2002
Delivered-To: freebsd-ipfw@freebsd.org
Date: Thu, 26 Dec 2002 00:06:09 -0500
From: Ilya
To: ipfw
Subject: keepalive incoming does not keep connection alive
Message-ID: <20021226050609.GA88329@krel.org>
Reply-To: mail@krel.org
User-Agent: Mutt/1.5.1i

Hi.

I am running 4.7-STABLE with ipfw2. Outgoing traffic from the LAN is NATed and works flawlessly. However, for incoming traffic (ssh especially is the one which gives me problems), the incoming dynamic rule times out after 300 sec and, even though I have keepalive set to 1, the rule does not refresh. I can increase net.inet.ip.fw.dyn_syn_lifetime to 3000 and have it time out in 10 min, but it's not really a solution.

I saw a patch by Aaron, but he mentions that his patch is now pretty much obsolete because of keepalive. I've seen multiple reports on Google about the same behaviour, but never a solution to it.
Below are the relevant rules and sysctls:

net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 200
net.inet.ip.fw.dyn_buckets: 4096
net.inet.ip.fw.curr_dyn_buckets: 4096
net.inet.ip.fw.dyn_count: 11
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 21
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 3000
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 300
net.inet.ip.fw.dyn_short_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1

/etc/sysctl.conf:

vfs.vmiodirenable=1
kern.ipc.maxsockbuf=2097152
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.maxsockets=16424
net.inet.ip.fw.dyn_buckets=2048
net.inet.ip.fw.dyn_max=4096
net.inet.ip.fw.dyn_syn_lifetime=3000
net.inet.ip.fw.dyn_udp_lifetime=300
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_short_lifetime=300

ipfw add allow tcp from any to $ip 22 setup keep-state via $inter

The rule is created successfully and everything runs excellently until the connection is left unattended.

If you have any suggestion on debugging the keepalive, or making it work, please let me know.

Thank you

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message