From owner-freebsd-net@FreeBSD.ORG Sat Aug 12 14:23:28 2006
Date: Sat, 12 Aug 2006 15:23:27 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Mike Silbersack
Cc: freebsd-net@freebsd.org, Simon Walton
Subject: Re: Long keepidle time
In-Reply-To: <20060811203041.E44075@odysseus.silby.com>
Message-ID: <20060812152246.F45647@fledge.watson.org>
References: <44DD1909.40703@matteworld.com> <20060811203041.E44075@odysseus.silby.com>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, 11 Aug 2006, Mike Silbersack wrote:

> On Fri, 11 Aug 2006, Simon Walton wrote:
>
>> Is there any reason why the default initial timeout for keep alive packets
>> needs to be as long as two hours? This period causes the dynamic rules in
>> my firewall filter to time out.
>>
>> Is there a major objection to reducing the default idle time to say 3 to 5
>> minutes?
>
> One reason behind a 2 hour keepalive is so that you don't have a 2 minute
> network outage that causes all your connections to time out.
>
> Of course, as you point out, in the modern age of firewalls, more frequent
> keepalives can be a good thing.
>
> I don't foresee us changing FreeBSD's default keepalive setting, but you're
> more than welcome to change the setting on your own system.
>
> Also note that ipfw2 sends keepalive packets on its own, maybe you could
> switch to it and/or add that functionality to your favorite firewall
> package. :)

FWIW, I believe pf also does this. We've run into some MAC Framework
problems because firewalls generate keepalive packets in both pf and ipfw,
since we don't know how to label these packets.

Robert N M Watson
Computer Laboratory
University of Cambridge
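As an added illustration, not part of the thread above: rather than lowering the system-wide default Mike refers to (on FreeBSD that is the net.inet.tcp.keepidle sysctl, whose default is the two hours Simon complains about), an application whose connections traverse a stateful firewall can shorten the keepalive idle time on just its own sockets. The C below enables SO_KEEPALIVE and sets the per-socket TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT options, then reads them back so the effective values can be checked. These options exist on Linux and on current FreeBSD; the 2006 system in the thread had only the sysctl. The struct and function names are this example's own, and the 300 s / 60 s / 5 probe values are constructed sample settings, chosen so the first probe goes out well inside a typical firewall state timeout.

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Per-socket keepalive parameters, all in seconds except the probe count. */
struct keepalive_cfg {
    int idle_s;   /* idle time before the first probe (TCP_KEEPIDLE)      */
    int intvl_s;  /* gap between unanswered probes   (TCP_KEEPINTVL)      */
    int cnt;      /* unanswered probes before the peer is declared dead   */
};

/* Enable keepalives on fd and apply cfg. Returns 0, or -1 with errno set. */
int set_tcp_keepalive(int fd, const struct keepalive_cfg *cfg)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &cfg->idle_s, sizeof cfg->idle_s) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &cfg->intvl_s, sizeof cfg->intvl_s) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cfg->cnt, sizeof cfg->cnt) < 0)
        return -1;
    return 0;
}

/* Read the effective values back from the kernel so a caller can verify them. */
int get_tcp_keepalive(int fd, struct keepalive_cfg *out)
{
    socklen_t len;
    len = sizeof out->idle_s;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &out->idle_s, &len) < 0)
        return -1;
    len = sizeof out->intvl_s;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &out->intvl_s, &len) < 0)
        return -1;
    len = sizeof out->cnt;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &out->cnt, &len) < 0)
        return -1;
    return 0;
}

/* Worst-case seconds of silence before an unreachable peer is torn down:
 * the idle period plus cnt unanswered probes spaced intvl apart. */
int keepalive_dead_after_s(int idle_s, int intvl_s, int cnt)
{
    return idle_s + intvl_s * cnt;
}

/* Open an (unconnected) TCP socket, apply the settings, and return 1 if the
 * kernel reports exactly the requested values, 0 if they differ, -1 on error. */
int demo_check(int idle_s, int intvl_s, int cnt)
{
    struct keepalive_cfg want = { idle_s, intvl_s, cnt };
    struct keepalive_cfg got = { 0, 0, 0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = set_tcp_keepalive(fd, &want);
    if (rc == 0)
        rc = get_tcp_keepalive(fd, &got);
    close(fd);
    if (rc < 0)
        return -1;
    return got.idle_s == want.idle_s && got.intvl_s == want.intvl_s && got.cnt == want.cnt;
}

int main(void)
{
    /* Constructed sample: first probe after 5 minutes, then every 60 s, 5 times. */
    int ok = demo_check(300, 60, 5);
    if (ok != 1) {
        perror("keepalive setup");
        return 1;
    }
    printf("keepalive applied; dead peer detected after at most %d s\n",
           keepalive_dead_after_s(300, 60, 5));
    return 0;
}
```

The per-socket route keeps the system default untouched for everything else, so the trade-off Mike describes (a short outage tearing down every connection on the host) is confined to the one service that needs to keep firewall state alive. Note that with the FreeBSD defaults of 7200 s idle and 75 s between probes, a dead peer is not detected for well over two hours, which is the behaviour Simon's firewall rules were timing out against.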