From: "eberkut"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Subject: RE: timeout
Date: Sun, 4 Aug 2002 12:13:25 +0200
In-Reply-To: <20020804011900.A1711@rfc-networks.ie>

yep, that may be useful for state table tuning against unresponsive/slow/congested connections, thank you. I suppose these sysctl variables apply to any entry in the state table, not just TCP?

btw, the set timeout options for pf are on the -current man pages.

And for information, I join some configuration examples for the CBAC global timeouts.

! timeouts and thresholds
! time to wait for a connection to reach established state
ip inspect tcp synwait-time 20
! time the session will be still watched after detection of fin exchange
ip inspect tcp finwait-time 10
! TCP idle time (10min because of keepalive)
ip inspect tcp idle-time 600
! UDP idle time
ip inspect udp idle-time 60
! like fin-wait for dns name lookup
ip inspect dns-timeout 5
! half-open nb before start/stop deleting
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
! half-open nb per minute start/stop deleting
ip inspect one-minute high 200
ip inspect one-minute low 150
! half-open nb to same dest and block time (minutes)
ip inspect tcp max-incomplete host 50 block-time 15

> Without reading the detailed description of CBAC, from what you
> mention there aren't, the sysctl variables:
>
> - net.inet.ip.fw.dyn_ack_lifetime
> - net.inet.ip.fw.dyn_syn_lifetime
> etc. etc.
>
> What you're looking for?
>
> --
> Philip Reynolds | Technical Director
> philip.reynolds@rfc-networks.ie | RFC Networks Ltd.
> http://www.rfc-networks.ie | +353 (0)1 8832063
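
Added example, not part of the original message: a rough translation of the CBAC timers above into the ipfw dynamic-rule lifetime sysctls raised in the quoted reply. The pairing of each CBAC timer with a sysctl is an assumption (the two state machines are not identical), and dyn_fin_lifetime and dyn_udp_lifetime are ipfw sysctls that the thread itself does not name.

```python
import re

# CBAC timer -> ipfw dynamic-rule lifetime sysctl.
# Assumed, approximate correspondence; not taken from the thread.
CBAC_TO_IPFW = {
    "tcp synwait-time": "net.inet.ip.fw.dyn_syn_lifetime",
    "tcp finwait-time": "net.inet.ip.fw.dyn_fin_lifetime",
    "tcp idle-time": "net.inet.ip.fw.dyn_ack_lifetime",
    "udp idle-time": "net.inet.ip.fw.dyn_udp_lifetime",
}

# CBAC commands from the message above (the two "low" thresholds omitted).
CBAC_CONFIG = """\
! timeouts and thresholds
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 10
ip inspect tcp idle-time 600
ip inspect udp idle-time 60
ip inspect dns-timeout 5
ip inspect max-incomplete high 400
ip inspect one-minute high 200
ip inspect tcp max-incomplete host 50 block-time 15
"""

# "ip inspect <keyword(s)> <number> [trailing options]"
LINE_RE = re.compile(r"^ip inspect (?P<key>\D+?) (?P<value>\d+)(?P<rest> .*)?$")


def translate(config):
    """Return (sysctl_lines, unmapped) for a block of 'ip inspect' commands."""
    sysctls, unmapped = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # IOS comment or blank line
        m = LINE_RE.match(line)
        key = m.group("key") if m else None
        if key in CBAC_TO_IPFW and not m.group("rest"):
            sysctls.append(f"{CBAC_TO_IPFW[key]}={m.group('value')}")
        else:
            # Half-open thresholds, block time and the DNS timer are not
            # per-state lifetimes, so they are reported instead of guessed at.
            unmapped.append(line)
    return sysctls, unmapped


if __name__ == "__main__":
    lines, skipped = translate(CBAC_CONFIG)
    print("\n".join(lines))
    for s in skipped:
        print("# no ipfw lifetime equivalent:", s)
```

The sysctl lines it prints are in /etc/sysctl.conf form; the commands it reports as unmapped are the half-open thresholds and DNS timer, which the lifetime sysctls do not cover.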