From owner-freebsd-isdn Wed May 30 3:24:15 2001
Delivered-To: freebsd-isdn@freebsd.org
Received: from arg1.demon.co.uk (arg1.demon.co.uk [194.222.34.166]) by hub.freebsd.org (Postfix) with ESMTP id 7CC2637B424 for ; Wed, 30 May 2001 03:24:12 -0700 (PDT) (envelope-from arg@arg1.demon.co.uk)
Received: by arg1.demon.co.uk (Postfix, from userid 300) id E69BA9B03; Wed, 30 May 2001 11:24:10 +0100 (BST)
Received: from localhost (localhost [127.0.0.1]) by arg1.demon.co.uk (Postfix) with ESMTP id DF00B5D1C; Wed, 30 May 2001 11:24:10 +0100 (BST)
Date: Wed, 30 May 2001 11:24:10 +0100 (BST)
From: Andrew Gordon
To: Harry Kroonen
Subject: Re: (newbie) Idletime disconnect
In-Reply-To: <3B14BEF6.5005.29BE979@localhost>
Message-ID: <20010530111759.M92263-100000@server.arg.sj.co.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isdn@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 30 May 2001, Harry Kroonen wrote:

> I'm running (kernel) i4b on a FreeBSD gateway for my LAN, only using
> dialup, with IPFilter for the firewall/NAT stuff.
>
> Incoming packets that are blocked by IPFilter do reset the idletime
> disconnect counter, so when a random host on the internet keeps on trying
> to connect to my system, disconnect doesn't happen for _quite_a_while_,
> driving up my phonebill unnecessarily.
>
> I guess the way to handle this is to put some counter on the firewall traffic,
> and use that to decide on disconnecting, and not use the idletime counter.

One option is to use /usr/sbin/ppp rather than the built-in i4bisppp (or
ipr, whichever you are using now). /usr/sbin/ppp has its own firewall
features, and in particular has separate filters for which packets are
allowed to cause a connection to be dialled, and which packets cause the
connection to be kept alive (ie. reset the timeout).
You can still use ipf or ipfw for your main firewall: just leave the "in"
and "out" filters on ppp wide open, and set the "dial" and "alive" filters
to suit your purposes.

I have used this in the past to allow sensible use of ntpd with a
dial-on-demand link: the ntp packets are allowed through the firewall, but
blocked from the dial/alive filters, so ntpd won't keep the connection
dialled up all day, but whenever I happen to be online for other purposes
the ntp packets can then get through and keep the clocks up to date.
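The set-up described in the reply above, written out as a ppp.conf profile. This is an added example, not part of the original mail: the profile name "isdn", the 120-second timeout and the link settings are assumptions; the filter syntax is that of /usr/sbin/ppp's "set filter" command.

```conf
# /etc/ppp/ppp.conf -- constructed example, not from the original mail.
# Profile name "isdn" and the timeout value are assumptions.
isdn:
 set timeout 120                   # idle seconds before ppp hangs up

 # "in"/"out" filters: leave wide open; ipf/ipfw does the real firewalling.
 # A filter with no rules passes everything; these rules just make that explicit.
 set filter in  0 permit 0/0 0/0
 set filter out 0 permit 0/0 0/0

 # "dial" filter: which packets may bring the link up.
 # NTP (udp port 123) must never trigger a dial; anything else may.
 set filter dial 0 deny udp src eq 123
 set filter dial 1 deny udp dst eq 123
 set filter dial 2 permit 0/0 0/0

 # "alive" filter: which packets reset the idle timer.
 # NTP traffic passes (the in/out filters allow it) but does not keep the
 # link up. Once a filter has any rules its default becomes deny, so the
 # trailing permit is required or nothing will keep the link alive.
 set filter alive 0 deny udp src eq 123
 set filter alive 1 deny udp dst eq 123
 set filter alive 2 permit 0/0 0/0
```

Any traffic class that should pass while the link is up but should neither dial nor hold it open gets the same pair of deny rules in "dial" and "alive" while staying out of "in"/"out".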