From owner-freebsd-isdn  Wed May 30  3:24:15 2001
Delivered-To: freebsd-isdn@freebsd.org
Received: from arg1.demon.co.uk (arg1.demon.co.uk [194.222.34.166])
	by hub.freebsd.org (Postfix) with ESMTP id 7CC2637B424
	for <freebsd-isdn@FreeBSD.ORG>; Wed, 30 May 2001 03:24:12 -0700 (PDT)
	(envelope-from arg@arg1.demon.co.uk)
Received: by arg1.demon.co.uk (Postfix, from userid 300)
	id E69BA9B03; Wed, 30 May 2001 11:24:10 +0100 (BST)
Received: from localhost (localhost [127.0.0.1])
	by arg1.demon.co.uk (Postfix) with ESMTP
	id DF00B5D1C; Wed, 30 May 2001 11:24:10 +0100 (BST)
Date: Wed, 30 May 2001 11:24:10 +0100 (BST)
From: Andrew Gordon <arg@arg1.demon.co.uk>
X-X-Sender:  <arg@server.arg.sj.co.uk>
To: Harry Kroonen <h.kroonen@brinktech.nl>
Cc: <freebsd-isdn@FreeBSD.ORG>
Subject: Re: (newbie) Idletime disconnect 
In-Reply-To: <3B14BEF6.5005.29BE979@localhost>
Message-ID: <20010530111759.M92263-100000@server.arg.sj.co.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isdn@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-isdn.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-isdn>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-isdn>
X-Loop: FreeBSD.org

On Wed, 30 May 2001, Harry Kroonen wrote:
>
> I'm running (kernel) i4b on a FreeBSD gateway for my LAN, only using
> dialup, with IPFilter for the firewall/NAT stuff.
>
> Incoming packets that are blocked by IPFilter do reset the idletime
> disconnect counter, so when a random host on the internet keeps on trying
> to connect to my system, disconnect doesn't happen for _quite_a_while_,
> driving up my phonebill unneccessarily.
>
> I guess the way to handle this is to put some counter on the firewall traffic,
> and use that to decide on disconnecting, and not use the idletime counter.

One option is to use /usr/sbin/ppp rather than the built-in i4bisppp (or
ipr, whichever you are using now).  /usr/sbin/ppp has its own firewall
features, and in particular has separate filters for which packets are
allowed to cause a connection to be dialled, and which packets cause the
connection to be kept alive (ie. reset the timeout).

You can still use ipf or ipfw for your main firewall: just leave the "in"
and "out" filters on ppp wide open, and set the "dial" and "alive" filters
to suit your purposes.

I have used this in the past to allow sensible use of ntpd with a
dial-on-demand link: the ntp packets are allowed through the firewall, but
blocked from the dial/alive filters, so ntpd won't keep the connection
dialled up all day, but whenever I happen to be online for other purposes
the ntp packets can then get through and keep the clocks up to date.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isdn" in the body of the message