Date: Fri, 2 Nov 2001 00:16:39 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: freebsd-questions@FreeBSD.ORG, ru@FreeBSD.ORG
Subject: Re: Protocol-specific dynamic IPFW rule lifetimes?
Message-ID: <20011102001639.J4360@blossom.cjclark.org>
In-Reply-To: <76269.1004616875@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Thu, Nov 01, 2001 at 02:14:35PM +0200
References: <76018.1004615366@axl.seasidesoftware.co.za> <76269.1004616875@axl.seasidesoftware.co.za>

On Thu, Nov 01, 2001 at 02:14:35PM +0200, Sheldon Hearn wrote:
>
>
> On Thu, 01 Nov 2001 13:49:26 +0200, Sheldon Hearn wrote:
>
> > > I'm happy with the defaults for HTTP, SMTP and others. However, I'd
> > > like the dynamic rules used to service SSH, pcAnywhere and Microsoft
> > > Terminal Services to live _much_ longer.
> >
> > Just before people shoot the question down, I _do_ know about OpenSSH's
> > ClientAliveInterval and ClientAliveCountMax.
>
> Also, I've noticed that my SSH sessions time out after just 20 seconds
> of inactivity. How come they're not triggering fw.dyn_ack_lifetime,
> which is the default 300? Here are the relevant rules:
>
> add fwd 216.123.49.33 tcp from 216.123.49.36 22 to any established
> ...
> add allow tcp from any to 216.123.49.32/28 22 setup keep-state

If the first rule is hit before you through your dynamic rules, the
dynamic rules never see the packets.

As for changing the lifetime, patches are at the site in the sig.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
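
The rule-ordering point in the reply above, as a simplified first-match model added here for illustration (it is not code from the thread or from ipfw). The client address, the rule labels and the `run` function are assumptions; 20 is the default of the sysctl `net.inet.ip.fw.dyn_syn_lifetime`, which applies until the dynamic rule has seen a SYN in both directions.

```python
# Simplified model of ipfw first-match evaluation (constructed example).
SYN, ACK = 0x02, 0x10
DYN_SYN_LIFETIME = 20    # default net.inet.ip.fw.dyn_syn_lifetime
DYN_ACK_LIFETIME = 300   # default net.inet.ip.fw.dyn_ack_lifetime
SERVER = ("216.123.49.36", 22)   # host behind the fwd rule in the thread
CLIENT = ("192.0.2.10", 40000)   # constructed client endpoint

# Constructed flow: handshake, then one data exchange.
PACKETS = [
    (CLIENT, SERVER, SYN),
    (SERVER, CLIENT, SYN | ACK),
    (CLIENT, SERVER, ACK),
    (SERVER, CLIENT, ACK),
    (CLIENT, SERVER, ACK),
]

POSTED = ["fwd-established", "keep-state"]                    # order in the post
REORDERED = ["check-state", "fwd-established", "keep-state"]  # state lookup first

def run(ruleset, packets):
    """Return the lifetime last assigned to the flow's dynamic rule."""
    state = None      # TCP flags seen per direction once the rule exists
    lifetime = None
    for src, dst, flags in packets:
        for rule in ruleset:
            # The dynamic table is consulted only when evaluation reaches
            # a check-state or keep-state rule.
            if rule in ("check-state", "keep-state") and state is not None:
                state["fwd" if dst == SERVER else "rev"] |= flags
                both_syn = state["fwd"] & SYN and state["rev"] & SYN
                lifetime = DYN_ACK_LIFETIME if both_syn else DYN_SYN_LIFETIME
                break
            # "established" is modelled as "ACK bit set".
            if rule == "fwd-established" and src == SERVER and flags & ACK:
                break  # static rule wins; the dynamic rule never sees the reply
            if rule == "keep-state" and dst == SERVER and flags == SYN:
                state = {"fwd": SYN, "rev": 0}   # "setup keep-state" creates state
                lifetime = DYN_SYN_LIFETIME
                break
    return lifetime

if __name__ == "__main__":
    print("posted order:", run(POSTED, PACKETS))        # 20
    print("check-state first:", run(REORDERED, PACKETS))  # 300
```

In the reordered set the reply packets match the dynamic rule and take the `allow` action of the keep-state rule that created it, so they are no longer handled by the `fwd` rule.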