From owner-freebsd-questions Fri Nov 2 0:17:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from falcon.prod.itd.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id C9E8537B405; Fri, 2 Nov 2001 00:17:10 -0800 (PST)
Received: from dialup-209.247.138.228.dial1.sanjose1.level3.net ([209.247.138.228] helo=blossom.cjclark.org) by falcon.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 15zZVl-0004u7-00; Fri, 02 Nov 2001 00:17:10 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fA28Ge607075; Fri, 2 Nov 2001 00:16:40 -0800 (PST) (envelope-from cjc)
Date: Fri, 2 Nov 2001 00:16:39 -0800
From: "Crist J. Clark"
To: Sheldon Hearn
Cc: freebsd-questions@FreeBSD.ORG, ru@FreeBSD.ORG
Subject: Re: Protocol-specific dynamic IPFW rule lifetimes?
Message-ID: <20011102001639.J4360@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <76018.1004615366@axl.seasidesoftware.co.za> <76269.1004616875@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <76269.1004616875@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Thu, Nov 01, 2001 at 02:14:35PM +0200
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Nov 01, 2001 at 02:14:35PM +0200, Sheldon Hearn wrote:
>
> On Thu, 01 Nov 2001 13:49:26 +0200, Sheldon Hearn wrote:
>
> > I'm happy with the defaults for HTTP, SMTP and others. However, I'd
> > like the dynamic rules used to service SSH, pcAnywhere and Microsoft
> > Terminal Services to live _much_ longer.
> >
> > Just before people shoot the question down, I _do_ know about OpenSSH's
> > ClientAliveInterval and ClientAliveCountMax.
>
> Also, I've noticed that my SSH sessions time out after just 20 seconds
> of inactivity. How come they're not triggering fw.dyn_ack_lifetime,
> which is the default 300? Here are the relevant rules:
>
> add fwd 216.123.49.33 tcp from 216.123.49.36 22 to any established
> ...
> add allow tcp from any to 216.123.49.32/28 22 setup keep-state

If the first rule is hit before you go through your dynamic rules, the
dynamic rules never see the packets.

As for changing the lifetime, patches are at the site in the sig.

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org