Date: Mon, 16 Apr 2007 00:07:35 +0200
From: Ivan Voras <ivoras@fer.hr>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Understanding ipfw keep-state dynamic rules
Message-ID: <4622A227.9090003@fer.hr>
In-Reply-To: <20070415145621.B39338@xorpc.icir.org>
References: <evu1b2$c29$1@sea.gmane.org> <20070415145621.B39338@xorpc.icir.org>

Luigi Rizzo wrote:

> yes the numbers should be the expire time for the rule.

So, the total time the connection was active or the time the connection had some traffic through it?

> ipfw has a default timeout of 300, and then it only uses the
> "short" lifetimes when the remote end properly closes the
> connection with a FIN. If it doesn't, then the firewall
> cannot put a short timeout because the other endpoint
> could in principle want to send more data on the connection
> and we need to let it through.

Hmm. There are several dynamic rules with large expire times - could it mean that a lot of clients are not properly closing the connection?

If I set net.inet.ip.fw.dyn_ack_lifetime to a small-ish value (like 15 seconds), will it interfere with long-lasting downloads or slow clients? Would it do anything to the server application? (e.g. close its side of the connection so the application doesn't keep the socket open for such a long time)