From owner-freebsd-net@FreeBSD.ORG Sun Apr 15 22:36:58 2007
From: Ivan Voras
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Date: Mon, 16 Apr 2007 00:07:35 +0200
Message-ID: <4622A227.9090003@fer.hr>
In-Reply-To: <20070415145621.B39338@xorpc.icir.org>
Subject: Re: Understanding ipfw keep-state dynamic rules
List-Id: Networking and TCP/IP with FreeBSD
Luigi Rizzo wrote:
> yes the numbers should be the expire time for the rule.

So, the total time the connection was active or the time the connection had some traffic through it?

> ipfw has a default timeout of 300, and then it only uses the
> "short" lifetimes when the remote end properly closes the
> connection with a FIN. If it doesn't, then the firewall
> cannot put a short timeout because the other endpoint
> could in principle want to send more data on the connection
> and we need to let it through.

Hmm. There are several dynamic rules with large expire times - could it mean that a lot of clients are not properly closing the connection?

If I set net.inet.ip.fw.dyn_ack_lifetime to a small-ish value (like 15 seconds), will it interfere with long-lasting downloads or slow clients? Would it do anything to the server application? (e.g. close its side of the connection so the application doesn't keep the socket open for such a long time)
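As an added illustration of the behaviour Luigi describes (not code from this thread nor from ipfw itself), the following simplified Python model recomputes a keep-state rule's expire time on every matching packet, picking the lifetime from the SYN/FIN/RST flags seen in each direction; the lifetime values are assumed to be the FreeBSD defaults of the net.inet.ip.fw.dyn_{syn,ack,fin,rst}_lifetime sysctls, and the packet traces are constructed.

```python
"""Simplified model (added example, not ipfw's code) of how a keep-state
dynamic rule's expire time is refreshed: expire = time of the last matching
packet + a lifetime chosen from the SYN/FIN/RST state of both directions.
Lifetimes assumed to be the FreeBSD defaults of the dyn_*_lifetime sysctls."""

TH_FIN, TH_SYN, TH_RST = 0x01, 0x02, 0x04
BOTH_SYN = TH_SYN | (TH_SYN << 8)   # SYN seen from both ends
BOTH_FIN = TH_FIN | (TH_FIN << 8)   # FIN seen from both ends
DEFAULT_LIFETIMES = {"syn": 20, "ack": 300, "fin": 1, "rst": 1}


class DynRule:
    def __init__(self, lifetimes=DEFAULT_LIFETIMES):
        self.lifetimes = lifetimes
        self.state = 0       # forward flags in low byte, reverse flags shifted by 8
        self.expire = None   # absolute time at which the rule is dropped

    def update(self, now, flags, forward=True):
        """Account for one packet at time `now`; return the lifetime class
        applied, or None if the rule had already expired (packet unmatched)."""
        if self.expire is not None and now > self.expire:
            return None
        bits = flags & (TH_FIN | TH_SYN | TH_RST)
        self.state |= bits if forward else bits << 8
        if self.state == TH_SYN:                      # opening, no reply yet
            cls = "syn"
        elif self.state in (BOTH_SYN, BOTH_SYN | TH_FIN, BOTH_SYN | TH_FIN << 8):
            cls = "ack"                               # established or half-closed
        elif self.state == BOTH_SYN | BOTH_FIN:       # both ends sent FIN
            cls = "fin"
        else:                                         # RST or unexpected flags
            cls = "rst"
        self.expire = now + self.lifetimes[cls]       # refreshed on every packet
        return cls


def replay(packets, lifetimes=DEFAULT_LIFETIMES):
    """packets: list of (time, tcp_flags, forward). Returns (classes, expire)."""
    rule = DynRule(lifetimes)
    classes = [rule.update(t, f, fwd) for t, f, fwd in packets]
    return classes, rule.expire


# Constructed traces: a clean close gets the short FIN lifetime; a client that
# sends its FIN but never receives one back keeps the long ACK lifetime, which
# is why such rules show large expire times in 'ipfw -d list'.
CLEAN_CLOSE = [(0, TH_SYN, True), (1, TH_SYN, False), (2, 0, True),
               (60, TH_FIN, True), (61, TH_FIN, False)]
HALF_CLOSED = [(0, TH_SYN, True), (1, TH_SYN, False), (2, 0, True),
               (50, TH_FIN, True)]
```

Replaying HALF_CLOSED with `{"ack": 15, ...}` and then a packet at t=30 returns None for that packet: with a short dyn_ack_lifetime an idle but open connection loses its rule, the next packet is no longer matched, and the server application is not told anything.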