From owner-freebsd-net@FreeBSD.ORG Fri May 8 09:07:40 2015
Message-ID: <554C7B98.2040101@netfence.it>
Date: Fri, 08 May 2015 11:02:16 +0200
From: Andrea Venturoli
To: net@freebsd.org
Subject: ipfw dyn_keepalive

Hello.

I'm having some troubles with dynamic rules and keep-alives...

Let's say a client connects to a TCP port on my server and a keep-state rule allows the connection; the connection is set up correctly and some data is exchanged. Then there are some minutes of silence and the rule expires.
However, I read in "man ipfw" that if net.inet.ip.fw.dyn_keepalive=1 (which holds by default and which I verified in my case): "A keepalive is generated to both sides of the connection every 5 seconds for the last 20 seconds of the lifetime of the rule".

If I understand that correctly, then these rules should never expire (as long as the client answers those packets, I suppose); this is however in contrast to what I experience.

I looked around, but found no pointers about this.

How is it supposed to work? Does it need anything special on the client side, or is it expected to always answer those packets?
Any good document about this?

bye & Thanks
av.
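The first thing to check when a keep-state rule expires despite dyn_keepalive=1 is whether the dynamic state is actually reaching the keepalive window and how much time it has left. The script below is an added example, not part of the original post or of FreeBSD's ipfw code: it parses the dynamic-rule lines of `ipfw -d list` output (a constructed sample is embedded; the "(Ns)" column is assumed to be the remaining lifetime of the state) and flags states whose remaining lifetime lies inside the "last 20 seconds / every 5 seconds" window quoted from ipfw(8). It assumes keepalives are only generated for TCP states, which is my understanding of ipfw and not something the message states. Running it against real output from the firewall, captured a few times over the idle period, shows whether the state's timer is being refreshed (lifetime jumps back up) or is simply counting down to expiry.

```python
import re
from dataclasses import dataclass
from typing import List

# Window and interval as quoted from ipfw(8) in the message above.
KEEPALIVE_WINDOW_S = 20
KEEPALIVE_INTERVAL_S = 5

# Constructed sample of `ipfw -d list` dynamic-rule lines (hypothetical
# addresses from documentation ranges). Format assumed:
#   <rule> <pkts> <bytes> (<remaining>s) STATE <proto> <src> <sport> <-> <dst> <dport>
SAMPLE_DYN_RULES = """\
00100      12     1840 (293s) STATE tcp 10.1.2.18 51234 <-> 203.0.113.5 22
00100       3      312 ( 17s) STATE tcp 10.1.2.18 51240 <-> 203.0.113.5 443
00100       1       60 (  4s) STATE tcp 198.51.100.9 40000 <-> 10.1.2.18 25
00200       8      900 (  9s) STATE udp 10.1.2.18 5353 <-> 224.0.0.251 5353
"""

DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\(\s*(?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)


@dataclass
class DynState:
    rule: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int  # seconds until the state expires unless traffic refreshes it

    def in_keepalive_window(self) -> bool:
        # Assumption: only TCP states get keepalives, and only once the
        # remaining lifetime has dropped into the final 20-second window.
        return self.proto == "tcp" and self.ttl <= KEEPALIVE_WINDOW_S

    def probes_remaining(self) -> int:
        # Upper bound on how many 5-second keepalive rounds can still fire
        # before the state is removed.
        if not self.in_keepalive_window():
            return 0
        return self.ttl // KEEPALIVE_INTERVAL_S


def parse_dyn_states(text: str) -> List[DynState]:
    """Extract dynamic states from `ipfw -d list` output; other lines are skipped."""
    states = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        states.append(DynState(int(m["rule"]), m["proto"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), int(m["ttl"])))
    return states


def states_about_to_expire(text: str) -> List[DynState]:
    """States that are inside the keepalive window, i.e. the ones ipfw should be probing."""
    return [s for s in parse_dyn_states(text) if s.in_keepalive_window()]


def report(text: str) -> List[str]:
    """One human-readable line per state, flagging those in the keepalive window."""
    out = []
    for s in parse_dyn_states(text):
        flag = "KEEPALIVE-WINDOW" if s.in_keepalive_window() else "idle-ok"
        out.append(f"{s.proto} {s.src}:{s.sport} <-> {s.dst}:{s.dport} "
                   f"ttl={s.ttl}s {flag} probes_left={s.probes_remaining()}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DYN_RULES)))
```

Capture the output repeatedly (for example once every few seconds while the connection is idle) and feed each snapshot to `report()`: a TCP state that stays in the keepalive window and then reappears with a large ttl was refreshed by an answered keepalive, while one that counts down through the window and disappears means the probes are not being answered, or not leaving the box, which is where to look next (host firewall on the client, a NAT or filter in between, or the sysctl itself).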