From owner-freebsd-net@FreeBSD.ORG  Fri May  8 09:07:40 2015
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id BB700907
 for <net@freebsd.org>; Fri,  8 May 2015 09:07:40 +0000 (UTC)
Received: from smtp209.alice.it (smtp209.alice.it [82.57.200.105])
 by mx1.freebsd.org (Postfix) with ESMTP id 5540F18E8
 for <net@freebsd.org>; Fri,  8 May 2015 09:07:39 +0000 (UTC)
Received: from soth.ventu (82.52.27.173) by smtp209.alice.it (8.6.060.28)
 (authenticated as acanedi@alice.it)
 id 552F94EA035D4801 for net@freebsd.org; Fri, 8 May 2015 11:02:17 +0200
Received: from alamar.ventu (alamar.ventu [10.1.2.18])
 by soth.ventu (8.15.1/8.14.9) with ESMTP id t4892G1O089421
 for <net@freebsd.org>; Fri, 8 May 2015 11:02:16 +0200 (CEST)
 (envelope-from ml@netfence.it)
Message-ID: <554C7B98.2040101@netfence.it>
Date: Fri, 08 May 2015 11:02:16 +0200
From: Andrea Venturoli <ml@netfence.it>
User-Agent: Mozilla/5.0 (X11; FreeBSD i386;
 rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: net@freebsd.org
Subject: ipfw dyn_keepalive
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2015 09:07:40 -0000

Hello.

I'm having some troubles with dynamic rules and keep-alives...

Let's say a client connect to a TCP port on my server and a keep-state 
rules allows the connection; the connection is setup correctly and some 
data exchanged.
Then there is some minutes of silence and the rule expires.



However, I read in "man ipfw" that if net.inet.ip.fw.dyn_keepalive=1 
(which is holds by default and I verified in my case):
"A keepalive is generated to both sides of the connection every 5 
seconds for the last 20 seconds of the lifetime of the rule".

If I understand that correctly, then these rules should never expire (as 
long as the client answers those packets, I suppose); this is however in 
contrast to what I experience.

I looked around, but found no pointers about this.
How is it supposed to work?
Does it need anything special on the client side or is it expected to 
always answer those packets?
Any good document about this?


  bye & Thanks
	av.