From: Roland Smith <rsmith@xs4all.nl>
To: Damien Fleuriot
Cc: freebsd-questions@freebsd.org
Date: Wed, 11 Jan 2017 11:24:45 +0100
Subject: Re: [IPFW] stateful session timeout
Message-ID: <20170111102445.GA53285@slackbox.erewhon.home>
User-Agent: Mutt/1.7.2 (2016-11-26)

On Tue, Jan 10, 2017 at 03:16:46PM +0100, Damien Fleuriot wrote:
> Hello list,
> We currently use PF on 8-STABLE and 10-STABLE boxes.
>
> I'm playing around a bit with ipfw and have not found a way to replicate
> PF's *per-rule* custom session lifetimes.
>
> Anyone's got anything on the subject? ;)

Is this about dynamic rules? Because looking at ipfw(8) you can only set that
globally via the net.inet.ip.fw.dyn_* sysctls. From the manual:

    Dynamic rules expire after some time, which depends on the status of the
    flow and the setting of some sysctl variables. See Section SYSCTL
    VARIABLES for more details. For TCP sessions, dynamic rules can be
    instructed to periodically send keepalive packets to refresh the state of
    the rule when it is about to expire.
Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93 FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
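Added illustration of the point Roland makes above; this is not code from the mail, from ipfw, or from FreeBSD. It models how an ipfw dynamic rule's lifetime is picked from the global net.inet.ip.fw.dyn_* sysctls rather than from the rule that created it, and how a keepalive or matching packet restarts the timer. The sysctl names are the real ipfw(8) knobs; the sample `sysctl` output is constructed, the numeric values are the FreeBSD defaults as I recall them (verify with `sysctl net.inet.ip.fw` on your box), and the flow-state to sysctl mapping is a simplification of ipfw's flag tracking, not its actual state machine.

```python
"""Model of ipfw dynamic-rule lifetimes: one global timeout per flow state.

Added example, not from the mailing-list post or from ipfw's sources. The
sysctl names are real; the values and the state mapping are assumptions.
"""
from dataclasses import dataclass

# Constructed sample of `sysctl net.inet.ip.fw` output (values are the
# defaults as I recall them; check your own system).
SAMPLE_SYSCTL_OUTPUT = """\
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 17
net.inet.ip.fw.one_pass: 1
"""


def parse_dyn_sysctls(text):
    """Return {short_name: int} for every net.inet.ip.fw.dyn_* line."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("net.inet.ip.fw.dyn_"):
            continue
        key, _, value = line.partition(":")
        cfg[key.rsplit(".", 1)[1]] = int(value.strip())
    return cfg


# Simplified mapping (assumption) from the observed state of a flow to the
# sysctl that governs how long its dynamic rule lives with no traffic.
STATE_TO_SYSCTL = {
    "tcp_syn": "dyn_syn_lifetime",          # handshake not yet completed
    "tcp_established": "dyn_ack_lifetime",  # both sides seen ACK
    "tcp_fin": "dyn_fin_lifetime",          # teardown in progress
    "tcp_rst": "dyn_rst_lifetime",          # reset seen
    "udp": "dyn_udp_lifetime",
    "other": "dyn_short_lifetime",
}


def lifetime_for(state, cfg):
    """Idle lifetime in seconds for a flow in `state`; global, not per rule."""
    return cfg[STATE_TO_SYSCTL[state]]


@dataclass
class DynRule:
    parent_rule: int   # ipfw rule number that created this dynamic entry
    state: str         # one of STATE_TO_SYSCTL's keys
    last_seen: int     # epoch seconds of the last packet (or keepalive reply)

    def expires_at(self, cfg):
        return self.last_seen + lifetime_for(self.state, cfg)

    def is_expired(self, now, cfg):
        return now >= self.expires_at(cfg)


def refresh(rule, now):
    """A matching packet, or the reply to an ipfw keepalive when
    dyn_keepalive=1, restarts the idle timer."""
    rule.last_seen = now


def lifetimes_by_parent_rule(rules, cfg):
    """Show that rules created by different parent rules but in the same flow
    state get the same lifetime: the knob is global, unlike PF's per-rule
    timeouts."""
    return {r.parent_rule: lifetime_for(r.state, cfg) for r in rules}


def state_table_headroom(cfg):
    """Free slots before dyn_max is hit and new stateful sessions are refused;
    worth alerting on, since a flood of half-open flows can exhaust it."""
    return cfg["dyn_max"] - cfg["dyn_count"]


if __name__ == "__main__":
    cfg = parse_dyn_sysctls(SAMPLE_SYSCTL_OUTPUT)
    ssh = DynRule(parent_rule=100, state="tcp_established", last_seen=1000)
    web = DynRule(parent_rule=200, state="tcp_established", last_seen=1000)
    print("lifetimes by parent rule:", lifetimes_by_parent_rule([ssh, web], cfg))
    print("ssh entry expires at", ssh.expires_at(cfg))
    refresh(ssh, 1299)  # keepalive reply just before expiry
    print("after keepalive, expires at", ssh.expires_at(cfg))
    print("state table headroom:", state_table_headroom(cfg))
```

The one thing the model makes visible is the limitation the reply points to: the ssh and web entries come from different parent rules, yet both live for `dyn_ack_lifetime` seconds, and lowering that value to shorten one service's sessions shortens every established TCP session on the box. Shortening `dyn_syn_lifetime` is the usual defensive lever, since half-open flows are what fill the table towards `dyn_max`.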