Date: Sat, 28 Mar 2009 06:34:51 +1100
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: Pierre Lamy <pierre@userid.org>
Cc: freebsd-net@freebsd.org, Adrian Penisoara <ady@freebsd.ady.ro>, Shawn Everett <shawn@tandac.com>
Subject: Re: FreeBSD Router Problem
Message-ID: <20090327193451.GA16310@server.vk2pj.dyndns.org>
In-Reply-To: <49CBA72F.3020600@userid.org>
References: <3650.206.108.16.89.1235691792.squirrel@alder.hosix.com> <3853.206.108.16.89.1235693214.squirrel@alder.hosix.com> <78cb3d3f0902261619t71a054fet43779c37e2981603@mail.gmail.com> <200902262341.35069.shawn@tandac.com> <49CAB28A.9030406@userid.org> <1865.206.108.16.89.1238019698.squirrel@alder.hosix.com> <78cb3d3f0903260552g372fd4b6k886bba1ebc05a77c@mail.gmail.com> <49CBA72F.3020600@userid.org>
On 2009-Mar-26 11:02:55 -0500, Pierre Lamy <pierre@userid.org> wrote:
>A 1 day default timeout for established connections is retarded, since
>virtually all client apps and OSs as well as intervening stateful
>firewalls will lose state after 1 hour.

With respect, this is nonsense. An app or OS should never "lose state" for an established TCP connection - if it does, it is broken. Note that the default TCP keepalive interval (in many OSs, not just FreeBSD) is 2 hours.

Firewalls are a different case - far more variable and far more often tweaked to suit the owner. IPFW2 defaults to 4096 dynamic rules and defaults to a 5 minute timeout (it also supports its own keepalive generation). IPfilter defaults to a 120 hour timeout. Our corporate firewall at $work times out after about a minute. Again - none of these match your '1 hour' statement.

> A session which is idle for more
>than an hour can't be considered to be active.

This depends on what you consider active. I manage one firewall-like device at work where access to services through the device is controlled by the presence of a specific TCP connection (ie, the user sets up a TCP connection to an app on the box and that app then allows that user to have access to other services mediated by that box whilst that connection remains established). In this case, once the initial authentication phase is complete, the control connection never carries any further application-level data but its continued presence is required (and monitored via TCP-level keepalives).

-- 
Peter Jeremy
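An added example, not part of the original thread or of any FreeBSD code: the post contrasts the 2-hour default TCP keepalive idle time with much shorter stateful-firewall timeouts (IPFW2's 5 minute default, a corporate firewall at about a minute), and describes an idle control connection that is kept alive only by TCP keepalives. The Python below shows how an application side can set per-socket keepalive parameters so that a probe crosses the firewall before its dynamic-rule state expires. The function names `keepalive_schedule`, `apply_keepalive` and `demo_local_connection` are my own; the socket options TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT exist on FreeBSD and Linux, TCP_KEEPALIVE on macOS, and the code falls back to plain SO_KEEPALIVE (system-wide defaults) where a knob is not exposed. The loopback connection in the demo is a constructed local test, not a real firewall path.

```python
import socket

# Default keepalive idle time quoted in the post: 2 hours on most OSs.
# A firewall that drops state after 5 minutes will never see a probe
# from a socket that relies on this default.
DEFAULT_KEEPALIVE_IDLE_S = 2 * 60 * 60


def keepalive_schedule(state_timeout_s, probes=3, idle_fraction=0.5):
    """Derive (idle_s, interval_s, count) for a given firewall idle timeout.

    The first probe is sent at idle_fraction of the timeout, and the whole
    probe cycle (idle + probes * interval) finishes inside one timeout, so
    state is refreshed early and a dead peer is noticed within one period.
    state_timeout_s: the firewall's idle timeout, e.g. 300 for the IPFW2
    default of 5 minutes mentioned in the post (hypothetical input values).
    """
    if state_timeout_s < 2:
        raise ValueError("state timeout too short to schedule keepalives")
    idle = max(1, int(state_timeout_s * idle_fraction))
    interval = max(1, idle // probes)
    # Sanity check: the entire cycle fits inside the firewall timeout.
    assert idle + probes * interval <= state_timeout_s
    return idle, interval, probes


def apply_keepalive(sock, idle_s, interval_s, count):
    """Enable SO_KEEPALIVE and, where the platform exposes them, the
    per-socket idle/interval/count options. Returns a dict of the values
    the kernel reports back so the caller can verify what took effect."""
    applied = {}
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied["SO_KEEPALIVE"] = sock.getsockopt(socket.SOL_SOCKET,
                                              socket.SO_KEEPALIVE)
    # TCP_KEEPIDLE (FreeBSD/Linux) and TCP_KEEPALIVE (macOS) both mean
    # "seconds idle before the first probe"; only one exists per platform.
    for name, value in (("TCP_KEEPIDLE", idle_s),
                        ("TCP_KEEPALIVE", idle_s),
                        ("TCP_KEEPINTVL", interval_s),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is None:
            continue  # not exposed here: the system-wide default applies
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def demo_local_connection(state_timeout_s=300):
    """Constructed demo: open a loopback TCP connection and apply the
    schedule to the client side. Returns the applied option values."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(server.getsockname())
    try:
        return apply_keepalive(client, *keepalive_schedule(state_timeout_s))
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print(keepalive_schedule(300))        # schedule for a 5 minute firewall
    print(demo_local_connection(300))     # what the kernel actually applied
```

Reading the values back with getsockopt matters: some platforms silently ignore or clamp these options, and the defensive position is to verify the applied value rather than assume the request succeeded.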