From: Simon Walton
Date: Mon, 14 Aug 2006 11:40:44 -0700
To: Mike Silbersack
Cc: freebsd-net@freebsd.org
Subject: Re: Long keepidle time
Message-ID: <44E0C3AC.7030603@matteworld.com>
References: <44DD1909.40703@matteworld.com> <20060811203041.E44075@odysseus.silby.com>
In-Reply-To: <20060811203041.E44075@odysseus.silby.com>
List-Id: Networking and TCP/IP with FreeBSD

Mike Silbersack wrote:
>
> On Fri, 11 Aug 2006, Simon Walton wrote:
>
>> Is there any reason why the default initial timeout for keep alive
>> packets needs to be as long as two hours? This period causes the
>> dynamic rules in my firewall filter to timeout.
>>
>> Is there a major objection to reducing the default idle time to
>> say 3 to 5 minutes?
>>
>> Simon Walton
>
> One reason behind a 2 hour keepalive is so that you don't have a 2 minute
> network outage that causes all your connections to timeout.
>
> Of course, as you point out, in the modern age of firewalls, more
> frequent keepalives can be a good thing.
>
> I don't foresee us changing FreeBSD's default keepalive setting, but
> you're more than welcome to change the setting on your own system.
>
> Also note that ipfw2 sends keepalive packets on its own, maybe you could
> switch to it and/or add that functionality to your favorite firewall
> package. :)

Thanks. I did not go with ipfw2 partly because of concerns about whether
it was stable enough (this is on 4.10) and also because it requires
rebuilding part of userland. Perhaps this would be the way to go after all.

Note that the probes are retransmitted a few times (I think eight times)
before the connection is considered dead, so it would take longer than two
minutes.

Simon Walton
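The trade-off discussed in this thread (a keepidle short enough that the first probe arrives before a stateful firewall expires the connection's dynamic rule, versus the time the stack takes to declare a peer dead) can be worked through per socket rather than by changing the system-wide default. The following is an added example, not code from the thread or from FreeBSD; it assumes a Linux or modern FreeBSD host that exposes TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT to applications (the 4.10 system in the thread only has the net.inet.tcp.keepidle and net.inet.tcp.keepintvl sysctls), and the 75 s probe interval is FreeBSD's keepintvl default, which the thread does not state.

```python
"""Per-socket TCP keepalive tuning and dead-peer detection budget."""
import socket

# Defaults discussed in the thread: 2 h idle before the first probe, and
# probes retransmitted about 8 times before the connection is declared dead.
# 75 s is FreeBSD's net.inet.tcp.keepintvl default (assumed, not in the thread).
DEFAULT_KEEPIDLE = 7200   # seconds before the first probe
DEFAULT_KEEPINTVL = 75    # seconds between probes
DEFAULT_KEEPCNT = 8       # probes sent before giving up


def dead_peer_detection_time(keepidle, keepintvl, keepcnt):
    """Worst-case seconds from the last data until the stack drops a dead peer."""
    return keepidle + keepintvl * keepcnt


def keepidle_fits_firewall(keepidle, firewall_state_timeout, margin=30):
    """True if the first keepalive probe fires before a stateful firewall's
    dynamic rule for the idle connection expires, keeping a safety margin."""
    return keepidle + margin <= firewall_state_timeout


def enable_keepalive(sock, idle=300, intvl=30, cnt=4):
    """Turn on keepalive for one socket and, where the platform allows it,
    override the system-wide idle/interval/count. Returns what was applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    # Older stacks (e.g. FreeBSD 4.x) lack these per-socket options; in that
    # case the sysctl defaults remain in force instead of raising an error.
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", intvl),
                        ("TCP_KEEPCNT", cnt)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    # With the defaults, a dead peer is noticed only after 2 h 10 min.
    print(dead_peer_detection_time(DEFAULT_KEEPIDLE, DEFAULT_KEEPINTVL, DEFAULT_KEEPCNT))
    # A 5 minute keepidle fits a firewall that drops idle state after 10 minutes.
    print(keepidle_fits_firewall(300, 600), keepidle_fits_firewall(DEFAULT_KEEPIDLE, 600))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(enable_keepalive(s))
```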