Date: Wed, 18 Sep 2002 07:00:04 +1000
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: dfolkins <dfolkins@comcast.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Unexpected keep state behaviour in ipfw
Message-ID: <20020917210004.GW495@gsmx07.alcatel.com.au>
In-Reply-To: <001a01c25e17$39edcde0$0a00a8c0@groovy3xp>
References: <20020915224154.GD495@gsmx07.alcatel.com.au> <001a01c25e17$39edcde0$0a00a8c0@groovy3xp>
On 2002-Sep-17 02:55:36 -0400, dfolkins <dfolkins@comcast.net> wrote:
>first, your "idle time" for standard tcp connections is controlled by a
>sysctl variable named net.inet.ip.fw.dyn_ack_lifetime. if it is set too
>short (default is 300 seconds, i think) you can always just reset it to a
>longer value, either from command prompt or from sysctl.conf. just set it
>to a number you think appropriate for idle established connections to remain
>active. e.g. if you want your idle ftp connections to stay alive for 10
>minutes, set that variable to 600. there are a bunch of related variables.
>to see them all just do a "sysctl -a |grep dyn".

net.inet.ip.fw.dyn_ack_lifetime is a tradeoff between keeping active
connections alive and minimising the impact of massive numbers of dynamic
rules. I also feel that 300 seconds is too short (note that IPFilter uses
120 hours, which I think is far too long).

My problem is that the connections are being dropped after less than
net.inet.ip.fw.dyn_ack_lifetime seconds of idle time. I have tried juggling
net.inet.tcp.keepidle, net.inet.tcp.keepintvl and
net.inet.ip.fw.dyn_ack_lifetime so that the latter is longer than the former
(in ipfw) and this still didn't work. It would appear that the dynamic rule
timers are never being reset.

>as to why your ssh connection stays alive even through the night - i
>suspect that is because your ssh server on your firewall has a
>configuration setting that makes it send keep-alives, i.e. your
>clientaliveinterval in sshd_config is set to some value which is less
>than your net.inet.ip.fw.dyn_ack_lifetime value.

Nope. I'm using the default ClientAliveInterval value (i.e. disabled).

Based on comments in another thread here, I suspect the underlying problem
is that ipfw dynamic rules don't work with ipnat. (Though I don't understand
why - ipnat should be invisible to ipfw). My ssh connections remain working
courtesy of either normal or ipfw2 keepalives (since that connection isn't
NAT'd).
Peter
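The relationship Peter is juggling above (TCP keepalives must fire before the ipfw dynamic rule expires) as an added shell check; this is not code from the thread. It assumes FreeBSD's reporting units, keepidle and keepintvl in milliseconds and dyn_ack_lifetime in seconds, and takes the values as arguments so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Compare TCP keepalive timing with the
# ipfw dynamic-rule lifetime. On a FreeBSD host the live values would be:
#   keepalive_check "$(sysctl -n net.inet.tcp.keepidle)" \
#                   "$(sysctl -n net.inet.tcp.keepintvl)" \
#                   "$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime)"
# keepidle/keepintvl are reported in milliseconds, dyn_ack_lifetime in
# seconds, so the units are normalised before comparing. Returns 0 when the
# first keepalive probe is due before the dynamic rule expires, 1 otherwise.
# (Keepalives only refresh the rule if the firewall actually sees them, which
# is exactly what the ipnat interaction in the thread calls into question.)
keepalive_check() {
    keepidle_ms=$1; keepintvl_ms=$2; dyn_ack_s=$3
    # the first keepalive probe goes out after keepidle ms of idleness
    first_probe_s=$(( keepidle_ms / 1000 ))
    if [ "$first_probe_s" -lt "$dyn_ack_s" ]; then
        echo "ok: first keepalive at ${first_probe_s}s < dyn_ack_lifetime ${dyn_ack_s}s"
        return 0
    fi
    # suggested lifetime: first probe plus one retransmit interval, plus slack
    need_s=$(( first_probe_s + keepintvl_ms / 1000 + 1 ))
    echo "mismatch: first keepalive at ${first_probe_s}s >= dyn_ack_lifetime ${dyn_ack_s}s;" \
         "raise net.inet.ip.fw.dyn_ack_lifetime to at least ${need_s}" \
         "or lower net.inet.tcp.keepidle below $(( dyn_ack_s * 1000 ))"
    return 1
}

# Constructed sample values: stock keepalive settings (2h idle, 75s interval)
# against the 300s lifetime from the thread, then a 4-minute keepidle against
# the 600s (10-minute) lifetime dfolkins suggested.
keepalive_check 7200000 75000 300 || echo "(exit status $?)"
keepalive_check 240000 75000 600
```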