Date:      Fri, 31 Mar 2000 21:38:18 +0200 (CEST)
From:      Luigi Rizzo <luigi@info.iet.unipi.it>
To:        Keith Ray <rayk@sugar-land.spc.slb.com>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: ssh timeouts & ipfw dyn_ack_lifetime
Message-ID:  <200003311938.VAA44427@info.iet.unipi.it>
In-Reply-To: <4.3.1.2.20000331123429.00ad6890@163.188.48.51> from Keith Ray at "Mar 31, 2000 01:16:36 pm"

As Larry Baird was suggesting in a private email, one way to
handle this problem would be to have the firewall issue keepalives
to refresh the state. Unfortunately the connection can be alive
without any traffic flowing, and you cannot rely on keepalives on
both sides of the connection.

On the other hand, if you look at the sysctl variables, you see that
the timeout after a FIN becomes quite short, so I think it is not
_that_ bad having much larger timeouts than the ones I set, because
properly closed connections will still make the rule expire very quickly.

Yes, the timeouts could be made configurable on a per-rule basis,
at the price of some additional parameter in the ipfw rules.
But I am not planning such a change at the moment.

	cheers
	luigi

> I am having a problem with ssh sessions from my windows box to my freebsd 
> box timing out after a number of idle minutes.  SecureCRT still shows a 
> valid connection until I try to type some keys, and then after a minute it 
> says "connection reset".  I believe I have isolated the problem to the ipfw 
> firewall timing out the connection.  I am currently using dynamic rules 
> such as:
> 
> add check-state
> add reset tcp from any to {myip} established
> add reset tcp from {myip} to any established
> add allow tcp from any to {myip} ssh setup keep-state
> 
> The sysctl variable net.inet.ip.fw.dyn_ack_lifetime seems to be responsible 
> for this, but I only want to set a very large lifetime for things like 
> ssh.  Is it possible to disable automatic timeouts or make long timeouts on 
> a rule-by-rule basis?  Or perhaps a way to keep the dynamic rule alive as 
> long as the connection is alive?
> 
-----------------------------------+-------------------------------------
  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
  Mobile   +39-347-0373137
-----------------------------------+-------------------------------------
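As an added illustration (not code from this thread or from ipfw itself), the Python model below mimics the quoted ruleset's dynamic-rule table to show why an idle ssh session ends up matching the `reset ... established` rule once dyn_ack_lifetime elapses, while a FIN-closed connection's state expires almost at once. The flow tuple and the lifetime values are constructed for the example, not FreeBSD defaults, and only one direction of the flow is tracked.

```python
# Lifetimes in seconds, named after the sysctls in the thread; the values are
# constructed for this illustration, not FreeBSD's defaults.
ACK_LIFETIME = 300   # net.inet.ip.fw.dyn_ack_lifetime: idle established flow
FIN_LIFETIME = 1     # net.inet.ip.fw.dyn_fin_lifetime: once a FIN is seen

class Firewall:
    """Models the quoted ruleset: check-state; reset ... established;
    allow tcp ... ssh setup keep-state. Tracks one direction only."""

    def __init__(self):
        self.dyn = {}  # flow (src, sport, dst, dport) -> [expire_at, state]

    def _expire(self, now):
        self.dyn = {k: v for k, v in self.dyn.items() if v[0] > now}

    def packet(self, now, flow, syn=False, fin=False):
        """Return the action the ruleset takes for one segment at time `now`."""
        self._expire(now)
        rule = self.dyn.get(flow)
        if rule is not None:                      # check-state matched
            if fin or rule[1] == "fin":           # closing: short lifetime
                rule[0], rule[1] = now + FIN_LIFETIME, "fin"
            else:                                 # traffic refreshes the state
                rule[0] = now + ACK_LIFETIME
            return "allow"
        if not syn:                               # established, but no state
            return "reset"
        if flow[3] == 22:                         # ssh setup keep-state
            self.dyn[flow] = [now + ACK_LIFETIME, "estab"]
            return "allow"
        return "deny"

FLOW = ("192.0.2.10", 50000, "198.51.100.1", 22)  # constructed sample flow

def idle_ssh_scenario(idle_seconds):
    """Open an ssh session, idle for idle_seconds, then send one keystroke."""
    fw = Firewall()
    fw.packet(0, FLOW, syn=True)
    fw.packet(5, FLOW)
    return fw.packet(5 + idle_seconds, FLOW)

def closed_ssh_scenario():
    """Close the session with a FIN, then see a stray segment seconds later."""
    fw = Firewall()
    fw.packet(0, FLOW, syn=True)
    fw.packet(1, FLOW, fin=True)
    return fw.packet(10, FLOW)
```

A keystroke within ACK_LIFETIME of the last traffic is allowed and refreshes the entry; one sent after the entry has expired is answered by the reset rule, which is the "connection reset" the original poster sees.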

