From owner-freebsd-hackers Fri Mar 31 11:37:50 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by hub.freebsd.org (Postfix) with ESMTP id 55DEA37BE6C for ; Fri, 31 Mar 2000 11:37:46 -0800 (PST) (envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id VAA44427; Fri, 31 Mar 2000 21:38:18 +0200 (CEST) (envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200003311938.VAA44427@info.iet.unipi.it>
Subject: Re: ssh timeouts & ipfw dyn_ack_lifetime
In-Reply-To: <4.3.1.2.20000331123429.00ad6890@163.188.48.51> from Keith Ray at "Mar 31, 2000 01:16:36 pm"
To: Keith Ray
Date: Fri, 31 Mar 2000 21:38:18 +0200 (CEST)
Cc: freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

As Larry Baird was suggesting in a private email, one way to handle this
problem would be to have the firewall issue keepalives to refresh the state.
Unfortunately the connection can be alive without any traffic flowing, and
you cannot rely on keepalives on both sides of the connection.

On the other hand, if you look at the sysctl variables, you see that the
timeout after a FIN becomes quite short, so i think it is not _that_ bad
having much larger timeouts than the ones i set, because a properly closed
connection will still make the rule expire very quickly.

Yes, the timeouts could be made configurable on a per-rule basis, at the
price of some additional parameter in the ipfw rules. But i am not planning
such a change at the moment.

cheers
luigi

> I am having a problem with ssh sessions from my windows box to my freebsd
> box timing out after a number of idle minutes. SecureCRT still shows a
> valid connection until I try to type some keys, and then after a minute it
> says "connection reset". I believe I have isolated the problem to the ipfw
> firewall timing out the connection. I am currently using dynamic rules
> such as:
>
> add check-state
> add reset tcp from any to {myip} established
> add reset tcp from {myip} to any established
> add allow tcp from any to {myip} ssh setup keep-state
>
> The sysctl variable net.inet.ip.fw.dyn_ack_lifetime seems to be responsible
> for this, but I only want to set a very large lifetime for things like
> ssh. Is it possible to disable automatic timeouts or make long timeouts on
> a rule-by-rule basis? Or perhaps a way to keep the dynamic rule alive as
> long as the connection is alive?
>

-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
 Mobile   +39-347-0373137
-----------------------------------+-------------------------------------
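To make the trade-off in the exchange above concrete, the following Python model (an added illustration, not ipfw's own code) shows how each matching packet refreshes a dynamic rule's expiry and how the lifetime shrinks once a FIN is seen, which is why a large dyn_ack_lifetime mostly costs state only for connections that never close cleanly. The lifetime values, sample addresses and function names are assumptions.

```python
# Added illustration, not ipfw's source: a model of dynamic-rule expiry in which
# every matching packet refreshes the rule's expire time with a lifetime chosen by
# the TCP state seen so far. Lifetime values are assumptions standing in for the
# net.inet.ip.fw.dyn_*_lifetime sysctls; check `sysctl net.inet.ip.fw` locally.
LIFETIMES = {"syn": 20, "ack": 300, "fin": 1, "rst": 1}  # seconds, assumed

class DynTable:
    def __init__(self, lifetimes=LIFETIMES):
        self.lifetimes = dict(lifetimes)
        self.rules = {}  # frozenset(endpoints) -> [state, expire]; matches either direction

    def setup(self, flow, now):
        """keep-state: the SYN matched an allow rule, so create a dynamic rule."""
        self.rules[frozenset(flow)] = ["syn", now + self.lifetimes["syn"]]

    def check_state(self, flow, flags, now):
        """check-state: True if the packet matches a live rule, refreshing its expiry."""
        self.expire_old(now)
        rule = self.rules.get(frozenset(flow))
        if rule is None:
            return False
        if "R" in flags:
            rule[0] = "rst"
        elif "F" in flags:
            rule[0] = "fin"  # from here on the rule lives only dyn_fin_lifetime
        elif "A" in flags and rule[0] == "syn":
            rule[0] = "ack"  # handshake done: the long dyn_ack_lifetime applies
        rule[1] = now + self.lifetimes[rule[0]]
        return True

    def expire_old(self, now):
        for k in [k for k, r in self.rules.items() if r[1] <= now]:
            del self.rules[k]

FLOW = (("10.0.0.2", 40001), ("192.0.2.1", 22))  # constructed sample ssh flow

def idle_keystroke_accepted(ack_lifetime, idle_seconds=600):
    """Keith's case: does a keystroke after idle_seconds of silence still match?"""
    t = DynTable({**LIFETIMES, "ack": ack_lifetime})
    t.setup(FLOW, now=0)
    t.check_state(FLOW, "A", now=1)  # third packet of the handshake
    return t.check_state(FLOW, "A", now=1 + idle_seconds)

def rule_alive_after_close(ack_lifetime=3600):
    """Luigi's point: after a FIN the rule expires fast even with a huge ack lifetime."""
    t = DynTable({**LIFETIMES, "ack": ack_lifetime})
    t.setup(FLOW, now=0)
    t.check_state(FLOW, "A", now=1)
    t.check_state(FLOW, "FA", now=2)  # orderly close begins
    return t.check_state(FLOW, "A", now=2 + LIFETIMES["fin"] + 0.5)
```

With the default-sized ack lifetime the idle keystroke no longer matches and falls through to the `reset ... established` rules, which is the "connection reset" Keith sees; raising only dyn_ack_lifetime fixes that while a closed session still drops out of the table within dyn_fin_lifetime.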