Date:      Fri, 31 Mar 2000 14:14:16 -0600
From:      Keith Ray <rayk@sugar-land.spc.slb.com>
To:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: ssh timeouts & ipfw dyn_ack_lifetime
Message-ID:  <4.3.1.2.20000331141018.00ae0e10@163.188.48.51>
In-Reply-To: <4.3.1.2.20000331123429.00ad6890@163.188.48.51>

At 01:16 PM 3/31/00 -0600, you wrote:
>I am having a problem with ssh sessions from my windows box to my freebsd 
>box timing out after a number of idle minutes.  SecureCRT still shows a 
>valid connection until I try to type some keys, and then after a minute it 
>says "connection reset".  I believe I have isolated the problem to the ipfw 
>firewall timing out the connection.  I am currently using dynamic rules 
>such as:
>
>add check-state
>add reset tcp from any to {myip} established
>add reset tcp from {myip} to any established
>add allow tcp from any to {myip} ssh setup keep-state
>
>The sysctl variable net.inet.ip.fw.dyn_ack_lifetime seems to be 
>responsible for this, but I only want to set a very large lifetime for 
>things like ssh.  Is it possible to disable automatic timeouts or make 
>long timeouts on a rule-by-rule basis?  Or perhaps a way to keep the 
>dynamic rule alive as long as the connection is alive?

I believe I may have found a solution.  If I set net.inet.tcp.keepidle < 
net.inet.ip.fw.dyn_ack_lifetime, this appears to work.  The defaults for 
these values are 2 hours and 5 minutes respectively.  Would it be better to 
set the keepidle to something small like 2.5 minutes or would it be better 
to make the dyn_ack_lifetime big like 3 hours?  Setting the keepalive small 
seems the best solution, but what repercussions would there be?  Why is it 
two hours by default?
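The interplay described above, as an added example (not code from the thread or from FreeBSD): a small POSIX sh script that checks whether the kernel's first TCP keepalive probe will arrive before the ipfw dynamic rule for an idle ssh session expires, suggests a keepidle value with headroom, and emits the sysctl settings to apply on the ipfw host. It assumes the unit conventions of these sysctls on FreeBSD (net.inet.tcp.keepidle in milliseconds, default 7200000; net.inet.ip.fw.dyn_ack_lifetime in seconds, default 300); verify both on your own host with sysctl(8) before trusting the numbers. The sample values in main are constructed, not read from a live system.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Checks whether TCP keepalive probes sent by the ipfw host (sshd runs there)
# refresh the ipfw dynamic rule before it times out, and prints the sysctl
# settings that make that true.
#
# Assumed units (check with sysctl on your host):
#   net.inet.tcp.keepidle            milliseconds (default 7200000 = 2 h)
#   net.inet.ip.fw.dyn_ack_lifetime  seconds      (default 300 = 5 min)
# Sample values below are constructed; nothing is read from a live system.

# Returns 0 if the first keepalive probe is sent before the dynamic rule
# would expire, 1 otherwise.  Arguments: keepidle_ms dyn_ack_lifetime_s
dyn_rule_survives_idle() {
    keepidle_ms=$1
    lifetime_s=$2
    lifetime_ms=$((lifetime_s * 1000))
    # A dynamic rule's timer restarts on every packet that matches it, so
    # only the gap before the first probe matters: it must be shorter than
    # the rule's lifetime.
    [ "$keepidle_ms" -lt "$lifetime_ms" ]
}

# Suggest a keepidle with headroom: half the dynamic-rule lifetime, in ms.
# With the 300 s default this is 150000 ms (2.5 min), the value proposed
# in the message above.
suggest_keepidle_ms() {
    lifetime_s=$1
    echo $((lifetime_s * 1000 / 2))
}

# Print the settings to apply on the ipfw host, one per line, in the
# name=value form accepted by sysctl(8) and /etc/sysctl.conf.
emit_sysctl_settings() {
    lifetime_s=$1
    keepidle_ms=$(suggest_keepidle_ms "$lifetime_s")
    # always_keepalive makes the kernel probe every TCP socket, not only the
    # ones that set SO_KEEPALIVE themselves (sshd does by default).
    printf 'net.inet.tcp.always_keepalive=1\n'
    printf 'net.inet.tcp.keepidle=%d\n' "$keepidle_ms"
    printf 'net.inet.ip.fw.dyn_ack_lifetime=%d\n' "$lifetime_s"
}

main() {
    keepidle_ms=7200000   # constructed: FreeBSD default keepidle, 2 hours
    lifetime_s=300        # constructed: ipfw default dyn_ack_lifetime, 5 min
    if dyn_rule_survives_idle "$keepidle_ms" "$lifetime_s"; then
        echo "ok: first probe at ${keepidle_ms} ms precedes rule expiry"
    else
        echo "problem: rule expires after ${lifetime_s} s, first probe at ${keepidle_ms} ms"
        echo "apply each line with 'sysctl -w name=value' or add it to /etc/sysctl.conf:"
        emit_sysctl_settings "$lifetime_s"
    fi
}

main
```

Two caveats a practitioner would want. First, the probe only refreshes the dynamic rule if it actually traverses ipfw on the firewall host, which is the case here because sshd runs on that host; for a session that merely passes through a forwarding firewall, the endpoints' keepalive settings are what matter. Second, the two-hour default is not arbitrary: RFC 1122 requires that a keepalive interval, if keepalives are used at all, default to no less than two hours, so shortening it trades a small amount of idle traffic per connection for the firewall state staying alive.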