From owner-freebsd-hackers Fri Mar 31 12:14:41 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from spcem01sgl.sugar-land.omnes.net (spcem01sgl.sugar-land.omnes.net [163.188.48.51]) by hub.freebsd.org (Postfix) with ESMTP id 32CB537BF00 for ; Fri, 31 Mar 2000 12:14:35 -0800 (PST) (envelope-from rayk@sugar-land.spc.slb.com)
Received: from rayk-sgl.sugar-land.spc.slb.com ([163.188.49.242]) by spcem01sgl.sugar-land.omnes.net (Post.Office MTA v3.5.3 release 223 ID# 0-58147U25000L25000S0V35) with ESMTP id net for ; Fri, 31 Mar 2000 14:07:59 -0600
Message-Id: <4.3.1.2.20000331141018.00ae0e10@163.188.48.51>
X-Sender: rayk@163.188.48.51
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Fri, 31 Mar 2000 14:14:16 -0600
To: freebsd-hackers@FreeBSD.ORG
From: Keith Ray
Subject: Re: ssh timeouts & ipfw dyn_ack_lifetime
In-Reply-To: <4.3.1.2.20000331123429.00ad6890@163.188.48.51>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 01:16 PM 3/31/00 -0600, you wrote:
>I am having a problem with ssh sessions from my windows box to my freebsd
>box timing out after a number of idle minutes. SecureCRT still shows a
>valid connection until I try to type some keys, and then after a minute it
>says "connection reset". I believe I have isolated the problem to the ipfw
>firewall timing out the connection. I am currently using dynamic rules
>such as:
>
>add check-state
>add reset tcp from any to {myip} established
>add reset tcp from {myip} to any established
>add allow tcp from any to {myip} ssh setup keep-state
>
>The sysctl variable net.inet.ip.fw.dyn_ack_lifetime seems to be
>responsible for this, but I only want to set a very large lifetime for
>things like ssh. Is it possible to disable automatic timeouts or make
>long timeouts on a rule-by-rule basis? Or perhaps a way to keep the
>dynamic rule alive as long as the connection is alive?
I believe I may have found a solution. If I set net.inet.tcp.keepidle <
net.inet.ip.fw.dyn_ack_lifetime, this appears to work. The defaults for
these values are 2 hours and 5 minutes respectively. Would it be better to
set the keepidle to something small like 2.5 minutes or would it be better
to make the dyn_ack_lifetime big like 3 hours? Setting the keepalive small
seems the best solution, but what repercussions would there be? Why is it
two hours by default?
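The relationship the message above relies on (a TCP keepalive probe must be sent before ipfw's dynamic rule expires, so that the probe refreshes the rule's lifetime) can be checked mechanically. The script below is an added example, not part of Keith Ray's message or of the FreeBSD project. It assumes net.inet.tcp.keepidle is expressed in milliseconds, as on current FreeBSD releases (the kernels of that era counted it in 500 ms slow-timer ticks, so the unit must be confirmed on the release in use), and that net.inet.ip.fw.dyn_ack_lifetime is in seconds. The function names and the "half the lifetime, never below 60 s" margin are this example's own choices.

```shell
#!/bin/sh
# Added example: verify that TCP keepalives fire often enough to keep an
# ipfw keep-state rule alive across an idle ssh session.
#
# Assumed units: net.inet.tcp.keepidle in milliseconds (current FreeBSD),
# net.inet.ip.fw.dyn_ack_lifetime in seconds.

# keepalive_covers_dyn_rule KEEPIDLE_MS DYN_ACK_LIFETIME_S
# Returns 0 (true) when the first keepalive probe is sent strictly before
# the dynamic rule for an established connection would expire.
keepalive_covers_dyn_rule() {
    keepidle_s=$(( $1 / 1000 ))
    [ "$keepidle_s" -lt "$2" ]
}

# recommended_keepidle_ms DYN_ACK_LIFETIME_S
# Prints a keepidle value in ms with a safety margin: half the dynamic-rule
# lifetime, but never shorter than 60 s (an example policy, not a kernel default).
recommended_keepidle_ms() {
    half=$(( $1 / 2 ))
    if [ "$half" -lt 60 ]; then
        half=60
    fi
    echo $(( half * 1000 ))
}

# audit_current_settings: on a FreeBSD host with ipfw, read the live sysctls
# and report whether idle sessions will survive the dynamic-rule timeout.
# Returns 2 when the sysctls are not available (e.g. a non-FreeBSD host).
audit_current_settings() {
    if ! sysctl -n net.inet.ip.fw.dyn_ack_lifetime >/dev/null 2>&1; then
        echo "ipfw sysctls not available on this host; skipping live audit" >&2
        return 2
    fi
    keepidle=$(sysctl -n net.inet.tcp.keepidle)
    dyn=$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime)
    if keepalive_covers_dyn_rule "$keepidle" "$dyn"; then
        echo "ok: keepidle ${keepidle} ms < dyn_ack_lifetime ${dyn} s"
    else
        echo "warning: an idle session loses its dynamic rule after ${dyn} s"
        echo "suggested: sysctl net.inet.tcp.keepidle=$(recommended_keepidle_ms "$dyn")"
        return 1
    fi
}

# Run the live audit when executed directly; a non-zero status is informative
# here, so do not let it abort a caller running under set -e.
audit_current_settings || :
```

With the defaults quoted in the thread (keepidle 2 h, dyn_ack_lifetime 300 s) the check fails and the script suggests 150000 ms, i.e. the 2.5 minutes considered in the message. Two caveats apply on a real host: keepalive probes are only generated for sockets with SO_KEEPALIVE set, unless net.inet.tcp.always_keepalive forces them on for every connection, and the two-hour default is not arbitrary: RFC 1122 requires the keepalive idle interval to default to no less than two hours, which is why lowering it system-wide affects every TCP connection on the box rather than just ssh.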