From owner-freebsd-hackers Fri Mar 31 13: 5:21 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184])
	by hub.freebsd.org (Postfix) with ESMTP id 791E537C1CE
	for ; Fri, 31 Mar 2000 13:05:17 -0800 (PST)
	(envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost)
	by info.iet.unipi.it (8.9.3/8.9.3) id XAA44689;
	Fri, 31 Mar 2000 23:05:27 +0200 (CEST)
	(envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200003312105.XAA44689@info.iet.unipi.it>
Subject: Re: ssh timeouts & ipfw dyn_ack_lifetime
In-Reply-To: <4.3.1.2.20000331141018.00ae0e10@163.188.48.51> from Keith Ray at "Mar 31, 2000 02:14:16 pm"
To: Keith Ray
Date: Fri, 31 Mar 2000 23:05:27 +0200 (CEST)
Cc: freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I believe I may have found a solution.  If I set net.inet.tcp.keepidle <
> net.inet.ip.fw.dyn_ack_lifetime, this appears to work.  The defaults for

yes, though this assumes that you can set the keepalive interval
on at least one end, and you know the lifetime of dynamic rules
on the firewall, both things that you should not be required to do.
[this is not to say that it doesn't work, just that ipfw should do
something smarter!]

> these values are 2 hours and 5 minutes respectively.  Would it be better to
> set the keepidle to something small like 2.5 minutes or would it be better
> to make the dyn_ack_lifetime big like 3 hours?  Setting the keepalive small
> seems the best solution, but what repercussions would there be?  Why is it
> two hours by default?

because a short keepalive would keep dialup connection up even if
no traffic is flowing, etc. etc. -- so i would move both values to
something like 10-30min. But for your setting, basically any solution
would do.

	cheers
	luigi
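
Added example (not part of the original message, and not ipfw code): a toy timeline model in Python of the interaction discussed in this thread, where an idle session carries only TCP keepalive probes and each probe that passes refreshes the firewall's dynamic rule. All values are in seconds; the function names, the assumption that a packet with no matching dynamic rule is dropped, and the last two scenario rows (constructed picks from the 10-30 minute range) are this example's own.

```python
# Toy model, not ipfw's implementation.
# Assumption: the ruleset only creates state at connection setup, so a packet
# that arrives after the dynamic rule has expired is dropped and the session dies.

def simulate_idle_session(keepidle_s, dyn_ack_lifetime_s, idle_for_s):
    """The session is silent from t=0 except for keepalive probes; the user
    types again at t=idle_for_s. Returns (alive, rule_expired_at)."""
    expires_at = dyn_ack_lifetime_s          # last real packet passed at t=0
    t = keepidle_s                           # first keepalive probe
    while t < idle_for_s:
        if t >= expires_at:                  # probe arrives too late: dropped
            return False, expires_at
        expires_at = t + dyn_ack_lifetime_s  # answered probe refreshes the rule
        t += keepidle_s                      # idle timer restarts after the ACK
    if idle_for_s >= expires_at:             # the keystroke finds no state
        return False, expires_at
    return True, None


HOUR = 3600
# (label, keepidle, dyn_ack_lifetime) in seconds. The first three rows use the
# values quoted in the thread; the last two are constructed for illustration.
SCENARIOS = [
    ("defaults: 2 h / 5 min", 2 * HOUR, 300),
    ("keepidle 2.5 min / 5 min", 150, 300),
    ("2 h / lifetime 3 h", 2 * HOUR, 3 * HOUR),
    ("10 min / 30 min", 600, 1800),
    ("30 min / 10 min", 1800, 600),
]


def report(idle_for_s=8 * HOUR):
    """Run every scenario for an idle period and collect the outcomes."""
    rows = []
    for label, keepidle, lifetime in SCENARIOS:
        alive, expired_at = simulate_idle_session(keepidle, lifetime, idle_for_s)
        rows.append((label, alive, expired_at))
    return rows


if __name__ == "__main__":
    for label, alive, expired_at in report():
        state = "survives" if alive else f"state lost at t={expired_at}s"
        print(f"{label:26} {state}")
```

With the defaults the state is gone after 300 seconds of silence, long before the first probe at 7200 seconds, while a pause shorter than the rule lifetime goes unnoticed. The last row shows that moving both values into the same range still requires the keepalive idle time to be the smaller of the two.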