Date:      Tue, 26 Aug 2003 08:48:40 -0700
From:      Sean Chittenden <sean@chittenden.org>
To:        questions@FreeBSD.org
Subject:   ipfilter per rule ttl's not working?
Message-ID:  <20030826154840.GA32088@perrin.nxad.com>

Since ipf doesn't send keep alives to refresh its connections and on
our Intranet server that gets modest www traffic, how can I run with
reasonably low/sane TTLs for most of our rules, but have a different
TTL for ssh traffic?  The documentation suggests that I can do this:

       filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
                  [ proto ] [ ip ] [ group ].
       ttl  = "ttl" decnumber .

But in practice, I think that the feature is unable to correctly
identify a valid number when it sees one.

From ipf.rules:

pass in quick on fxp1 ttl 604800 proto tcp from any to 192.168.1.0/24 port = 22 flags S keep state keep frags

# ipf -Fa -f /etc/ipf.rules
693: invalid ttl (604800)

:-/ One would think that 604800 would qualify as a decnumber.  Am I
missing something or is this a documented non-feature?

-sc

-- 
Sean Chittenden
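As an added example (not part of the thread and not ipf's own code), a small rule linter for the filter-rule grammar quoted above: it reads the `ttl decnumber` option and rejects values that cannot be a packet TTL, reproducing the diagnostic the post shows. It assumes, as ipf(5) documents, that the `ttl` option matches the IP header's 8-bit TTL field; the action keyword set and all function names are mine.

```python
import re

# Lint helper written for this example; it is not ipf's own parser.
# Structure follows the filter-rule grammar quoted in the post:
#   [ insert ] action in-out [ options ] [ tos ] [ ttl ] [ proto ] [ ip ] [ group ]
ACTIONS = {"pass", "block", "log", "count", "auth", "call", "skip"}  # ipf(5) actions
DIRECTIONS = {"in", "out"}
TTL_MAX = 255  # the ttl option matches the IP header TTL, an 8-bit field

# Constructed sample: the rule from the post (ipf.rules line 693)
RULE_FROM_POST = ("pass in quick on fxp1 ttl 604800 proto tcp "
                  "from any to 192.168.1.0/24 port = 22 flags S keep state keep frags")

def parse_ttl(rule):
    """Return the decnumber following 'ttl' in a rule, or None if no ttl option."""
    m = re.search(r"\bttl\s+(\S+)", rule)
    if m is None:
        return None
    value = m.group(1)
    if not value.isdigit():
        raise ValueError("ttl expects a decnumber, got %r" % value)
    return int(value)

def lint_rule(lineno, rule):
    """Check one rule line; return ipf-style '<line>: message' diagnostics."""
    problems = []
    tokens = rule.split()
    if not tokens or tokens[0].startswith("#"):
        return problems            # blank line or comment
    if tokens[0].startswith("@"):  # optional [ insert ] position, e.g. @5
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ACTIONS:
        problems.append("%d: unknown action" % lineno)
        return problems
    if len(tokens) < 2 or tokens[1] not in DIRECTIONS:
        problems.append("%d: expected in or out after %s" % (lineno, tokens[0]))
    try:
        ttl = parse_ttl(rule)
    except ValueError as e:
        problems.append("%d: %s" % (lineno, e))
        return problems
    if ttl is not None and not 0 <= ttl <= TTL_MAX:
        # Same wording ipf printed in the post: the value is not a packet TTL.
        problems.append("%d: invalid ttl (%d)" % (lineno, ttl))
    return problems

def lint_file(text):
    """Lint a whole ruleset; returns all diagnostics in file order."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        out.extend(lint_rule(n, line))
    return out
```

Running `lint_file` over a ruleset before `ipf -f` loads it surfaces the out-of-range `ttl` without touching the live filter.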