Date: Thu, 18 Jul 2002 13:48:33 -0700
From: Luigi Rizzo
To: Rob Ellis
Cc: net@wsf.at, Didier Rwitura, ipfw@FreeBSD.ORG
Subject: Re: disconection

On Thu, Jul 18, 2002 at 04:43:28PM -0400, Rob Ellis wrote:
> an alternative to ssh KeepAlive is to use protocol 2 with
> ClientAliveInterval and ClientAliveCountMax set. (see
> sshd man page).

the version of ipfw in -current now generates keepalives on
dynamic rules. Patches for -stable are at

http://info.iet.unipi.it/~luigi/ipfw2.stable.020715.diffs

cheers
luigi

> - rob
>
> > Regarding your original problem, there are 3 options:
> > 1) Configure ipfw to pass traffic to/from 22 without using
> > 'keep-state', replace 300 with:
> > add 00200 allow tcp from 216.254.136.110 to me ssh
> > add 00201 allow tcp from me 22 to 216.254.136.110
> > (replace '216.254...' with 'any' if you want to connect from anywhere
> > but check your version of sshd first! )
> >
> > 2) increase the lifetime of the temporary rules created by
> > 'keep-state'. See 'man ipfw', search for 'SYSCTL', see
> > 'net.inet.ip.fw.dyn_ack_lifetime'.
> >
> > 3) Configure sshd and/or your ssh-client to use keepalives.
> >
> > HTH
> >
> > Thomas
> >
> > P.S.: Please don't top-post, it makes it much more difficult
> > to follow the thread.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
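Added example, not part of the original message or of ipfw/sshd: a small check that ties options 2 and 3 together by confirming the global ClientAliveInterval in an sshd_config is shorter than the keep-state lifetime, so the keepalive refreshes the dynamic rule before it expires. The function names, the sample config and the lifetime value of 300 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed); function names are hypothetical.

# first_value FILE KEYWORD: print the first global value of KEYWORD.
# sshd uses the first value it reads, keywords are case-insensitive,
# "Keyword=value" is accepted, and the global section ends at the
# first Match block.
first_value() {
    awk -v key="$2" -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }            # drop indentation, re-split fields
        /^#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }   # per-user overrides are not global
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# keepalive_verdict FILE LIFETIME_SECONDS
# Prints: disabled | unparsed | ok | too-slow
keepalive_verdict() {
    interval=$(first_value "$1" ClientAliveInterval)
    case "$interval" in
        ''|0)     echo disabled ;;        # unset or 0: sshd sends no keepalives
        *[!0-9]*) echo unparsed ;;        # e.g. "5m": not plain seconds
        *)  if [ "$interval" -lt "$2" ]; then
                echo ok                   # keepalive arrives before the rule expires
            else
                echo too-slow             # dynamic rule expires first
            fi ;;
    esac
}

# Constructed sample config; 300 is an assumed lifetime value.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'Protocol 2' \
    'ClientAliveInterval 60' 'ClientAliveCountMax 3' > "$demo"
keepalive_verdict "$demo" 300
rm -f "$demo"
```

On the firewall host itself, pass the live value instead of the assumed one: `keepalive_verdict /etc/ssh/sshd_config "$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime)"`.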