Date:      Mon, 31 Jul 2000 12:50:23 -0600 (MDT)
From:      "Aaron D. Gifford" <agifford@infowest.com>
To:        security@freebsd.org
Subject:   RE:  log with dynamic firewall rules
Message-ID:  <20000731185023.B214E210AF@ns1.infowest.com>


Regarding the mention of the various sysctl timeouts on dynamic rules,
I posted a patch to this list a week or two ago that added the ability
for an individual rule to override the default sysctl dynamic rule
lifetime on a rule-by-rule basis.  It works great.  I just do:

  ipfw add 90 permit tcp from ${myip} to any 22 out setup keep-state lifetime 86400

The "lifetime 86400" extends the timeout for ONLY this rule past the
default 5 minutes (300 seconds) that the sysctl variable uses to a full
day.  That gets rid of the annoying problems of frozen sessions because
I left it idle too long while still keeping the shorter default for
things like HTTP sessions where the default 300 seconds is plenty and
I really wouldn't want it increased.

Will the next version of ipfirewall have the ability to adjust timeouts
on a rule-by-rule basis?  The 5-day timeout is fine and all for most
folks, but I would love the ability to shorten things on a case-by-case
basis where I know the TCP session in question should not be idle
that long.

Aaron out.
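The per-rule override described in the message above, as an added example that is not part of the original post: a POSIX sh script that builds stateful ipfw rules in the poster's style and reports the idle timeout each rule's dynamic entries would get. It assumes the poster's patched ipfw (which accepts a trailing "lifetime <seconds>" on keep-state rules, not something stock ipfw of that era had), a fixed global default of 300 s standing in for the sysctl value, and a placeholder address in place of ${myip}.

```sh
#!/bin/sh
# Added example, not code from the original message or from FreeBSD.
# "lifetime N" is the poster's patch syntax; stock ipfw only had the
# global sysctl timeouts for dynamic rules.

# Global default for established dynamic entries; the post cites 300 s.
# A real system would read the sysctl, but a fixed value keeps this
# runnable on a machine without ipfw.
DYN_ACK_LIFETIME=300

# dyn_lifetime "<ipfw rule text>": print the idle timeout a dynamic entry
# created by that rule would get, i.e. the per-rule override if the rule
# carries one, otherwise the global default.
dyn_lifetime() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "lifetime" ] && [ -n "$2" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    printf '%s\n' "$DYN_ACK_LIFETIME"
}

# keep_state_rule NUM PROTO SRC DSTPORT [LIFETIME]: emit one outbound
# stateful rule, appending the override only when a lifetime is given.
keep_state_rule() {
    rule="add $1 permit $2 from $3 to any $4 out setup keep-state"
    if [ -n "$5" ]; then
        rule="$rule lifetime $5"
    fi
    printf '%s\n' "$rule"
}

# Constructed ruleset: a long-lived SSH session (one day) beside an HTTP
# rule that keeps the short global default, as the post recommends.
myip=192.0.2.10   # placeholder address (RFC 5737 documentation range)
ssh_rule=$(keep_state_rule 90 tcp "$myip" 22 86400)
http_rule=$(keep_state_rule 100 tcp "$myip" 80)
```

Piping the emitted rules into `ipfw` would only work on a kernel with the poster's patch; on stock ipfw the trailing keyword is a syntax error, which is a quick way to tell whether the override is supported.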





