From owner-freebsd-security Mon Jul 31 11:50:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.infowest.com (ns1.infowest.com [204.17.177.10]) by hub.freebsd.org (Postfix) with ESMTP id 7952137B50F for ; Mon, 31 Jul 2000 11:50:26 -0700 (PDT) (envelope-from root@infowest.com)
Received: by ns1.infowest.com (Postfix, from userid 0) id B214E210AF; Mon, 31 Jul 2000 12:50:23 -0600 (MDT)
To: security@freebsd.org
Subject: RE: log with dynamic firewall rules
Reply-To:
From: "Aaron D. Gifford"
Message-Id: <20000731185023.B214E210AF@ns1.infowest.com>
Date: Mon, 31 Jul 2000 12:50:23 -0600 (MDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Regarding the mention of the various sysctl timeouts on dynamic rules, I posted a patch to this list a week or two ago that added the ability for an individual rule to override the default sysctl dynamic rule lifetime on a rule-by-rule basis. It works great. I just do:

    ipfw add 90 permit tcp from ${myip} to any 22 out setup keep-state lifetime 86400

The "lifetime 86400" extends the timeout for ONLY this rule past the default 5 minutes (300 seconds) that the sysctl variable uses to a full day. That gets rid of the annoying problems of frozen sessions because I left it idle too long, while still keeping the shorter default for things like HTTP sessions where the default 300 seconds is plenty and I really wouldn't want it increased.

Will the next version of ipfirewall have the ability to adjust timeouts on a rule-by-rule basis? The 5-day timeout is fine and all for most folks, but I would love the ability to shorten things on a case-by-case basis where I know the TCP session in question should not be idle that long.

Aaron out.
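The behaviour the post describes, as an added model that is not FreeBSD or ipfw code: a dynamic (keep-state) table whose entries expire after an idle period taken from a global default (the 300-second figure from the message, standing in for the sysctl) unless the originating rule carries its own lifetime, as the patched rule 90 does. Rule numbers, flows and the class layout are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Global idle timeout for established TCP state, playing the role of the
# sysctl default the post refers to (300 seconds).
DEFAULT_ACK_LIFETIME = 300

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport), constructed key

@dataclass
class StaticRule:
    number: int
    dst_port: int
    lifetime: Optional[int] = None  # per-rule override from the patch; None = use default

@dataclass
class DynEntry:
    rule: StaticRule
    last_seen: float  # time of the last packet that matched this entry

    def expires_at(self) -> float:
        lifetime = self.rule.lifetime if self.rule.lifetime is not None else DEFAULT_ACK_LIFETIME
        return self.last_seen + lifetime

class DynTable:
    """Minimal keep-state table: entries are created by a matching static rule,
    refreshed by traffic, and dropped once idle longer than their lifetime."""
    def __init__(self) -> None:
        self.entries: Dict[Flow, DynEntry] = {}

    def keep_state(self, rule: StaticRule, flow: Flow, now: float) -> None:
        self.entries[flow] = DynEntry(rule, now)

    def match(self, flow: Flow, now: float) -> bool:
        entry = self.entries.get(flow)
        if entry is None or now >= entry.expires_at():
            self.entries.pop(flow, None)  # expired state is removed, packet falls through
            return False
        entry.last_seen = now  # matching traffic refreshes the entry's idle timer
        return True

def demo() -> Dict[str, bool]:
    ssh = StaticRule(90, 22, lifetime=86400)   # "keep-state lifetime 86400" from the post
    http = StaticRule(100, 80)                 # plain keep-state, inherits the 300 s default
    table = DynTable()
    ssh_flow: Flow = ("10.0.0.2", 40000, "192.0.2.10", 22)
    http_flow: Flow = ("10.0.0.2", 40001, "192.0.2.20", 80)
    table.keep_state(ssh, ssh_flow, now=0)
    table.keep_state(http, http_flow, now=0)
    return {
        "ssh_after_1h": table.match(ssh_flow, now=3600),    # idle 1 h < 86400 s: kept
        "http_after_1h": table.match(http_flow, now=3600),  # idle 1 h > 300 s: dropped
        "ssh_after_2d": table.match(ssh_flow, now=3600 + 2 * 86400),  # idle 2 d: dropped
    }
```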