FreeBSD Router Problem

Peter Jeremy peterjeremy at optushome.com.au
Fri Mar 27 12:50:43 PDT 2009


On 2009-Mar-26 11:02:55 -0500, Pierre Lamy <pierre at userid.org> wrote:
>A 1 day default timeout for established connections is retarded, since 
>virtually all client apps and OSs as well as intervening stateful 
>firewalls will lose state after 1 hour.

With respect, this is nonsense.  An app or OS should never "lose state"
for an established TCP connection - if it does, it is broken.  Note that
the default TCP keepalive interval (in many OSs, not just FreeBSD) is
2 hours.

Firewalls are a different case - far more variable and far more often
tweaked to suit the owner.  IPFW2 defaults to 4096 dynamic rules and
defaults to a 5 minute timeout (it also supports its own keepalive
generation).  IPfilter defaults to a 120 hour timeout.  Our corporate
firewall at $work times out after about a minute.  Again - none of
these match your '1 hour' statement.

> A session which is idle for more 
>than an hour can't be considered to be active.

This depends on what you consider active.  I manage one firewall-like
device at work where access to services through the device is
controlled by the presence of a specific TCP connection (i.e., the user
sets up a TCP connection to an app on the box and that app then allows
that user to have access to other services mediated by that box whilst
that connection remains established).  In this case, once the initial
authentication phase is complete, the control connection never carries
any further application-level data but its continued presence is
required (and monitored via TCP-level keepalives).

-- 
Peter Jeremy
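Added example (not part of the message above, nor FreeBSD's own code): a small Python helper showing how an application that relies on a long-idle control connection, as described in the last paragraph, can keep the intervening firewall state alive with TCP-level keepalives. The firewall timeouts quoted in the message (IPFW2's 5-minute dynamic-rule lifetime, the corporate firewall's roughly 1 minute) and the 2-hour OS keepalive default are used as inputs; the per-socket option names (SO_KEEPALIVE, TCP_KEEPIDLE / TCP_KEEPALIVE, TCP_KEEPINTVL, TCP_KEEPCNT) are the standard kernel socket options, not something the message names. The helper names (keepalive_params, enable_keepalive, control_socket_for) are this example's own.

```python
import socket

# Keepalive default quoted in the message: many OSs wait 2 hours before the
# first probe, far longer than the 1 to 5 minute dynamic-rule lifetimes of
# the firewalls named in the message.
OS_DEFAULT_KEEPIDLE_S = 7200

# Firewall idle timeouts taken from the message (assumed as inputs here).
IPFW_DYN_TIMEOUT_S = 300   # IPFW2 dynamic rule default, 5 minutes
CORP_FW_TIMEOUT_S = 60     # "about a minute" at $work


def keepalive_params(fw_idle_timeout_s, probes=3):
    """Choose per-socket keepalive timers so that a stateful firewall which
    drops a flow after fw_idle_timeout_s seconds of silence always sees a
    packet first.  Returns (keepidle, keepintvl, keepcnt), times in seconds.

    keepidle  - idle time before the first probe; must be < firewall timeout
    keepintvl - spacing between unanswered probes; also < firewall timeout
    keepcnt   - unanswered probes before the kernel declares the peer dead
    """
    if fw_idle_timeout_s < 2:
        raise ValueError("firewall timeout too short to keep a flow alive")
    keepidle = fw_idle_timeout_s // 2
    keepintvl = max(1, keepidle // probes)
    return keepidle, keepintvl, probes


def dead_peer_detect_time(keepidle, keepintvl, keepcnt):
    """Worst-case seconds before an unreachable peer is noticed (a side
    effect of keepalives the message mentions: the control connection is
    'monitored' as well as kept alive)."""
    return keepidle + keepintvl * keepcnt


def enable_keepalive(sock, keepidle, keepintvl, keepcnt):
    """Turn on TCP keepalive on sock and apply the timers.  The option name
    for the idle timer differs per OS: TCP_KEEPIDLE on FreeBSD and Linux,
    TCP_KEEPALIVE on macOS.  Returns what the kernel reports back via
    getsockopt so the caller can confirm the settings actually took effect;
    a timer the platform does not expose per-socket is reported as None."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = (getattr(socket, "TCP_KEEPIDLE", None)
                or getattr(socket, "TCP_KEEPALIVE", None))
    applied = {"keepalive": sock.getsockopt(socket.SOL_SOCKET,
                                            socket.SO_KEEPALIVE)}
    timers = (
        ("keepidle", idle_opt, keepidle),
        ("keepintvl", getattr(socket, "TCP_KEEPINTVL", None), keepintvl),
        ("keepcnt", getattr(socket, "TCP_KEEPCNT", None), keepcnt),
    )
    for name, opt, value in timers:
        if opt is None:
            applied[name] = None
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def control_socket_for(fw_idle_timeout_s):
    """Build an (unconnected) TCP socket tuned for a long-lived control
    connection behind a firewall with the given idle timeout.  The options
    are set before connect() so they are in force from the first byte."""
    params = keepalive_params(fw_idle_timeout_s)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    applied = enable_keepalive(sock, *params)
    return sock, applied


if __name__ == "__main__":
    for label, timeout in (("IPFW2 dynamic rule", IPFW_DYN_TIMEOUT_S),
                           ("corporate firewall", CORP_FW_TIMEOUT_S)):
        idle, intvl, cnt = keepalive_params(timeout)
        sock, applied = control_socket_for(timeout)
        print("%s (%ds): first probe after %ds, then every %ds x%d; "
              "dead peer noticed within %ds; kernel reports %r"
              % (label, timeout, idle, intvl, cnt,
                 dead_peer_detect_time(idle, intvl, cnt), applied))
        sock.close()
```

With the OS default left alone, the first probe would go out at 7200 s, long after either firewall has forgotten the flow; halving the firewall timeout for the idle timer and spacing the retries inside it keeps state on every box in the path and still reports a dead peer within one firewall timeout. The sysctl-level defaults (the 2-hour idle timer, IPFW2's dynamic-rule lifetimes) can of course be changed system-wide instead, but per-socket options let one application protect its control connection without touching every other flow on the host.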