Subject: RE: log with dynamic firewall rules
From: Aaron D. Gifford (agifford at infowest.com)
Date: Mon Jul 31 2000 - 13:50:23 CDT
- Next message: Nick Evans: "RE: ipf or ipfw (was: log with dynamic firewall rules)"
- Previous message: Bengt Richter: "Re: ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Regarding the mention of the various sysctl timeouts on dynamic rules,
I posted a patch to this list a week or two ago that added the ability
for an individual rule to override the default sysctl dynamic rule
lifetime on a rule-by-rule basis. It works great. I just do:
ipfw add 90 permit tcp from ${myip} to any 22 out setup keep-state lifetime 86400
The "lifetime 86400" extends the timeout for ONLY this rule past the
default 5 minutes (300 seconds) that the sysctl variable uses to a full
day. That gets rid of the annoying problems of frozen sessions because
I left it idle too long while still keeping the shorter default for
things like HTTP sessions where the default 300 seconds is plenty and
I really wouldn't want it increased.
Will the next version of ipfirewall have the ability to adjust timeouts
on a rule-by-rule basis? The 5-day timeout is fine and all for most
folks, but I would love the ability to shorten things on a case-by-case
basis where I know the TCP session in question should not be idle
that long.
Aaron out.
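As an added illustration of the policy described in the post (short default dynamic-rule lifetime for HTTP, a longer one only for the SSH rule), this is a small rule generator; it is example code, not Aaron's patch or a FreeBSD tool. The address, rule numbers and the one-day cap are constructed placeholders, and the "lifetime" keyword is assumed to come from the patched ipfw mentioned above.

```shell
#!/bin/sh
# Added example: emit an ipfw ruleset that leaves most keep-state rules on the
# sysctl default timeout and appends the patched "lifetime" keyword only where
# a longer idle time is wanted. Values below are constructed placeholders.

MYIP="${MYIP:-192.0.2.10}"   # placeholder source address (RFC 5737 range)
MAX_LIFETIME=86400           # policy cap: no rule may keep idle state past one day

# build_rule NUM PORT [LIFETIME]
# Prints one outbound keep-state rule. When LIFETIME (seconds) is omitted the
# rule falls back to the sysctl default; when given it is checked against the cap.
build_rule() {
    num=$1; port=$2; life=${3:-}
    rule="add $num permit tcp from $MYIP to any $port out setup keep-state"
    if [ -n "$life" ]; then
        if [ "$life" -gt "$MAX_LIFETIME" ] 2>/dev/null; then
            echo "lifetime $life on port $port exceeds cap $MAX_LIFETIME" >&2
            return 1
        fi
        rule="$rule lifetime $life"
    fi
    echo "$rule"
}

# ruleset prints the full list: check-state first so reply packets are matched
# against existing dynamic entries, then one rule per service, then a catch-all.
ruleset() {
    echo "add 10 check-state"
    build_rule 90 22 86400 || return 1   # SSH: survive a day of idling
    build_rule 100 80 || return 1        # HTTP: the default 300 s is plenty
    build_rule 110 443 || return 1       # HTTPS: same as HTTP
    echo "add 65000 deny ip from any to any"
}

ruleset
```

Redirect the output to a file and load it with `ipfw <file>` after reviewing it; a lifetime above the cap makes the script fail instead of emitting a rule.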