> > it's interesting to note that in src/sys/netinet/ip_state.c, there is
> > a line that says
> >
> > #define FIVE_DAYS       (2 * 5 * 86400) /* 5 days: half closed session */
> >
> > although 2 * 5 * 86400 is clearly ten days.  anyway, you can find the
> > rest of the default timesouts in that file.

ip_nat.c::natexpire() makes it clear that these are in 2Hz ticks, so 5
days is indeed correct.

> >
> SO LONG timeouts?!

*any* idle timeout in a NAT may result in spuriously dropped
connections.

						- Bill