Current-Users archive


Re: IPF 4.1.29 problems

On Mon, Oct 20, 2008 at 02:44:08PM +0300, Martti Kuparinen wrote:
> Hi,
> I'm having weird problems on NetBSD 4.99.x where my TCP-sessions simply 
> stop working without anything in the logs.  After checking the state table, 
> it appears that the state entry is removed from the kernel so this explains 
> why session dies. The working TCP session seems to have a 120 hrs time-out 
> but my sessions die sometimes even after 10 minutes.
> Anyone else having problems with IPF?

Yes, I've also noticed this. Some states are not removed when they should be
(the connection is properly terminated, e.g. http connections),
some are timed out way too fast.
My workaround is to use the 'age' keyword, with different timeouts for
ssh and others:
map pppoe0 from to any port = 22 -> portmap tcp/udp 10000:40000 age 7300 mssclamp 1452
map pppoe0 -> portmap tcp/udp 10000:40000 age 900 mssclamp 1452

Manuel Bouyer, LIP6, Universite Paris VI.  
     NetBSD: 26 years of experience will always make the difference
