Subject: Re: ipf and state timeout
To: Emmanuel Dreyfus <firstname.lastname@example.org>
From: Andrew Brown <email@example.com>
Date: 10/30/2001 16:03:08
>> > >From /sys/netinet/ip_state.c, I ca nsee that the default timeout for
>> > entries in the state table is 5 days. This souns incredibly long to me.
>> > Is there any drawback to lower this? Why has it been chosen so long?
>> What's the longest a telnet/ssh/rlogin window has been open but idle on
>> your desktop ?
>Ok, I understand better.
>Are the entry properly removed when the connection is finished? The
>table seems to be stabilized with about 19000 entries (no typo), and it
>seems quite big to me.
if you look at the output of ipnat -lv, you can see the "age" of the
entry which gradually counts down to zero. when a tcp connection is
closed down (the fin/finack/ack exchange is completed), the "age" for
a tcp entry in the nat table is dropped to five minutes. it is not
removed entirely due to the 2msl timeout required by tcp before a
given connection can be reused. after the five minutes expires, the
entry is removed completely.
|-----< "CODE WARRIOR" >-----|
firstname.lastname@example.org * "ah! i see you have the internet
email@example.com (Andrew Brown) that goes *ping*!"
firstname.lastname@example.org * "information is power -- share the wealth."