Subject: Re: ipf and state timeout
To: Emmanuel Dreyfus <>
From: Andrew Brown <>
List: tech-net
Date: 10/30/2001 16:03:08
>> > From /sys/netinet/ip_state.c, I can see that the default timeout for
>> > entries in the state table is 5 days. This sounds incredibly long to me.
>> > Is there any drawback to lowering this? Why has it been chosen so long?
>> What's the longest a telnet/ssh/rlogin window has been open but idle on
>> your desktop?
>Ok, I understand better.
>Are the entries properly removed when the connection is finished? The
>table seems to have stabilized at about 19000 entries (no typo), and it
>seems quite big to me.

if you look at the output of ipnat -lv, you can see the "age" of the
entry which gradually counts down to zero.  when a tcp connection is
closed down (the fin/finack/ack exchange is completed), the "age" for
a tcp entry in the nat table is dropped to five minutes.  it is not
removed entirely due to the 2msl timeout required by tcp before a
given connection can be reused.  after the five minutes expires, the
entry is removed completely.

|-----< "CODE WARRIOR" >-----|
(Andrew Brown)
* "ah!  i see you have the internet that goes *ping*!"
* "information is power -- share the wealth."