Re: IPfilter NAT and stalled TCP connexions

To: Emmanuel Dreyfus <manu%netbsd.org@localhost>
Subject: Re: IPfilter NAT and stalled TCP connexions
From: Chuck Swiger <cswiger%mac.com@localhost>
Date: Fri, 26 Mar 2010 07:31:14 -0700

On Mar 26, 2010, at 7:01 AM, Emmanuel Dreyfus wrote:
> A[s] I understand, 1 minute is the default on NetBSD.
> 
> src/sys/dist/ipf/netinet/ip_nat.c:
>        fr_defnatipage = 120,           /* 60 seconds */

Unless NetBSD has "sysctl net.inet.ip.ttl" set to less than 60, that low of a 
timeout can be expected to be too short.  In fact, I'd suggest that setting NAT 
timeouts to a minimum of least 5 minutes due to:

% grep -i MAXTTL /usr/include/netinet/ip.h
#define MAXTTL          255             /* maximum time to live (seconds) */

...to avoid making assumptions about which platforms are involved.  And if you 
want TCP keepalives to work for things like idle SSH connections, one should 
consider adjusting the default timeout for NAT to something greater than 
"sysctl net.inet.tcp.keepidle".

Regards,
-- 
-Chuck

Follow-Ups:
- Re: IPfilter NAT and stalled TCP connexions
  - From: Michael Graff

References:
- IPfilter NAT and stalled TCP connexions
  - From: Emmanuel Dreyfus
- Re: IPfilter NAT and stalled TCP connexions
  - From: Greg Troxel
- Re: IPfilter NAT and stalled TCP connexions
  - From: Steven Bellovin
- Re: IPfilter NAT and stalled TCP connexions
  - From: Emmanuel Dreyfus

Prev by Date: Re: IPfilter NAT and stalled TCP connexions
Next by Date: Re: IPfilter NAT and stalled TCP connexions
Previous by Thread: Re: IPfilter NAT and stalled TCP connexions
Next by Thread: Re: IPfilter NAT and stalled TCP connexions
Indexes:

Home | Main Index | Thread Index | Old Index