tech-net archive
Re: IPfilter NAT and stalled TCP connexions
On 30 Mar 2010, at 00:00, Michael Graff wrote:
On 3/26/10 9:31 AM, Chuck Swiger wrote:
>> Unless NetBSD has "sysctl net.inet.ip.ttl" set to less than 60, that low of
>> a timeout can be expected to be too short. In fact, I'd suggest
>> setting NAT timeouts to a minimum of at least 5 minutes due to:
>
> I don't think that sysctl is really a "time to live" in seconds as much
> as the badly named IP header TTL value, which is decremented on each
> forward through a router. It's loop prevention not NAT related.
It wasn't badly named when it was named, and the field wasn't just
for loop protection. Originally routers were required to decrement
the ttl by 1 for each second they held a packet, rounded up, with
the purpose being to protect TCP against (theoretical) corruption
from very-late-arriving segments. It was only later (RFC 1812) that
this behaviour was made optional, given that almost no routers had
implemented the time-based decrement and no TCP problems had ever been
observed in practice.
It is true, however, that this value has nothing to do with NAT.
Dennis Ferguson
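The two TTL semantics discussed in this thread, as an added illustration that is not part of the original message: the original IP rule (decrement by the whole seconds a router held the packet, rounded up, and by at least 1 even when it was forwarded immediately) beside the later hop-count-only behaviour. The path, the per-router hold times and the hop names are constructed for the example; the same packet survives under hop counting but is destroyed under the time-based rule when one router queues it for a long time.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    """One router on the path. hold_seconds is a constructed queueing delay."""
    name: str
    hold_seconds: float


def ttl_decrement(hold_seconds: float, time_based: bool) -> int:
    """Amount one router subtracts from the TTL when forwarding.

    time_based=True  : original IP semantics, one per second held (rounded
                       up), and never less than one per hop.
    time_based=False : later hop-count semantics, always exactly one.
    """
    if not time_based:
        return 1
    return max(1, math.ceil(hold_seconds))


def forward(initial_ttl: int, path: List[Hop],
            time_based: bool) -> Tuple[bool, int, Optional[str]]:
    """Walk the packet along the path, applying the chosen decrement rule.

    Returns (delivered, remaining_ttl, dropped_at). A packet whose TTL
    reaches zero at a router is destroyed there instead of being forwarded.
    """
    ttl = initial_ttl
    for hop in path:
        ttl -= ttl_decrement(hop.hold_seconds, time_based)
        if ttl <= 0:
            return False, 0, hop.name
    return True, ttl, None


# Constructed path: three fast routers and one that holds the packet for
# 30 seconds (a very-late-arriving segment in the sense of the message).
PATH = [
    Hop("r1", 0.01),
    Hop("r2", 2.5),
    Hop("r3", 0.2),
    Hop("r4", 30.0),
]


if __name__ == "__main__":
    for rule in (True, False):
        label = "time-based" if rule else "hop-count"
        print(label, forward(10, PATH, time_based=rule))
```

Under the time-based rule the 30-second hold at r4 alone costs 30 units of TTL, so a packet sent with TTL 10 is destroyed there; under hop counting the same packet arrives with TTL 6. Neither rule has any bearing on how long a NAT keeps a mapping alive, which is what the message is pointing out.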