From luigi@info.iet.unipi.it  Thu Jul  5 04:56:44 2001
Return-Path: <luigi@info.iet.unipi.it>
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184])
	by hub.freebsd.org (Postfix) with ESMTP id 16D5837B403
	for <FreeBSD-gnats-submit@FreeBSD.ORG>; Thu,  5 Jul 2001 04:56:43 -0700 (PDT)
	(envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost)
	by info.iet.unipi.it (8.9.3/8.9.3) id NAA67499;
	Thu, 5 Jul 2001 13:51:17 +0200 (CEST)
	(envelope-from luigi)
Message-Id: <200107051151.NAA67499@info.iet.unipi.it>
Date: Thu, 5 Jul 2001 13:51:17 +0200 (CEST)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: Aaron Gifford <agifford@infowest.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
In-Reply-To: <20010705063619.A9A31210EC@ns1.infowest.com> from Aaron Gifford
 at "Jul 5, 2001 00:36:19 am"
Subject: Re: NEW IPFW FEATURE [PATCHES]: Dynamic rule expiration lifetime fine-grained
 control

>Number:         28718
>Category:       kern
>Synopsis:       Re: NEW IPFW FEATURE [PATCHES]: Dynamic rule expiration lifetime fine-grained
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 05 05:00:05 PDT 2001
>Closed-Date:    Sun Jul 22 08:02:00 PDT 2001
>Last-Modified:  Sun Jul 22 08:02:21 PDT 2001
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 >   When using stateful ipfw rules, the dynamic rule expiration times
 >   are governed by the values of the net.inet.ip.fw.dyn_*_lifetime
 >   variables.  This is an excellent attribute of the ipfw stateful
 
 It is actually just half of what is needed. In addition to the
 'lifetime', and to avoid early expiration for idle sessions, you'd
 need someone (maybe the firewall) to send around keepalives to
 probe the session.
 
 Your patch slightly improves the situation, but does not radically
 change it or solve the problem. You still need the firewall
 administrator to do a special configuration for your session, pick
 a timeout value (and what do you pick? anything less than 24hrs
 is maybe not that significant for a session that you might forget
 idle and you want to find active the day after), and you need
 additional firewall rules to override the default for the specific
 sessions.
 
 This is why i do not consider this patch that urgent and i am not so
 inclined to commit it.
 
 In cases like this, i'd rather suggest a better approach which is
 to raise the default to something larger (like 1-2hr) and set the
 keepalive interval on your client to a value that is shorter than
 the expire interval.
 
 The reason why a large timeout is not so problematic is that as soon
 as the firewall sees a FIN or a RST on one side, it reverts to
 using a much shorter timeout so in most cases, a regular or abortive
 shutdown of the connection will result in a quick expire of the rule.
 
 	cheers
 	luigi
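
The firewall-lifetime versus client-keepalive relationship recommended in the reply above, as an added shell example that is not part of the PR, of Aaron's patch or of ipfw itself; it assumes FreeBSD's units (ipfw dyn_*_lifetime in seconds, net.inet.tcp.keepidle and keepintvl in milliseconds) and works on constructed sysctl output rather than a live host.

```shell
#!/bin/sh
# Added example, not code from the PR or from ipfw: checks whether a client's TCP
# keepalive will refresh an ipfw dynamic rule before the firewall's
# net.inet.ip.fw.dyn_ack_lifetime expires (the relationship the reply recommends).
# Assumed FreeBSD units: dyn_*_lifetime in seconds, tcp.keepidle/keepintvl in ms.

# Constructed sample `sysctl` output for a firewall and a client (not real hosts;
# on a live system substitute "$(sysctl net.inet.ip.fw net.inet.tcp)").
FIREWALL_SYSCTL="net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_fin_lifetime: 1"
CLIENT_SYSCTL="net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.tcp.always_keepalive: 1"

# sysctl_val NAME TEXT -> value of NAME from "name: value" lines in TEXT
sysctl_val() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == (n ":") { print $2; exit }'
}

# keepalive_fits LIFETIME_S KEEPIDLE_MS KEEPINTVL_MS
# Succeeds when the first probe, or its retransmit after one lost probe, lands
# before the rule expires (the probe and its ACK both refresh the rule).
keepalive_fits() {
    [ $(( $2 + $3 )) -lt $(( $1 * 1000 )) ]
}

# min_lifetime KEEPIDLE_MS KEEPINTVL_MS -> smallest dyn_ack_lifetime (s) that fits
min_lifetime() {
    echo $(( ($1 + $2) / 1000 + 1 ))
}

# Commands an administrator would run on each side; printed here, not executed.
firewall_cmd() { echo "sysctl net.inet.ip.fw.dyn_ack_lifetime=$1"; }
client_cmd()   { echo "sysctl net.inet.tcp.keepidle=$1 net.inet.tcp.always_keepalive=1"; }

check_pair() {
    life=$(sysctl_val net.inet.ip.fw.dyn_ack_lifetime "$FIREWALL_SYSCTL")
    idle=$(sysctl_val net.inet.tcp.keepidle "$CLIENT_SYSCTL")
    intvl=$(sysctl_val net.inet.tcp.keepintvl "$CLIENT_SYSCTL")
    if keepalive_fits "$life" "$idle" "$intvl"; then
        echo "ok: probe after ${idle}ms refreshes rule before ${life}s"
    else
        echo "mismatch: rule expires after ${life}s, first probe only after ${idle}ms"
        echo "  raise firewall: $(firewall_cmd "$(min_lifetime "$idle" "$intvl")")"
        echo "  or lower client: $(client_cmd $(( life * 1000 / 2 )))"
    fi
}
check_pair
```

With the sample values the check reports a mismatch even at a 2-hour firewall lifetime, because the stock keepidle is also 2 hours; the client side has to be shorter than the expire interval, as the reply says.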
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: dd 
Responsible-Changed-When: Fri Jul 6 06:19:15 PDT 2001 
Responsible-Changed-Why:  
misfiled 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28718 
State-Changed-From-To: open->closed 
State-Changed-By: dd 
State-Changed-When: Sun Jul 22 08:02:00 PDT 2001 
State-Changed-Why:  
followup to another pr 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28718 
>Unformatted:
  control
