 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: known issues with 1.2b3
 Date:  Fri, 04 Feb 2005 04:09:10 -0500
Manuel Kasper wrote:

> I can't comment about the other issues, but here's something:
> On 04.02.2005 03:36 -0500, Jesse Guardiani wrote:
>> 3.) TCP/IP connection drops
>>         My SSH connections die after about 2 hours
>>         under 1.2b3. I don't think this used to happen
>>         under 1.11. Someone else confirmed that this
>>         happens to them too. The connection isn't
>>         denied. It seems like it times out.
> That's because as of 1.2b2, the TCP idle timeout for the firewall is
> 2.5 hours instead of the ipfilter default of 10 days (!) to keep the
> state table from filling up with dead connections. This value can be
> modified on the advanced setup page, though it is not recommended to
> do that. So of course if your SSH connection doesn't transfer a
> single byte for two hours, the ipfilter state table entry is deleted
> and the connection breaks. Try turning on keep-alive in your SSH
> client.
> BTW, some commercial firewalls come with a default timeout of 5
> minutes!

OK. Fair enough. I just read the sshd_config man page, and while
TCPKeepAlive is on by default, ClientAliveInterval is 0 by default,
meaning that no keep alives will be sent. I must have missed that
before. I thought they were already on by default. Scratch #3.


Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
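The exchange above turns on two different kinds of keepalive. TCPKeepAlive in sshd_config lets the kernel send TCP keepalive probes, but when they start is an OS setting (commonly after two hours idle), not something sshd controls. ClientAliveInterval (sshd_config, server side) and ServerAliveInterval (ssh_config, client side) make OpenSSH itself send a protocol-level message every N seconds, which is what refreshes a stateful firewall's TCP state entry on a schedule you choose. The script below is an added example, not code from this thread, from m0n0wall or from OpenSSH: it parses constructed sshd_config and ssh_config excerpts, reads the effective keepalive interval (0 when unset, as Jesse found), and reports whether that interval is shorter than a firewall idle timeout. The 9000 s default is an assumption taken from the 2.5 h figure in the thread; the 300 s run mirrors the 5-minute commercial-firewall timeout Manuel mentions. The parser handles only the "Keyword value" form (no "Keyword=value", no Match blocks).

```shell
#!/bin/sh
# Added example, not from the m0n0wall list thread or the m0n0wall/OpenSSH
# projects. Checks whether an OpenSSH config sends protocol-level keepalives
# often enough to refresh a stateful firewall's TCP state entry before the
# firewall's idle timeout expires.
# Assumptions: the 9000 s default below is the 2.5 h timeout described in the
# thread; the config excerpts are constructed for this demo; the parser handles
# the "Keyword value" form only (no "Keyword=value", no Match blocks).

# Constructed sshd_config excerpt matching the thread: TCPKeepAlive is on, but
# ClientAliveInterval is commented out, so the 0 default applies and sshd
# sends no SSH-level keepalives.
SSHD_CONFIG_BEFORE='# constructed sshd_config
Port 22
TCPKeepAlive yes
#ClientAliveInterval 0
ClientAliveCountMax 3
'

# Constructed hardened variant: one keepalive every 5 minutes; a session is
# dropped after three unanswered probes (about 15 minutes of a dead peer).
SSHD_CONFIG_AFTER='# constructed sshd_config
Port 22
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 3
'

# Constructed client-side equivalent (ssh_config), as suggested in the thread.
SSH_CONFIG_CLIENT='# constructed ~/.ssh/config
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
'

# config_value CONFIG_TEXT KEYWORD DEFAULT
# Print the first value set for KEYWORD (keywords are case-insensitive, the
# first occurrence wins, comment lines are skipped), or DEFAULT when unset.
config_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v key="$key" -v def="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# keepalive_verdict CONFIG_TEXT KEYWORD [FIREWALL_TIMEOUT_SECONDS]
# Print one word:
#   none      - interval is 0: no keepalives, the state entry ages out
#   too-slow  - interval is not shorter than the firewall idle timeout
#   ok        - a keepalive refreshes the state entry before it expires
keepalive_verdict() {
    interval=$(config_value "$1" "$2" 0)
    timeout=${3:-9000}   # assumption: m0n0wall 1.2b2+ TCP idle timeout (2.5 h)
    case $interval in
        ''|*[!0-9]*) interval=0 ;;   # treat unparsable values as "no keepalive"
    esac
    if [ "$interval" -le 0 ]; then
        echo none
    elif [ "$interval" -ge "$timeout" ]; then
        echo too-slow
    else
        echo ok
    fi
}

# Demo run: the thread's configuration versus the two fixes.
echo "sshd before: $(keepalive_verdict "$SSHD_CONFIG_BEFORE" ClientAliveInterval)"
echo "sshd after:  $(keepalive_verdict "$SSHD_CONFIG_AFTER"  ClientAliveInterval)"
echo "ssh client:  $(keepalive_verdict "$SSH_CONFIG_CLIENT"  ServerAliveInterval)"
# Against a 5-minute firewall timeout, a 300 s interval is no longer enough,
# because a probe must arrive strictly before the entry expires.
echo "sshd after, 300 s firewall: $(keepalive_verdict "$SSHD_CONFIG_AFTER" ClientAliveInterval 300)"
```

The strict "interval shorter than timeout" check is deliberate: a keepalive that lands exactly at the timeout, or one lost on the wire, leaves the entry to expire, so in practice pick an interval a small fraction of the firewall's timeout rather than just under it.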