On Sun, 6 Feb 2005, Fred Wright wrote:
> On Fri, 4 Feb 2005, Jesse Guardiani wrote:
> > Manuel Kasper wrote:
> > > I can't comment about the other issues, but here's something:
> > >
> > > On 04.02.2005 03:36 -0500, Jesse Guardiani wrote:
> > >
> > >> 3.) TCP/IP connection drops
> > >> My SSH connections die after about 2 hours
> > >> under 1.2b3. I don't think this used to happen
> > >> under 1.11. Someone else confirmed that this
> > >> happens to them too. The connection isn't
> > >> denied. It seems like it times out.
> > >
> > > That's because as of 1.2b2, the TCP idle timeout for the firewall is
> > > 2.5 hours instead of the ipfilter default of 10 days (!) to keep the
> Why "(!)"? I've sometimes kept remote console sessions up for days at a
> time. :-)

One problem in this area is confusion about the units of the IPFilter
timeouts. Those are in units of *half-seconds*, not seconds. Thus:

1) The "10-day" timeout was really only a 5-day timeout (as noted in the
   comment in the source).

2) The new "2.5-hour" timeout is really only 1.25 hours. With endpoint
   systems like FreeBSD where the default idle interval to trigger TCP
   keepalives is 2 hours, clearly the keepalives aren't adequate to maintain

3) Any value entered on the "Advanced Options" page needs to be specified
   in half-second units.

4) The other miscellaneous timeout changes are similarly not as intended.
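
Added example, not part of the original message and not m0n0wall or IPFilter code: a small checker for the half-second unit issue described above. It converts an intended duration to the value to enter and tests whether an entered value outlives an endpoint's keepalive idle interval. All function and variable names are assumptions made for illustration, and the 2-hour keepalive default is the figure quoted in the message.

```python
# Added example: names below are illustrative, not m0n0wall or IPFilter identifiers.
import re

TICKS_PER_SECOND = 2  # IPFilter timeouts count half-seconds, per the message above
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Turn '2.5h', '10d', '90m' or '7200s' into seconds."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([smhd])\s*", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return float(m.group(1)) * UNIT_SECONDS[m.group(2)]


def ticks_for(intended):
    """Value to enter so the state entry really lives for `intended`."""
    return round(parse_duration(intended) * TICKS_PER_SECOND)


def audit(entered_value, keepalive_idle="2h"):
    """Read an entered timeout as half-second ticks and compare it with the
    idle time after which the endpoint sends its first TCP keepalive."""
    effective = entered_value / TICKS_PER_SECOND
    keepidle = parse_duration(keepalive_idle)
    return {
        "effective_seconds": effective,
        "effective_hours": effective / 3600,
        # The first probe is sent only after keepalive_idle of silence, so the
        # firewall state must outlive that interval to be refreshed by it.
        "keepalive_refreshes_state": effective > keepidle,
        # Smallest entered value that is still alive when the first probe goes out.
        "minimum_value": int(keepidle * TICKS_PER_SECOND) + 1,
    }


if __name__ == "__main__":
    # Constructed inputs: the two timeouts discussed in the thread, written in
    # seconds (the mistaken unit), then the values that give the intended times.
    for label, value in (("'2.5 hours' as seconds", 9000),
                         ("'10 days' as seconds", 864000)):
        print(label, audit(value))
    print("enter for a real 2.5 h:", ticks_for("2.5h"))
    print("enter for a real 10 d:", ticks_for("10d"))
```
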