On Sun, 6 Feb 2005, Fred Wright wrote:

> On Fri, 4 Feb 2005, Jesse Guardiani wrote:
> > Manuel Kasper wrote:
> >
> > > I can't comment about the other issues, but here's something:
> > >
> > > On 04.02.2005 03:36 -0500, Jesse Guardiani wrote:
> > >
> > >> 3.) TCP/IP connection drops
> > >> My SSH connections die after about 2 hours
> > >> under 1.2b3. I don't think this used to happen
> > >> under 1.11. Someone else confirmed that this
> > >> happens to them too. The connection isn't
> > >> denied. It seems like it times out.
> > >
> > > That's because as of 1.2b2, the TCP idle timeout for the firewall is
> > > 2.5 hours instead of the ipfilter default of 10 days (!) to keep the
>
> Why "(!)"? I've sometimes kept remote console sessions up for days at a
> time. :-)

One problem in this area is confusion about the units of the IPFilter timeouts. Those are in units of *half-seconds*, not seconds. Thus:

1) The "10-day" timeout was really only a 5-day timeout (as noted in the comment in the source).

2) The new "2.5-hour" timeout is really only 1.25 hours. With endpoint systems like FreeBSD where the default idle interval to trigger TCP keepalives is 2 hours, clearly the keepalives aren't adequate to maintain the state.

3) Any value entered on the "Advanced Options" page needs to be specified in half-second units.

4) The other miscellaneous timeout changes are similarly not as intended.

Fred Wright
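The unit mismatch described in the message above, worked through as an added example (not part of the original post and not code from the firewall or from IPFilter): it simulates an idle TCP session whose only traffic is endpoint keepalives and reports whether the firewall's state entry outlives the gap between them. The function names, the 24-hour idle period and the value 9000 (2.5 hours written in seconds) are constructed for illustration; the half-second unit and the 2-hour keepalive idle interval are taken from the post.

```python
# Added illustration. Assumption taken from the post: IPFilter state
# timeouts count half-second ticks, so a configured value lasts value/2 s.
TICKS_PER_SECOND = 2


def effective_seconds(configured_value):
    """Real idle lifetime, in seconds, of a state entry."""
    return configured_value / TICKS_PER_SECOND


def value_for(intended_seconds):
    """Value to enter so the entry really lives intended_seconds."""
    return intended_seconds * TICKS_PER_SECOND


def idle_session_survives(configured_value, keepalive_idle_s, idle_period_s):
    """Simulate a silent TCP session crossing the stateful firewall.

    The endpoint sends one keepalive after every keepalive_idle_s seconds
    of silence. A packet that still finds the state entry resets its idle
    timer. Returns (survived, second_at_which_state_expired_or_None).
    """
    lifetime = effective_seconds(configured_value)
    last_seen = 0.0                      # last packet that matched the state
    t = float(keepalive_idle_s)          # time of the next keepalive
    while t <= idle_period_s:
        if t - last_seen >= lifetime:    # entry expired before the keepalive
            return False, last_seen + lifetime
        last_seen = t
        t += keepalive_idle_s
    if idle_period_s - last_seen >= lifetime:
        return False, last_seen + lifetime
    return True, None


if __name__ == "__main__":
    HOUR = 3600
    keepidle = 2 * HOUR                  # FreeBSD default quoted in the post
    intended = int(2.5 * HOUR)           # constructed: 2.5 hours in seconds
    cases = (("entered as seconds", intended),
             ("entered as half-seconds", value_for(intended)))
    for label, value in cases:
        ok, expired_at = idle_session_survives(value, keepidle, 24 * HOUR)
        print(f"{label}: value={value} lifetime={effective_seconds(value)}s "
              f"survives={ok} expired_at={expired_at}")
```
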