Since ipf doesn't send keep alives to refresh its connections
(something that would be very nice to have) and on our Intranet server
that gets modest www traffic, how can I run with reasonably low/sane
TTLs for most of our rules, but have a different TTL for ssh traffic?
The documentation suggests that I can do this:
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
[ proto ] [ ip ] [ group ].
ttl = "ttl" decnumber .
ttl packets may also be selected by their Time-To-Live
value. The value given in the filter rule must
exactly match that in the packet for a match to
occur. This value can only be given as a decimal
integer value.
But as I have since discovered, this ttl is a packet hop count ttl,
not a time to live/timeout value for rules (how ipfstat -t displays the
default life of a rule). What I'd really like to be able to do is
something like, for the general case:
sysctl net.inet.ipf.fr_tcpidletimeout=7200
Then in my ipf.rules:
pass in quick on fxp1 idle 604800 proto tcp from any to 192.168.1.0/24 port = 22 flags S keep state keep frags
Or am I missing an undocumented feature?
-sc
--
Sean Chittenden
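As an added illustration (not from the post above and not IPFilter's code), a small Python model of the two things called "ttl" here: a rule `ttl N` that must exactly match the packet's hop count, versus the idle timeout that decides when a `keep state` entry is dropped. The `idle` per-rule keyword is the poster's wished-for syntax and is assumed here; it is not an ipf feature, and the 7200 default mirrors the sysctl value in the post.

```python
"""Toy model of ipf-style packet-TTL matching versus state idle timeouts.
This is an added example for this page, not IPFilter's implementation.
`idle` is the poster's hypothetical per-rule override, not real ipf syntax."""
from dataclasses import dataclass, field
from typing import Optional

FR_TCPIDLETIMEOUT = 7200   # assumed global default, as in the post (seconds)


@dataclass
class Rule:
    dport: int
    ttl: Optional[int] = None    # ipf `ttl`: packet hop count must match exactly
    idle: Optional[int] = None   # hypothetical per-rule state idle timeout (s)

    def matches(self, dport: int, pkt_ttl: int) -> bool:
        return dport == self.dport and (self.ttl is None or self.ttl == pkt_ttl)


@dataclass
class StateTable:
    rules: list
    entries: dict = field(default_factory=dict)   # (src, dport) -> (rule, last_seen)

    def packet(self, src: str, dport: int, pkt_ttl: int, now: int) -> bool:
        """True if the packet passes via a live state entry or a matching rule."""
        self.expire(now)
        key = (src, dport)
        if key in self.entries:
            self.entries[key] = (self.entries[key][0], now)   # refresh idle timer
            return True
        for rule in self.rules:
            if rule.matches(dport, pkt_ttl):
                self.entries[key] = (rule, now)               # keep state
                return True
        return False

    def expire(self, now: int) -> None:
        """Drop entries idle longer than their rule's timeout or the global one."""
        for key, (rule, last) in list(self.entries.items()):
            limit = rule.idle if rule.idle is not None else FR_TCPIDLETIMEOUT
            if now - last > limit:
                del self.entries[key]


def demo() -> dict:
    # Constructed scenario: ssh rule with a week-long idle override, plain http
    # rule using the global default, and a rule that only matches hop count 64.
    table = StateTable([Rule(22, idle=604800), Rule(80), Rule(443, ttl=64)])
    table.packet("10.0.0.5", 22, 63, 0)        # ssh session opens at t=0
    table.packet("10.0.0.6", 80, 63, 0)        # http session opens at t=0
    later = 3 * 3600                           # three idle hours later
    table.expire(later)
    return {
        "ssh_alive": ("10.0.0.5", 22) in table.entries,
        "http_alive": ("10.0.0.6", 80) in table.entries,
        "ttl_rule_hop63": table.packet("10.0.0.7", 443, 63, later),
        "ttl_rule_hop64": table.packet("10.0.0.7", 443, 64, later),
    }
```

Running `demo()` shows the ssh state surviving three idle hours while the http state is gone, and the `ttl 64` rule rejecting a packet with hop count 63 but passing one with 64.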