> > Then in my ipf.rules:
> >
> > pass in quick on fxp1 idle 604800 proto tcp from any to 192.168.1.0/24 port = 22
> > flags S keep state keep frags
> >
> > Or am I missing an undocumented feature?
>
> Yes. It's called "state-age". However it is not allowed with tcp (since
> that protocol has too many timers involved).
Hrm, okay. Without the ability to send out periodic keepalives to refresh the TCP connection, how is it possible for ipf to maintain open SSH sessions to servers that generally serve www traffic and should have a short state-age/ttl/default lifetime in the state table?

-sc

--
Sean Chittenden
