On Wed, Aug 27, 2003 at 01:25:19AM -0700, Sean Chittenden wrote:
> Hrm, okay. Without the ability to send out periodic keep alives to
> refresh the TCP connection, how is it possible for ipf to maintain
> open SSH sessions to servers that generally serve www traffic and
> should have a short state-age/ttl/default life time in the state
> table? -sc

ipf tracks tcp connections and thus knows when a connection is finished
(both ends have sent FINs). For each state, a different timeout is used.
If you're using a BSD, you can see these with sysctl:

    net.inet.ipf.fr_tcpidletimeout: 864000
    net.inet.ipf.fr_tcpclosewait: 480
    net.inet.ipf.fr_tcplastack: 480
    net.inet.ipf.fr_tcptimeout: 480
    net.inet.ipf.fr_tcpclosed: 120
    net.inet.ipf.fr_tcphalfclosed: 14400

-Guido
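
The behaviour described in the reply above, as an added sketch that is not part of the original message and is not ipf's own code: a state table whose expiry timeout depends on the connection phase, so an idle established SSH session outlives a www connection that both ends have closed. The phase names and the phase-to-sysctl mapping are assumptions, and the values (those quoted in the message) are treated as opaque ticks.

```python
# Constructed input: the sysctl lines quoted in the message.
SYSCTL_OUTPUT = """\
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
"""

def parse_sysctl(text):
    """Return {short_name: int} from 'name: value' lines."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            out[name.strip().rsplit(".", 1)[-1]] = int(value)
    return out

# Assumed mapping (hypothetical phase names) from phase to timeout knob.
PHASE_TIMEOUT = {
    "established": "fr_tcpidletimeout",
    "half_closed": "fr_tcphalfclosed",
    "closed": "fr_tcpclosed",
}

class StateEntry:
    def __init__(self, label, now):
        self.label, self.phase, self.last_seen = label, "established", now
        self.fins = set()  # which ends have sent a FIN so far

    def packet(self, now, sender, fin=False):
        """Every packet refreshes last_seen; FINs advance the phase."""
        self.last_seen = now
        if fin:
            self.fins.add(sender)
        if len(self.fins) == 2:
            self.phase = "closed"
        elif self.fins:
            self.phase = "half_closed"

def expire(table, timeouts, now):
    """Keep entries whose idle time is below their phase's timeout."""
    return [e for e in table
            if now - e.last_seen < timeouts[PHASE_TIMEOUT[e.phase]]]

def demo():
    t = parse_sysctl(SYSCTL_OUTPUT)
    ssh, www = StateEntry("ssh", 0), StateEntry("www", 0)
    www.packet(10, "client", fin=True)   # www connection is torn down
    www.packet(11, "server", fin=True)
    return [e.label for e in expire([ssh, www], t, now=1000)]
```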
