On Tue, Oct 04, 2005 at 02:29:21PM +0700, Olivier Nicole wrote:
> Hello,
>
> Is there a specific timeout for ipnat active entries?
>
> I'd like those to expire *fast*, much faster than the 300 seconds or so.

You can set a sysctl: net.inet.ipf.fr_defnatage, or you can specify the timeout using the age keyword.

use age aaa/bbb

IIRC, aaa is when the NAT entry times out after aaa ticks when no return traffic is seen, and bbb ticks when return traffic is seen.

-Guido
