I'm trying to understand what connections there are, if any, between
the values you can set for the age parameter on ipf.conf rules you're using to
keep state (i.e. "... age fwd-secs[/rev-secs]") and the various fr_*time*
kernel variables.  These are the values of the IPF kernel variables on my
"stock" NetBSD 5.1 (release) i386 system, per `ipf -T list|grep time'...

fr_tcpidletimeout   min 0x1  max 0x7fffffff  current 864000
fr_tcptimeout       min 0x1  max 0x7fffffff  current 480
fr_tcptimewait      min 0x1  max 0x7fffffff  current 480
fr_udptimeout       min 0x1  max 0x7fffffff  current 240
fr_udpacktimeout    min 0x1  max 0x7fffffff  current 24
fr_icmptimeout      min 0x1  max 0x7fffffff  current 120
fr_icmpacktimeout   min 0x1  max 0x7fffffff  current 12
fr_iptimeout        min 0x1  max 0x7fffffff  current 120

Presumably, there's some form of mapping between these variables and
use of the value(s) for the age parameter that go something like this:

 ...proto tcp...keep state...age... -> fr_tcp*

 ...proto udp...keep state...age... -> fr_udp*

 ...proto icmp...keep state...age... -> fr_icmp*

 (any other IP-based packet)...age... -> fr_iptimeout

(Related to the last item, can IPFilter [v4.1.29, in particular] actually keep
state for anything other than TCP, UDP, and/or ICMP?)  Anyway, I would
appreciate it if someone might clarify this and/or correct it if I'm completely
off-base.  Also, are all these values expressed in terms of seconds?

Thanks,
Mike
