On 10/08/2011 8:17 PM, Michael T. Davis wrote:
> I'm trying to understand what connections there are, if any, between
> the values you can set for the age parameter on ipf.conf rules you're using to
> keep state (i.e. "... age fwd-secs[/rev-secs]") and the various fr_*time*
> kernel variables. These are the values of the IPF kernel variables on my
> "stock" NetBSD 5.1 (release) i386 system, per `ipf -T list|grep time'...
>
> fr_tcpidletimeout min 0x1 max 0x7fffffff current 864000
> fr_tcptimeout min 0x1 max 0x7fffffff current 480
> fr_tcptimewait min 0x1 max 0x7fffffff current 480
> fr_udptimeout min 0x1 max 0x7fffffff current 240
> fr_udpacktimeout min 0x1 max 0x7fffffff current 24
> fr_icmptimeout min 0x1 max 0x7fffffff current 120
> fr_icmpacktimeout min 0x1 max 0x7fffffff current 12
> fr_iptimeout min 0x1 max 0x7fffffff current 120
>
> Presumably, there's some form of mapping between these variables and
> use of the value(s) for the age parameter that go something like this:
>
> ...proto tcp...keep state...age... -> fr_tcp*
>
> ...proto udp...keep state...age... -> fr_udp*
>
> ...proto icmp...keep state...age... -> fr_icmp*
>
> (any other IP-based packet)...age... -> fr_iptimeout
>
> (Related to the last item, can IPFilter [v4.1.29, in particular] actually keep
> state for anything other than TCP, UDP, and/or ICMP?) Anyway, I would
> appreciate it if someone might clarify this and/or correct it if I'm
> completely off-base. Also, are all these values expressed in terms of seconds?

The value that you use in the rule will replace those from above with a matching name, as you've rightly guessed.

Darren
