Try this:
# ipfwadm -M -s 14400 60 300

- 14400 (14400 secs or 4 hrs for TCP connections)
- 60 (1 minute for TCP FIN)
- 300 (5 minutes for UDP connections)

or if you are using ipchains:

# ipchains -M -S 14400 60 300

Change the settings to fit your needs. Good Luck!!!



"Martin J. Bligh" wrote:

> I can't find anything in the FAQ on timeouts, so ....
>
> I set up a connection (IMAP) from my internal machine (titus),
> via the Linux masquerading firewall (gormenghast), to the
> imap server (crg8) on the internet. After 15 minutes of inactivity,
> the connection dies. (BTW, 2.2.9 kernel).
>
> It seems that a masq entry that's unused for 15 minutes
> expires from the list. If this is an open TCP connection,
> this is fatal. Why are these set to expire, and especially
> after just 15 minutes of inactivity? Seems odd ... I would
> have thought the connection would stay open until it sees
> a FIN in one direction, or the other ... perhaps a 24 hour
> timeout might be useful to clean up debris, but ...
>
> How do I fix this?
>
> Thanks,
>
> Martin
>
> ---------------------------------------------------------------------------
> details:
>
> A combination of tcpdump logs and ipchains -L -M reveals:
> (I kept the full logs somewhere, in case I need them again ...)
>
> 22:07:47 connection initialised from titus.1258 to crg8.63143
>     creates an entry in the masq tables:
> TCP  14:59.96 titus          crg8     1258 (61132) -> 63143
>     yabbers away happily for a while on this socket, until ...
>
> 22:07:54.130000 crg8.63143 > titus.1258: P 15495:16272(777) ack 143 win 16384 (DF)
> 22:07:54.130000 titus.1258 > crg8.63143: . ack 16272 win 7983 (DF)
> *** NO FINs are sent! Connection is left open ... ***
>
> 22:07:54.150000 SYN packet sent from titus.1259 to crg8.63143
>     creates an entry in the masq tables:
> TCP  14:59.80 titus          crg8     1259 (61133) -> 63143
> (I think this is IMAP's second connection for the INBOX
> read, as opposed to the first one, which was the main
> control connection, and stays open).
>
> The 1259 (61133) connection is used once a minute, and stays
> alive ... but the 1258 (61132) connection isn't being used, and
> 15 minutes exactly after the last transmission ...
>
> 22:22:54 the counter for the masq tables entry for 1258 (61132)
> has counted down from 15:00 all the way to 00:00, and expires.
>
> 22:32:55 the IMAP client decides to push some more data from
> port 1258, but gets a reset back for its trouble ...
>
> 22:32:55.110000 titus.1258 > crg8.63143: P 143:156(13) ack 16272 win 7983 (DF)
>
> at this point, masq has no entry for 1258, so creates a new one ...
> TCP  00:09.56 titus          crg8     1258 (61134) -> 63143
> of course, this is no use, as it doesn't have the same port number
> from the firewall, so the server crg8 has no record of it ....
>
> 22:32:55.220000 crg8.63143 > titus.1258: R 1035929473:1035929473(0) win 16384
>
> at this point the IMAP client duly explodes into tiny pieces .....
>
> _______________________________________________
> Masq maillist  -  [EMAIL PROTECTED]
> http://tiffany.indyramp.com/mailman/listinfo/masq
> Admin requests can be handled by web (above) or [EMAIL PROTECTED]
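
The failure traced in the quoted message (an idle masq entry expires, the same internal port gets a new masqueraded port, and the server resets the connection) can be spotted by comparing successive `ipchains -L -M` listings. The script below is an added example, not part of the original thread. It assumes the expire column reads minutes:seconds.hundredths, and its snapshot offsets are constructed from the timestamps in the post.

```python
import re

# Constructed sample: (seconds since the first snapshot, masq table entry).
# Entry lines are the three quoted in the thread; the offsets are derived
# from its timestamps (22:07:47, 22:07:54, 22:32:55).
SNAPSHOTS = [
    (0,    "TCP  14:59.96 titus          crg8     1258 (61132) -> 63143"),
    (7,    "TCP  14:59.80 titus          crg8     1259 (61133) -> 63143"),
    (1508, "TCP  00:09.56 titus          crg8     1258 (61134) -> 63143"),
]

# prot, expire, source, destination, local port (masq port) -> remote port
ENTRY = re.compile(
    r"^(?P<proto>\w+)\s+(?P<min>\d+):(?P<sec>\d+)\.(?P<hund>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s+->\s+(?P<dport>\d+)$"
)

def parse_entry(line):
    """Return (flow, masq_port, seconds_until_expiry), or None if no match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    flow = (m["proto"], m["src"], m["dst"], int(m["sport"]), int(m["dport"]))
    # Assumption: the expire column is minutes:seconds.hundredths.
    remaining = int(m["min"]) * 60 + int(m["sec"]) + int(m["hund"]) / 100
    return flow, int(m["mport"]), remaining

def find_remapped_flows(snapshots):
    """Report flows whose masqueraded port changed between snapshots.

    A change means the earlier entry expired while the internal host still
    considered the connection open, so the remote end sees a new source port.
    """
    last_port = {}
    remapped = []
    for when, line in snapshots:
        parsed = parse_entry(line)
        if parsed is None:
            continue  # header or unrecognised line
        flow, mport, _ = parsed
        if flow in last_port and last_port[flow] != mport:
            remapped.append((flow, last_port[flow], mport, when))
        last_port[flow] = mport
    return remapped

if __name__ == "__main__":
    for flow, old, new, when in find_remapped_flows(SNAPSHOTS):
        print(f"t+{when}s {flow}: masq port {old} -> {new} (entry expired)")
```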


