Hello, we use iptables with SNAT and DNAT rules for a Linux IPsec gateway with FreeS/WAN for roadwarriors connecting to a company network. When a roadwarrior initiates a new connection, we run a script on the gateway. This script takes a few IP addresses and tries to find one which is unused. We regard it as unused when this address cannot be found in /proc/net/ip_conntrack. If there is an unused IP address we apply some iptables rules to this address. This works so far as expected. Unfortunately, in this scenario it happens that connections are terminated unexpectedly, so that some sessions are not cleanly finished. In /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c the timeout for such sessions is hard coded to 5 days :-( . Therefore I have to reserve lots of IP addresses just to bypass the time till the timeout is over. Although it is possible to change this value and recompile the kernel, I would like to know the following: Is it possible to change the timeout on the fly via an entry in the /proc filesystem or by any other means?
Thanks for an answer.

Norbert Wegener

-- 
Norbert Wegener
Phone: (49)2012661379  Fax: (49)2012661377
SBS Essen, Germany
Mail: [EMAIL PROTECTED]  Mailfax: (49)201816399018
CA Cert: http://w4.siemens.de/de2/flash/digital_id/digital_id.html
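As an added example (not part of the original post or the poster's script), the address-selection step described above, written against the 2.4-era text format of /proc/net/ip_conntrack: pick the first candidate address that appears in no conntrack entry, and separately list the TCP entries whose remaining timeout is still in the day range, which are exactly the half-closed sessions that keep an address "in use". The conntrack table below is constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /proc/net/ip_conntrack lines (old text format):
# proto protonum timeout [tcp-state] src= dst= sport= dport= [reply tuple] ...
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.1.1.10 dst=192.168.5.20 sport=1034 dport=22 src=192.168.5.20 dst=10.1.1.10 sport=22 dport=1034 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.1.1.11 dst=192.168.5.30 sport=2001 dport=80 src=192.168.5.30 dst=10.1.1.11 sport=80 dport=2001 [ASSURED] use=1
udp      17 29 src=10.1.1.13 dst=192.168.5.53 sport=40000 dport=53 src=192.168.5.53 dst=10.1.1.13 sport=53 dport=40000 use=1'

# address_in_use ADDR TABLE: exit 0 if ADDR occurs as src= or dst= in TABLE.
# The key prefix and the trailing space/end-of-line keep 10.1.1.1 from
# matching 10.1.1.10 (a plain grep for the address would be wrong here).
address_in_use() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -q -E "(src|dst)=$escaped( |\$)"
}

# first_unused_address TABLE ADDR...: print the first ADDR not in TABLE,
# exit 1 if every candidate is still referenced by some conntrack entry.
first_unused_address() {
    table=$1
    shift
    for addr in "$@"; do
        if ! address_in_use "$addr" "$table"; then
            printf '%s\n' "$addr"
            return 0
        fi
    done
    return 1
}

# stale_tcp_entries TABLE MIN_TIMEOUT: print the src address of TCP entries
# whose remaining timeout (3rd field, seconds) is at least MIN_TIMEOUT.
# With MIN_TIMEOUT=86400 this shows the entries sitting on the 5-day
# ESTABLISHED timer that the post complains about.
stale_tcp_entries() {
    printf '%s\n' "$1" |
        awk -v min="$2" '$1 == "tcp" && $3 >= min { sub(/^src=/, "", $5); print $5 }'
}

# Stand-alone run on the sample pool and table.
first_unused_address "$SAMPLE_CONNTRACK" 10.1.1.10 10.1.1.11 10.1.1.12 10.1.1.13 \
    || echo "no free address in pool"
stale_tcp_entries "$SAMPLE_CONNTRACK" 86400
```

On a live gateway, replace the sample with `$(cat /proc/net/ip_conntrack)`; the stale-entry list is also a useful check of how many pool addresses are blocked only by the long timeout rather than by real traffic.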