Daniel Hartmeier <[EMAIL PROTECTED]> writes:

> Try lowering the tcp.closed timeout for these state entries, so the
> first state is removed earlier. The default is 90 seconds (so late
> packets are associated with the state entry for 90 seconds after the
> connection has been closed). You can reduce that to, say, 3 seconds, so
> the state entry is removed and a second connection will create a new
> state and work properly if it is created at least 3 seconds after the
> first one is closed.

This works better; it still hangs, but it works better. Thanks

>
> You can set the timeout in a particular rule, so only states created
> from that rule will have lowered timeouts:
>
>   pass proto tcp from port 514 to port 514 keep state (tcp.closed 3)

The "from port 514" part is not right for the source port; from what I
can see, the Linux rsh implementation starts at 1022, then 1023.

The IRIX rsh implementation seems to be between 514 and 1023 for the
client source port.

Btw, I got the rsh source from gnu.org, and even though the web site
says it comes from BSD, it still behaves the same (after compilation)
as the Debian/Red Hat package.

Something changed in the rsh code when it went GNU.

>
> Note that timeouts are only checked (and timed out state entries
> removed) in intervals (default is 10 seconds, see pfctl -st). If you
> are using timeouts near or below that interval, you might want to lower
> the interval, too, to get enough precision. With tcp.closed 3 and
> interval 10, the state removal might occur as late as 13 seconds after
> the connection is closed.
>
> Just curious, what does that rsh client do if you try to run multiple
> concurrent rsh sessions to the same destination? It can't possibly use
> source port 514 for more than one connection (to the same destination
> address and port) at the same time. That wouldn't just confuse pf, but
> also the receiver (it wouldn't work even if you disable pf).

It works the same when I connect multiple clients from the same
src/dest IP. It just hangs sometimes, but works better with tcp.closed
set to 3.

While it is not a perfect solution, we will migrate all rsh
clients/servers to ssh and move all scripts that use that technology.

Thanks

-- 
Loïc

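A worked illustration of the timing Daniel describes (the tcp.closed timeout plus the purge interval), added here as an example; it is not part of the thread and not pf's own code. It is a small Python model of a state table keyed on the TCP 4-tuple, where closed entries are only dropped when the interval timer fires, so a client that reuses the same privileged source port too soon hits the lingering entry. The `StateTable` class, the helper `reconnect_gets_fresh_state` and the rsh-style 4-tuple values are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# (src ip, src port, dst ip, dst port) - the key a stateful firewall tracks
FourTuple = Tuple[str, int, str, int]


@dataclass
class State:
    key: FourTuple
    closed_at: Optional[float] = None  # set once the connection has closed


@dataclass
class StateTable:
    """Simplified model (not pf's code) of state expiry with a purge timer."""
    tcp_closed: float = 90.0  # pf default tcp.closed timeout, seconds
    interval: float = 10.0    # pf default purge interval (see pfctl -st)
    states: Dict[FourTuple, State] = field(default_factory=dict)
    last_purge: float = 0.0

    def _purge_until(self, now: float) -> None:
        # Expired entries are only dropped when a purge tick fires, so a state
        # whose timeout has already elapsed survives until the next tick.
        while self.last_purge + self.interval <= now:
            self.last_purge += self.interval
            tick = self.last_purge
            self.states = {
                k: s for k, s in self.states.items()
                if s.closed_at is None or s.closed_at + self.tcp_closed > tick
            }

    def open(self, key: FourTuple, now: float) -> bool:
        """Handle a SYN. True: a fresh state was created. False: the SYN was
        matched against a lingering entry for the same 4-tuple, which is what
        an rsh client reusing its privileged source port runs into."""
        self._purge_until(now)
        if key in self.states:
            return False
        self.states[key] = State(key)
        return True

    def close(self, key: FourTuple, now: float) -> None:
        """Connection closed: start the tcp.closed timer for this entry."""
        self.states[key].closed_at = now


def worst_case_removal(tcp_closed: float, interval: float) -> float:
    """Latest time after close at which a closed state can still exist: the
    timeout must elapse and then the next purge tick must come around."""
    return tcp_closed + interval


def reconnect_gets_fresh_state(tcp_closed: float, interval: float,
                               close_at: float, reconnect_at: float) -> bool:
    """Simulate one rsh-like session closed at close_at and a second session
    reusing the same 4-tuple at reconnect_at (constructed sample addresses)."""
    table = StateTable(tcp_closed=tcp_closed, interval=interval)
    key: FourTuple = ("10.0.0.5", 1023, "10.0.0.9", 514)
    assert table.open(key, 0.0)
    table.close(key, close_at)
    return table.open(key, reconnect_at)


if __name__ == "__main__":
    # Default settings, the lowered timeout alone, and timeout plus interval.
    for closed, interval in ((90.0, 10.0), (3.0, 10.0), (3.0, 2.0)):
        print(f"tcp.closed={closed:>4} interval={interval:>4} -> state may "
              f"linger up to {worst_case_removal(closed, interval)}s after "
              f"close; reconnect 4s after close gets a fresh state: "
              f"{reconnect_gets_fresh_state(closed, interval, 1.0, 5.0)}")
```

The third row shows why lowering only tcp.closed is not enough: with interval left at 10, a reconnect 4 seconds after close still lands on the old entry, while with interval 2 the entry is gone by then. In pf.conf the corresponding knobs are the global `set timeout interval` option and the per-rule `tcp.closed` keyword shown in Daniel's example rule.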