Emmanuel Dreyfus
2010-06-07 10:58:51 UTC
Hello
I upgraded a firewall to 5.0.2, and now IPfilter will break any connexion
that has been idle for more than between 30 and 150 seconds (I have
not yet measured the exact time it needs to kill).
ipfstat -t shows the connexion with a TTL for more than 119 hours,
and then it suddently dispaear, while no traffic has been exchanged
(I checked with tcpdump on both interfaces).
Is there a known problem? I wonder if this could not be because the
state table is full (I recall having to rebuild a kernel with some
option about that on the previous machine, but it was a very long
time ago, and I don't find the relevant options in the sources anymore)
Here is how many entries I have, I do not know if this is big or not:
# ipfstat -Rsl|grep ^[0-9]|wc -l
3697
I upgraded a firewall to 5.0.2, and now IPfilter will break any connexion
that has been idle for more than between 30 and 150 seconds (I have
not yet measured the exact time it needs to kill).
ipfstat -t shows the connexion with a TTL for more than 119 hours,
and then it suddently dispaear, while no traffic has been exchanged
(I checked with tcpdump on both interfaces).
Is there a known problem? I wonder if this could not be because the
state table is full (I recall having to rebuild a kernel with some
option about that on the previous machine, but it was a very long
time ago, and I don't find the relevant options in the sources anymore)
Here is how many entries I have, I do not know if this is big or not:
# ipfstat -Rsl|grep ^[0-9]|wc -l
3697
--
Emmanuel Dreyfus
***@netbsd.org
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Emmanuel Dreyfus
***@netbsd.org
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de