Since ipf doesn't send keep-alives to refresh its connections, and on our Intranet server that gets modest www traffic, how can I run with reasonably low/sane TTLs for most of our rules, but have a different TTL for ssh traffic? The documentation suggests that I can do this:

    filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ] [ proto ] [ ip ] [ group ] .
    ttl = "ttl" decnumber .

But in practice, I think that the feature is unable to correctly identify a valid number when it sees one.

From ipf.rules:

    pass in quick on fxp1 ttl 604800 proto tcp from any to 192.168.1.0/24 port = 22 flags S keep state keep frags

    # ipf -Fa -f /etc/ipf.rules
    693: invalid ttl (604800)

:-/

One would think that 604800 would qualify as a decnumber. Am I missing something or is this a documented non-feature?

-sc

--
Sean Chittenden

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
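The `ttl` clause in an ipf filter rule matches the IPv4 time-to-live field of the packet header, which is an 8-bit value, so the only arguments the parser can accept are decimal numbers in the range 0..255. The following pre-flight check, added here as an illustration and not part of the original post or of IPFilter itself, scans a rule file for `ttl` clauses and reports the ones ipf would reject, in the same `line: message` shape as the loader's error. The sample rule text and the `check_ttl_values` function name are constructed for this example.

```python
import re
import sys

# Constructed sample rule file, modelled on the rule quoted in the post.
# Line 4 carries the out-of-range value that ipf refuses to load.
SAMPLE_RULES = """\
# ipf.rules (constructed sample)
block in all
pass in quick on fxp1 ttl 64 proto tcp from any to 192.168.1.0/24 port = 22 flags S keep state keep frags
pass in quick on fxp1 ttl 604800 proto tcp from any to 192.168.1.0/24 port = 22 flags S keep state keep frags
pass out quick on fxp1 proto tcp from 192.168.1.0/24 to any keep state
"""

# A `ttl` keyword followed by its single argument token.
TTL_RE = re.compile(r'\bttl\s+(\S+)')

# The IPv4 TTL header field is one octet wide.
TTL_MAX = 255


def check_ttl_values(rules_text):
    """Return a list of (line_number, token, message) tuples, one for every
    `ttl` clause whose argument is not a decimal number in 0..TTL_MAX.
    An empty list means every ttl clause in the file is loadable."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        body = line.split('#', 1)[0]          # ignore trailing comments
        for match in TTL_RE.finditer(body):
            token = match.group(1)
            if not token.isdigit():
                problems.append((lineno, token,
                                 'ttl argument is not a decimal number'))
            elif int(token) > TTL_MAX:
                problems.append((lineno, token,
                                 'ttl must be 0..255 (8-bit IP header field)'))
    return problems


def main(argv):
    # With a path argument, check that file; otherwise check the sample text.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    problems = check_ttl_values(text)
    for lineno, token, message in problems:
        print('%d: invalid ttl (%s): %s' % (lineno, token, message))
    return 1 if problems else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it against `/etc/ipf.rules` before `ipf -Fa -f` to catch a rejected value without touching the live rule set; the exit status is non-zero when any `ttl` clause would fail to load. Because the clause matches the packet's header TTL rather than the lifetime of a state entry, a per-rule value in seconds cannot be expressed with it at all.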