Since ipf doesn't send keep alives to refresh its connections and on
our Intranet server that gets modest www traffic, how can I run with
reasonably low/sane TTLs for most of our rules, but have a different
TTL for ssh traffic? The documentation suggests that I can do this:
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
[ proto ] [ ip ] [ group ].
ttl = "ttl" decnumber .
But in practice, I think that the feature is unable to correctly
identify a valid number when it sees one.
>From ipf.rules:
pass in quick on fxp1 ttl 604800 proto tcp from any to 192.168.1.0/24 port = 22 flags
S keep state keep frags
# ipf -Fa -f /etc/ipf.rules
693: invalid ttl (604800)
:-/ One would think that 604800 would qualify as a decnumber. Am I
missing something or is this a documented non-feature?
-sc
--
Sean Chittenden
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
