Since ipf doesn't send keep alives to refresh its connections and on
our Intranet server that gets modest www traffic, how can I run with
reasonably low/sane TTLs for most of our rules, but have a different
TTL for ssh traffic?  The documentation suggests that I can do this:

       filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
                  [ proto ] [ ip ] [ group ].
       ttl  = "ttl" decnumber .

But in practice, I think that the feature is unable to correctly
identify a valid number when it sees one.

>From ipf.rules:

pass in quick on fxp1 ttl 604800 proto tcp from any to 192.168.1.0/24 port = 22 flags 
S keep state keep frags

# ipf -Fa -f /etc/ipf.rules
693: invalid ttl (604800)

:-/ One would think that 604800 would qualify as a decnumber.  Am I
missing something or is this a documented non-feature?

-sc

-- 
Sean Chittenden
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to