Hello!
In message to <[email protected]> sent Tue, 14 Jun 2005 20:43:46 +0300 (EEST) you wrote:
MK> Please note that I want to have the lifetime 120 hrs for established
MK> connections but non-established should go away quite fast (say 10
MK> minutes). Is this possible with IPF?
Yes, it is possible. You can use the system tunables to accomplish that.
For example, under FreeBSD:
# sysctl net.inet.ipf
net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 513
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 36000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 7200
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 240
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
One unit when defining times means half a second, so for example 7200 means
one hour.
I don't know if that "half a second" is FreeBSD specific or not.
------------------------------------------
Slawomir Piotrowski / Telsat GP
Working Time Recording and Access Control Systems
http://www.ewidencja-czasu-pracy.pl
------------------------------------------
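As an added example (not code from the message above or from IPFilter itself), a small POSIX sh helper that converts between human-readable durations and the half-second ticks the reply describes, decodes the sysctl listing, and prints the commands for the lifetimes asked about in the thread. Assumptions: fr_tcpidletimeout governs established connections and fr_tcptimeout those still in the handshake; the function names ipf_ticks, ipf_explain and ipf_timeout_cmds are my own.

```shell
#!/bin/sh
# Added example, not from the original message. IPFilter timeouts are
# counted in half-second ticks (as the reply states), so values read from
# sysctl need converting before they are meaningful, and values written
# need the same conversion in reverse.
# ASSUMPTION: fr_tcpidletimeout governs established sessions and
# fr_tcptimeout governs sessions that have not finished the handshake.

# ipf_ticks 120h -> 864000. Accepts <N>s, <N>m, <N>h or <N>d.
ipf_ticks() {
    num=${1%?}
    unit=${1#"$num"}
    case "$num" in
        ''|*[!0-9]*) echo "ipf_ticks: bad number in '$1'" >&2; return 1 ;;
    esac
    case "$unit" in
        s) secs=$num ;;
        m) secs=$((num * 60)) ;;
        h) secs=$((num * 3600)) ;;
        d) secs=$((num * 86400)) ;;
        *) echo "ipf_ticks: bad unit in '$1'" >&2; return 1 ;;
    esac
    echo $((secs * 2))
}

# Read "name: ticks" lines (the `sysctl net.inet.ipf` format) on stdin and
# print every tcp/udp/icmp timeout tunable with its value in seconds.
ipf_explain() {
    while IFS=': ' read -r name ticks; do
        case "$name" in
            net.inet.ipf.fr_tcp*|net.inet.ipf.fr_udp*|net.inet.ipf.fr_icmp*) ;;
            *) continue ;;
        esac
        case "$ticks" in ''|*[!0-9]*) continue ;; esac
        printf '%s: %s ticks = %s s\n' "$name" "$ticks" "$((ticks / 2))"
    done
}

# Print (do not apply) the sysctl commands for the lifetimes asked for in
# the thread: 120 h for established, 10 min for not-yet-established.
ipf_timeout_cmds() {
    printf 'sysctl net.inet.ipf.fr_tcpidletimeout=%s\n' "$(ipf_ticks "$1")"
    printf 'sysctl net.inet.ipf.fr_tcptimeout=%s\n' "$(ipf_ticks "$2")"
}

# Constructed sample taken from the values shown in the reply.
SAMPLE='net.inet.ipf.fr_tcpidletimeout: 36000
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_running: 1'

printf '%s\n' "$SAMPLE" | ipf_explain
ipf_timeout_cmds 120h 10m
```

Review the printed commands before running them as root; the default 36000 ticks for established sessions decodes to 18000 s, i.e. five hours, so the 120 h requested needs 864000 ticks.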