In any case, an ssh connection from outside to the DMZ will time out after 5-10 minutes if idle.
In general my setup is like this:
8 Gb Intel NICs - 2 external (builtin to mobo) - 6 internal (dual port PCI-X cards)
Xeon processor and 2 GB RAM
OpenBSD 3.5. I've upped the nmbuffs on the kernel, but that's about it for kernel mods.
I use several altq queues, nat (and rdr), and route-to (to route certain IPs through a dedicated Internet connection). I have 5 internal zones and a DMZ.
Most of the rules (I can't paste them here) are standard pass in ... keep state. The default rule (or rule 0) is block in all.
I use set optimization conservative and have just recently (since the problem was noticed) commented out my #set timeout { tcp.first 120, tcp.opening 120, tcp.established 28800 }.
I use set block-policy drop and
scrub in all
I also use an antispoof on lo0 and the following generic rules.
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags /S
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags /SFRA
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags /SFRAU
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags A/A
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags F/SFRA
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags U/SFRAU
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SF/SF
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SF/SFRA
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SR/SR
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags FUP/FUP
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SFRAU/SFRAU
block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SFRAUP/SFRAUP
block in log quick on {$ext_if,$co1_if} from { <RFC1918> } to any
block out log quick on {$ext_if,$co1_if} from any to { <RFC1918> }
If I've missed any information, please let me know.
Thanks -=Tucker
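Added example, not part of Tucker's post: a small Python model of pf's `flags X/Y` matching ("of the flags listed in Y, exactly those in X must be set; flags outside Y are ignored") run over the thirteen flag rules quoted above, in the order they appear, with `quick` semantics (first match wins). The rule strings are copied from the post; the sample packets are constructed here. It shows which inbound TCP packets that do not already match a state entry each rule catches, and that the first rule, `flags /S`, already matches every packet without SYN, so the later rules only ever see SYN-bearing combinations.

```python
"""Model of pf `flags X/Y` matching applied to the block rules from the post.

Added example, not from the original post. Rule strings are quoted from the
post; packet samples are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# TCP flag bits in the single-letter notation pf uses (E = ECE, W = CWR).
TCP_FLAGS: Dict[str, int] = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}

# The flag rules exactly as they appear in the post, in evaluation order.
FLAG_RULES: List[str] = [
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags /S",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags /SFRA",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags /SFRAU",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags A/A",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags F/SFRA",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags U/SFRAU",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SF/SF",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SF/SFRA",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SR/SR",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags FUP/FUP",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags FUP/SFRAUPEW",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SFRAU/SFRAU",
    "block in log quick on {$ext_if,$co1_if} proto tcp from any to any flags SFRAUP/SFRAUP",
]

# Constructed sample packets, named by the flag combination they carry.
SAMPLE_PACKETS: Dict[str, int] = {
    "syn": 0x02,        # normal connection request
    "syn_ack": 0x12,    # second step of the handshake, arriving without state
    "ack_only": 0x10,   # stray ACK with no matching state entry
    "null": 0x00,       # no flags at all
    "xmas": 0x29,       # FIN+URG+PSH
    "syn_fin": 0x03,    # SYN+FIN, never valid
    "syn_rst": 0x06,    # SYN+RST, never valid
}


def flags_to_bits(letters: str) -> int:
    """Convert a pf flag letter string such as 'SA' to its bit mask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flags_spec(spec: str) -> Tuple[int, int]:
    """'X/Y' -> (required, mask). An empty X means 'none of Y may be set'."""
    required, _, mask = spec.partition("/")
    return flags_to_bits(required), flags_to_bits(mask)


def flags_match(packet_flags: int, spec: str) -> bool:
    """pf semantics: within the mask, the set flags must equal the required set."""
    required, mask = parse_flags_spec(spec)
    return (packet_flags & mask) == required


def first_blocking_rule(packet_flags: int, rules: List[str]) -> Optional[int]:
    """Index of the first 'quick' rule whose flags spec matches, or None."""
    for index, rule in enumerate(rules):
        spec = rule.rsplit(" flags ", 1)[1].strip()
        if flags_match(packet_flags, spec):
            return index
    return None


def classify_samples() -> Dict[str, Optional[int]]:
    """Run every sample packet through the rule list in order."""
    return {name: first_blocking_rule(bits, FLAG_RULES)
            for name, bits in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        where = "passes the flag checks" if hit is None else f"blocked by rule {hit}"
        print(f"{name:9s} -> {where}")
```

Because pf consults the state table before the rule set, these rules only ever see packets with no matching state, which is why a `block` on `flags A/A` does not break established sessions. The model also makes the ordering visible: `null`, `xmas` and `ack_only` are all caught by rule 0 (`/S`), so the dedicated `/SFRA`, `FUP/FUP` and similar rules after it are shadowed for any packet that lacks SYN, while `SF/SF` and `SR/SR` are the first rules to fire for the SYN+FIN and SYN+RST samples.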
