Re: [ILUG] IPmasq and TCP keepalives

From: Fergal Daly (fergal at domain esatclear.ie)
Date: Tue 11 Jul 2000 - 14:09:44 IST

• Next message: Kenn Humborg: "RE: [ILUG] IPmasq and TCP keepalives"
• Previous message: Kenn Humborg: "RE: [ILUG] Re: IPmasq and TCP keepalives"
• In reply to: Kenn Humborg: "[ILUG] IPmasq and TCP keepalives"
• Next in thread: Kenn Humborg: "RE: [ILUG] IPmasq and TCP keepalives"
• Reply: Kenn Humborg: "RE: [ILUG] IPmasq and TCP keepalives"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

The rc.firewall that I took from the IP-Masq howto has this

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

which looks right in relation to your point, but I'm no expert,

Fergal

At 13:49 11/07/00, Kenn Humborg wrote:

>Here's an interesting snippet of information:
>
>In Linux 2.0.x, the default TCP keepalive was 15 mins.
>That meant that every 15 mins, the TCP stack would send
>a packet to the remote end of each connection, just to
>see if it was still there.
>
>In Linux 2.0.x, the default IP masquearading timeout for
>active TCP connections was 15 mins. So as long as there
>was traffic over the masqueraded connection every 15 mins,
>the masq entries would stay alive. (Setting this to 16 mins
>would probably have been a better idea, given the TCP
>keepalive of 15 mins. No matter...)
>
>In Linux 2.2.x, the default TCP keepalive interval was
>extended to 3 hours. So if you have a masqueaded connection
>from a 2.2 machine through a 2.0 masq box, you'll find
>that inactive connections get mysteriously dropped.
>
>I don't know what the default IP masq timeout is under 2.2,
>but if it is still 15 mins, then idle connections via a
>2.2 masq box will also be dropped.
>
>You'll need to tweak either or both of the IP masq timeout
>on the firewall and the TCP keepalive timer on the client:
>
>On linux 2.0.x set the IP masq timeout to just over 3 hours:
># ipfwadm -M -s 11000 0 0
>
>On linux 2.2.x, set the TCP keepalive timer to just under
>15 mins:
># echo 870 > /proc/sys/net/ipv4/tcp_keepalive_time
>
>As Kate would so eloquently say: mutter, mutter...
>
>Later,
>Kenn
>
>
>--
>Irish Linux Users' Group: ilug at domain linux.ie
>http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
>List maintainer: listmaster at domain linux.ie

• Next message: Kenn Humborg: "RE: [ILUG] IPmasq and TCP keepalives"
• Previous message: Kenn Humborg: "RE: [ILUG] Re: IPmasq and TCP keepalives"
• In reply to: Kenn Humborg: "[ILUG] IPmasq and TCP keepalives"
• Next in thread: Kenn Humborg: "RE: [ILUG] IPmasq and TCP keepalives"
• Reply: Kenn Humborg: "RE: [ILUG] IPmasq and TCP keepalives"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:06:50 GMT