IPFW In kernel IPFW dropping SSL and VPN connections

Interesting day.
First, I had a laptop that couldn't maintain an SSL connection to Postgres off site when left idle for a time (TCP 5432).

I found the DENY logs and I ended up setting these sysctl settings on the IPFW firewall for our network. It seems to have solved the problem for now:
# allows state table to persist through a firewall restart
net.inet.ip.fw.dyn_keep_states=1
# sets idle lifetime to one hour
net.inet.ip.fw.dyn_ack_lifetime=3600

I'm not sure that is the correct fix though.

Plus, later in the day a desktop dropped an L2TP connection a couple of times while in use (not idle). UDP 4500.

I ran ipfw -D list (dump stateful rules) and there are blank lines. I never noticed those before. Is this normal or indicative of a problem? I would think rules that expire would be deleted, not overwritten with a blank line, but it could be.

Also, twice now, I have run ipfw -D list and it doesn't list anything, but if I repeat the command it shows everything. Is this normal?

I'm going to assume the ipfw -D list issues are normal behavior for now.

The first question I had was: did it crash? But there doesn't seem to be anything in the logs, and there is no process to check in top or ps because it is in-kernel.

UDP has no state, so I don't think increasing net.inet.ip.fw.dyn_udp_lifetime beyond the default ten seconds makes sense either.

Any thoughts appreciated.
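The following is an added illustration, not code from the post or from ipfw itself: a small model of how ipfw ages its dynamic (keep-state) rules, run over two constructed packet timelines that mirror the two problems above. It assumes the common ruleset shape `check-state` / `allow tcp from me to any out setup keep-state` / `allow udp from me to any out keep-state` / `deny ip from any to any`, the FreeBSD defaults of 300 s for net.inet.ip.fw.dyn_ack_lifetime and 10 s for net.inet.ip.fw.dyn_udp_lifetime, and flow labels of its own invention. Under those assumptions it shows why a TCP session dies for good once its entry has aged out (a mid-stream packet is not a SYN, so it can never match the `setup` rule and re-create the entry), why raising dyn_ack_lifetime to 3600 hides that, and that ipfw does keep dynamic entries for UDP too, keyed on the address/port pair, so dyn_udp_lifetime governs how long an idle UDP 4500 entry survives.

```python
"""Constructed model of ipfw dynamic-rule ageing (not ipfw source).

Modelled ruleset (assumption, the usual keep-state layout):
    check-state
    allow tcp from me to any out setup keep-state
    allow udp from me to any out keep-state
    deny ip from any to any
A TCP entry is created only by an outbound SYN, a UDP entry by any outbound
datagram; every packet matching an existing entry refreshes its timer; an
entry is dropped once idle longer than its lifetime (dyn_ack_lifetime for
established TCP, dyn_udp_lifetime for UDP). Everything else is denied.
"""
from dataclasses import dataclass, field

# FreeBSD defaults for the two sysctls (seconds), and the post's tuned value.
DEFAULT_LIFETIMES = {"tcp": 300, "udp": 10}
TUNED_LIFETIMES = {"tcp": 3600, "udp": 10}


@dataclass(frozen=True)
class Packet:
    t: float            # seconds since the flow started
    proto: str          # "tcp" or "udp"
    flow: str           # label standing in for the 5-tuple (hypothetical names)
    outbound: bool      # True if leaving the LAN, the direction keep-state matches
    syn: bool = False   # TCP SYN, i.e. the only packet the "setup" rule matches


@dataclass
class DynTable:
    lifetimes: dict
    entries: dict = field(default_factory=dict)   # flow -> expiry timestamp
    log: list = field(default_factory=list)

    def _expire(self, now):
        # Remove every entry whose idle timer has run out by `now`.
        for flow, exp in list(self.entries.items()):
            if exp <= now:
                del self.entries[flow]
                self.log.append(f"{now:7.1f}s expire {flow}")

    def _creates_entry(self, pkt):
        # Only outbound traffic hits a keep-state rule; for TCP only a SYN.
        if not pkt.outbound:
            return False
        return pkt.syn if pkt.proto == "tcp" else True

    def process(self, pkt):
        """Return 'allow' or 'deny' for one packet, updating the table."""
        self._expire(pkt.t)
        if pkt.flow in self.entries or self._creates_entry(pkt):
            self.entries[pkt.flow] = pkt.t + self.lifetimes[pkt.proto]
            return "allow"
        self.log.append(f"{pkt.t:7.1f}s DENY   {pkt.flow}")
        return "deny"


def run(lifetimes, packets):
    """Feed a packet timeline through a fresh table; return verdicts and log."""
    table = DynTable(lifetimes)
    return [table.process(p) for p in packets], table.log


# Scenario 1 (constructed): the idle Postgres session. The laptop connects,
# exchanges one query, sits idle for 20 minutes, then sends a mid-stream
# packet (ACK/PSH, not a SYN) and the server answers.
PG = "laptop->pg:5432"
POSTGRES = [
    Packet(0.0, "tcp", PG, outbound=True, syn=True),
    Packet(0.1, "tcp", PG, outbound=False),
    Packet(0.2, "tcp", PG, outbound=True),
    Packet(1200.0, "tcp", PG, outbound=True),    # next query after idling
    Packet(1200.1, "tcp", PG, outbound=False),   # server reply
]

# Scenario 2 (constructed): an L2TP/IPsec NAT-T session on UDP 4500 where the
# desktop is silent for 15 s while the far end sends a packet at 12 s.
VPN = "desktop->vpn:4500"
L2TP = [
    Packet(0.0, "udp", VPN, outbound=True),
    Packet(0.1, "udp", VPN, outbound=False),
    Packet(12.0, "udp", VPN, outbound=False),    # inbound during the quiet gap
    Packet(15.0, "udp", VPN, outbound=True),     # desktop talks again
    Packet(15.1, "udp", VPN, outbound=False),
]

if __name__ == "__main__":
    for name, lifetimes in (("default", DEFAULT_LIFETIMES), ("tuned", TUNED_LIFETIMES)):
        verdicts, log = run(lifetimes, POSTGRES)
        print(f"postgres, {name} lifetimes: {verdicts}")
        for line in log:
            print("   ", line)
    for udp_life in (10, 60):
        verdicts, log = run({"tcp": 300, "udp": udp_life}, L2TP)
        print(f"l2tp, dyn_udp_lifetime={udp_life}s: {verdicts}")
```

With the default 300 s the Postgres session's last two packets are denied and the connection is effectively dead; with 3600 s they pass. For the UDP case the inbound packet at 12 s is denied under the 10 s default but the desktop's next datagram re-creates the entry, which is the difference from TCP: a UDP flow recovers on the next outbound packet, a TCP flow does not. One caveat the model leaves out: ipfw also has net.inet.ip.fw.dyn_keepalive (default on), which sends TCP keepalives to both ends of an established dynamic rule during the last seconds of its lifetime, so an idle TCP entry normally only ages out when an endpoint stops answering, for example a laptop that has gone to sleep.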