
List:       openbsd-pf
Subject:    Re: PF Timeout and optimization warning
From:       Calomel <bsdlists () calomel ! org>
Date:       2007-10-26 18:42:18
Message-ID: 20071026184218.GA26044 () calomel ! org

Rmkml,

If you have any custom timeouts, always set them after you declare
the optimization directive. Otherwise the timeouts will be overwritten, like
you noticed.

# Timeout Examples
 set optimization aggressive
 set timeout { frag 10, tcp.established 3600 }
 set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
 set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
 set timeout { other.first 30, other.single 30, other.multiple 30 }
 set timeout { adaptive.start 5000, adaptive.end 10000 }

--
 Calomel @ http://calomel.org

On Thu, Oct 25, 2007 at 05:26:27PM +0200, rmkml wrote:
>Hi,
>just warn if you use Timeout and optimization on PF,
>
>ok first example on pf.conf :
> set timeout tcp.established 86399
> #set optimization normal#Without set optimization * !!!
>and pfctl -s timeout|grep established
> tcp.established           86399s
>
>ok second example and Warning on pf.conf :
> set timeout tcp.established 86399
> set optimization normal
>and pfctl -s timeout|grep established
> tcp.established           86400s
>
>ok third example and Warning on pf.conf :
> set timeout tcp.established 86399
> set optimization aggressive
>and pfctl -s timeout|grep established
> tcp.established           18000s
>..
>
>Warn because set timeout *.* param are not used if you use "set 
>optimization *".
>maybe add warning if "set timeout *" and "set optimization *" ?
>Best Regards
>Rmkml
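
The ordering problem discussed in this thread can be checked before a ruleset is loaded. The following is an added example, not part of the original messages: a small Python lint that reports every "set timeout" value declared ahead of a later "set optimization" line. The function names and the sample ruleset are constructed for illustration, and the parser only understands the "set timeout" forms shown in this thread.

```python
import re

# Constructed sample mirroring the thread's third example: the custom
# timeout is declared before the optimization directive.
SAMPLE_BAD = """\
set timeout tcp.established 86399
set optimization aggressive   # declared after the timeout
set timeout { udp.first 30, udp.single 30 }
"""

SET_RE = re.compile(r"^\s*set\s+(timeout|optimization)\s+(.*)$")

def logical_lines(text):
    """Yield (line_no, text) with # comments stripped and backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf

def timeouts_before_optimization(text):
    """Return [(line_no, name, value)] for timeouts set ahead of a later 'set optimization'."""
    pending, flagged = [], []
    for no, line in logical_lines(text):
        m = SET_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "optimization":
            flagged.extend(pending)  # everything collected so far precedes this directive
            pending = []
        else:
            # Accept both "set timeout name value" and "set timeout { a 1, b 2 }".
            for item in rest.strip(" {}").split(","):
                parts = item.split()
                if len(parts) == 2:
                    pending.append((no, parts[0], parts[1]))
    return flagged

if __name__ == "__main__":
    for no, name, value in timeouts_before_optimization(SAMPLE_BAD):
        print(f"line {no}: {name} {value} is set before 'set optimization'")
```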