On Wed, 8 Jun 2005, Mogens Valentin wrote:
> WRT ssh, on the sshd side of things, for protocol 2 at least,
> ClientAliveInterval/ClientAliveCountMax can easily keep that ssh session open
> over the weekend.
So can enabling TCP keep-alives.
> Works well for me with a 10 min conntrack timeout, no probs with any other
> services for weeks now. Saves a lot of entries in the table.
10 mins is a bit too aggressive. With this, please make absolutely sure you
RST unknown traffic rather than dropping it, regardless of where it is
seen from. If not you risk causing a bit of trouble to various servers by their
client connections suddenly going numb.
> However, I'd still like to know which other normally occurring TCP stuff needs
> such a looong establishment.
Any protocol supporting long idle phases. The obvious ones are the
interactive protocols:
Telnet
SSH
rsh/rlogin
ftp
etc
But when talking about timeouts as short as 10 minutes you also have to worry
about very many other protocols:
Various SQL/ODBC protocols
HTTP/HTTPS in combination with certain applications
NFS
SMB
etc. And depending on your situation some of these may well belong to the
first category above requiring very long established timeouts.
Regards
Henrik
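The timing question the two of you are circling (will a ClientAlive probe or a kernel TCP keepalive actually arrive before a 10-minute conntrack entry expires?) is easy to get wrong, because "TCPKeepAlive yes" in sshd only turns the socket option on; the probe cadence comes from the kernel's net.ipv4.tcp_keepalive_* settings, which on Linux default to a 7200 s idle time. The script below is an added example written for this thread, not code from either poster. It models the three knobs (sshd's ClientAliveInterval/ClientAliveCountMax, sshd's TCPKeepAlive together with the kernel keepalive sysctls, and the firewall's established-connection timeout), reports the longest silent gap each setup leaves on the wire, and says whether the conntrack entry survives. The Linux default values in the dataclass and the sysctl names are assumptions about a current kernel; the 0.5 safety margin is a choice made here, not something from the thread.

```python
"""Does a keepalive strategy outlive a shortened conntrack timeout?

Constructed example for the linux-net thread above; not code from the posts.
A stateful firewall forgets an idle TCP session once
nf_conntrack_tcp_timeout_established seconds pass with no packet.  On an
otherwise idle SSH session two things can generate packets:

  * sshd's ClientAliveInterval probes (SSH protocol 2 only), and
  * kernel TCP keepalives, enabled by sshd's "TCPKeepAlive yes" but timed by
    net.ipv4.tcp_keepalive_* (assumed Linux defaults: 7200 s idle, then a
    probe every 75 s, 9 probes before giving up).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KeepaliveSetup:
    conntrack_established: int       # nf_conntrack_tcp_timeout_established, seconds
    client_alive_interval: int = 0   # sshd ClientAliveInterval (0 disables)
    client_alive_count_max: int = 3  # sshd ClientAliveCountMax (OpenSSH default 3)
    tcp_keepalive: bool = False      # sshd TCPKeepAlive yes/no
    tcp_keepalive_time: int = 7200   # net.ipv4.tcp_keepalive_time (assumed Linux default)
    tcp_keepalive_intvl: int = 75    # net.ipv4.tcp_keepalive_intvl (assumed Linux default)
    tcp_keepalive_probes: int = 9    # net.ipv4.tcp_keepalive_probes (assumed Linux default)


def longest_silent_gap(s: KeepaliveSetup) -> Optional[int]:
    """Seconds an idle session can go with no packet crossing the firewall.

    Every probe and its reply refreshes the conntrack timer, so the gap is the
    shortest probe interval among the enabled mechanisms, or None if neither
    is enabled.
    """
    gaps = []
    if s.client_alive_interval > 0:
        gaps.append(s.client_alive_interval)
    if s.tcp_keepalive:
        gaps.append(s.tcp_keepalive_time)
    return min(gaps) if gaps else None


def survives_idle(s: KeepaliveSetup, margin: float = 0.5) -> bool:
    """True if probes come often enough that the conntrack entry never expires.

    `margin` (an assumption of this example) requires the probe interval to be
    at most half the timeout, so one lost probe does not expire the entry.
    """
    gap = longest_silent_gap(s)
    return gap is not None and gap <= s.conntrack_established * margin


def dead_peer_timeout(s: KeepaliveSetup) -> Optional[int]:
    """Seconds until an unresponsive peer is torn down, whichever mechanism fires first."""
    candidates = []
    if s.client_alive_interval > 0:
        # sshd disconnects after ClientAliveCountMax unanswered probes.
        candidates.append(s.client_alive_interval * s.client_alive_count_max)
    if s.tcp_keepalive:
        # Kernel: idle time, then tcp_keepalive_probes probes tcp_keepalive_intvl apart.
        candidates.append(s.tcp_keepalive_time + s.tcp_keepalive_intvl * s.tcp_keepalive_probes)
    return min(candidates) if candidates else None


def config_lines(s: KeepaliveSetup) -> List[str]:
    """Render the sshd_config and sysctl lines that correspond to the setup."""
    lines = [
        "# sshd_config (ssh server)",
        f"ClientAliveInterval {s.client_alive_interval}",
        f"ClientAliveCountMax {s.client_alive_count_max}",
        f"TCPKeepAlive {'yes' if s.tcp_keepalive else 'no'}",
        "# sysctl (firewall host)",
        f"net.netfilter.nf_conntrack_tcp_timeout_established = {s.conntrack_established}",
    ]
    if s.tcp_keepalive:
        lines += [
            "# sysctl (ssh server host)",
            f"net.ipv4.tcp_keepalive_time = {s.tcp_keepalive_time}",
            f"net.ipv4.tcp_keepalive_intvl = {s.tcp_keepalive_intvl}",
            f"net.ipv4.tcp_keepalive_probes = {s.tcp_keepalive_probes}",
        ]
    return lines


if __name__ == "__main__":
    ten_minutes = 600  # the conntrack timeout discussed in the thread
    for label, setup in [
        ("TCPKeepAlive yes, kernel defaults", KeepaliveSetup(ten_minutes, tcp_keepalive=True)),
        ("ClientAliveInterval 300", KeepaliveSetup(ten_minutes, client_alive_interval=300)),
        ("TCPKeepAlive yes, tcp_keepalive_time 240",
         KeepaliveSetup(ten_minutes, tcp_keepalive=True, tcp_keepalive_time=240)),
    ]:
        print(f"{label}: gap={longest_silent_gap(setup)}s "
              f"survives={survives_idle(setup)} dead_peer={dead_peer_timeout(setup)}s")
        print("\n".join("    " + line for line in config_lines(setup)))
```

Running it shows the point of the thread in numbers: with a 600 s conntrack timeout, "TCPKeepAlive yes" on its own does nothing useful under default kernel settings (first probe after 7200 s), while ClientAliveInterval 300 keeps the entry alive and also tears down a dead peer after 900 s. The script only covers the idle-session case; it says nothing about what the firewall does to a packet from a session it has already forgotten, which is the RST-versus-drop point raised above and has to be handled in the firewall ruleset itself.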