
Tech: How to stay in IRC, or How I made TCP/IP not get timed out by a firewall
Sun, 31 Jul 2005

Changing core LAN components always leads to a period of discovery, though fortunately I've had very good luck and things have more or less 'just worked' (excepting new problems that showed up on their own, like machines failing, etc. :) One thing that's been niggling me is that idle IRC sessions have been getting hung up on. This sort of thing usually screams 'bored firewall reaping its connection table', and I've experienced it numerous times at work and at home: a long-lasting Oracle connection mid-query, or an ssh session running a job that doesn't emit output until completion, will spontaneously be killed. Most people just background a job and fire up 'iostat 1' or 'top' to keep things busy, but that's both a 'userland' and a dirty approach.

(I wonder if these tips are useful to anyone? Really, I've been posting them as reminders to myself, but also in the hope that someone may stumble across them when in need :)


Anyway, in my case the firewall is this new Linksys firewall/router, and it features no setting to specify the timeout duration. (And really, shouldn't it reap the internal tables when memory is tight, and not as a preventative measure?) For ssh sessions (et al.) to work, I've just used ssh-level keepalive settings, but now that I realize IRC and other straight-TCP applications are being hit, it's time to get serious.

Altering settings for all TCP connections (to set a higher keepalive timer to prevent the connection timeout, for instance) is done at the OS level and as such varies pretty much from machine to machine; for Windows, I imagine you'll need a tool, or perhaps you can dig around in the registry somewhere (though how would defaults get into the registry?..) For modern homebrew Unixes, life is easier.

For FreeBSD you simply need to set a kernel variable. It's been some time, so it took me a while to remember how to do so and to find the variable to query and set, but here you go..

Query TCP "keepalive" setting: /sbin/sysctl net.inet.tcp.keepintvl
Set it to 30 mins instead of the default almost-a-day: /sbin/sysctl net.inet.tcp.keepintvl=1800

For Linux it's a similar command but with a different variable:

Query: sysctl net/ipv4/tcp_keepalive_time
Set: sysctl net/ipv4/tcp_keepalive_time=1800

I imagine you can do some magic with echo or cat to feed values into the proc filesystem, but I often have it unmounted and, further, I've no idea where to look in there (yet.. :)

I simply popped this into /etc/rc.local (or equivalent) so the command would be invoked at boot time to set things right.

Ah, noodling around the 'jail' documentation found me this useful tidbit: Rather than call sysctl to set a value, you can just edit the /etc/sysctl.conf file. Cool.
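As an added example (not code from the original post), here is the same keepalive idea applied from inside the application rather than system-wide: the OS timers above only act on sockets that have SO_KEEPALIVE switched on, and on Linux and FreeBSD a program can also set its own idle/interval/count per socket, overriding the sysctl defaults for that connection. The 1800/60/5 values are constructed for illustration.

```python
import socket

# Constructed values: first probe after 30 min idle, then one probe every
# 60 s, and declare the peer dead after 5 unanswered probes.
KEEPALIVE_IDLE = 1800
KEEPALIVE_INTERVAL = 60
KEEPALIVE_COUNT = 5

# Linux and FreeBSD expose the idle timer as TCP_KEEPIDLE; macOS calls it
# TCP_KEEPALIVE. Per-socket values are in seconds on both Linux and FreeBSD.
IDLE_OPT = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))


def enable_keepalive(sock, idle=KEEPALIVE_IDLE, interval=KEEPALIVE_INTERVAL,
                     count=KEEPALIVE_COUNT):
    """Turn on SO_KEEPALIVE and, where the platform exposes them, set the
    per-socket timers. Without SO_KEEPALIVE the kernel sends no probes at
    all, whatever the sysctl defaults say."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if IDLE_OPT is not None:
        sock.setsockopt(socket.IPPROTO_TCP, IDLE_OPT, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def keepalive_settings(sock):
    """Read back what the kernel will actually do for this socket."""
    enabled = bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))
    idle = (sock.getsockopt(socket.IPPROTO_TCP, IDLE_OPT)
            if IDLE_OPT is not None else None)
    return {"enabled": enabled, "idle": idle}


def demo():
    """Compare a freshly created TCP socket (keepalive off by default) with
    the same socket after enable_keepalive(). No network traffic is needed;
    the options can be set before connecting, e.g. to an IRC server."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        before = keepalive_settings(sock)
        enable_keepalive(sock)
        after = keepalive_settings(sock)
    finally:
        sock.close()
    return before, after


if __name__ == "__main__":
    print(demo())
```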

[ Category: / technology / bsd ]