IPv6


Jos Chrispijn

Jun 20, 2024, 1:56:15 PM
to FreeBSD Mailing List
Running FreeBSD 13.3-RELEASE-p1
If no data has been exchanged via a TCP connection for 15 minutes, or if no data has been exchanged via a UDP connection for 5 minutes, my FRITZ!Box router automatically removes the connection(s) in question from the NAT table ("NAT Timeout"). This will close all ports used by these connections and disconnect the application (read in this case: FreeBSD) from the Internet. According to the manufacturer: 'to ensure the security of devices in the router's home network and to prevent performance losses during Internet access'.

This forces me into running an 'IPv6 stay alive' script every 30 minutes in order to be available for incoming IPv6 connections. Is there a way to use FreeBSD in a more smooth way to tackle this or does the manufacturer AVM need to include this functionality into their hardware?

Thanks, Jos

Ralf Weber

Jun 21, 2024, 5:58:04 AM
to Jos Chrispijn, FreeBSD Mailing List
Moin!

On 20 Jun 2024, at 19:56, Jos Chrispijn wrote:

> Running FreeBSD 13.3-RELEASE-p1
> If no data has been exchanged via a TCP connection for 15 minutes, or if no data has been exchanged via a UDP connection for 5 minutes, my FRITZ!Box router automatically removes the connection(s) in question from the NAT table ("NAT Timeout"). This will close all ports used by these connections and disconnect the application (read in this case: FreeBSD) from the Internet. According to the manufacturer: 'to ensure the security of devices in the router's home network and to prevent performance losses during Internet access'.

I’m a bit confused here, as for IPv6 you are not doing NAT, but the FritzBox and other home routers do have a state table for firewall connections that usually has a timeout value. I assume you mean this. In FreeBSD, if you have pf enabled, you get these values with:

pfctl -st

In Linux (which oddly enough the FritzBox is based on) the following should help:

sysctl -a | grep conntrack

However the FritzBox AFAIK has no option to change these values.

> This forces me into running an 'IPv6 stay alive' script every 30 minutes in order to be available for incoming IPv6 connections. Is there a way to use FreeBSD in a more smooth way to tackle this or does the manufacturer AVM need to include this functionality into their hardware?

This is a common problem with stateful firewalls and why most applications that use long-lived connections have an in-band keepalive mechanism. E.g. for ssh you can put the following in ~/.ssh/config:

ServerAliveInterval 60
ServerAliveCountMax 60

Which will give you an hour without typing something on your keyboard for an ssh connection.

Hopefully that helps.

So long
-Ralf
——-
Ralf Weber

Kevin P. Neal

Jun 25, 2024, 8:52:33 PM
to Ralf Weber, FreeBSD Mailing List
On Fri, Jun 21, 2024 at 11:57:34AM +0200, Ralf Weber wrote:
> This is a common problem with stateful firewalls and why most applications that use long-lived connections have an in-band keepalive mechanism. E.g. for ssh you can put the following in ~/.ssh/config:
>
> ServerAliveInterval 60
> ServerAliveCountMax 60
>
> Which will give you an hour without typing something on your keyboard for an ssh connection.

Wouldn't this actually mean the connection can be down for an hour before
ssh gives up?

ServerAliveInterval is how often keepalive messages are sent through the
encrypted channel. The default is zero so no keepalive messages are sent.

But from the man page:
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are
being sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive

and

The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds.

So, really, if the documentation is to be believed the only setting that
would be needed is ServerAliveInterval since it defaults to zero.
--
Kevin P. Neal http://www.pobox.com/~kpn/

"I like being on The Daily Show." - Kermit the Frog, Feb 13 2001
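
Added example, not part of any post in this thread: a Python sketch that resolves ServerAliveInterval and ServerAliveCountMax for a host from an ssh config and compares them with the 15-minute TCP idle limit from the original post. The sample config, host names and function names are constructed for illustration; it handles only Host blocks (no Match or Include) and assumes values in plain seconds.

```python
import fnmatch

# Constructed sample ~/.ssh/config; the host names are made up for this example.
SAMPLE_CONFIG = """\
Host bastion.example.org
    ServerAliveInterval 1200
Host *.example.org
    ServerAliveInterval 60
    ServerAliveCountMax 60
Host *
    ServerAliveInterval 0
"""
DEFAULTS = {"serveraliveinterval": 0, "serveralivecountmax": 3}  # per ssh_config(5)

def host_matches(patterns, host):
    """ssh-style Host matching: '*'/'?' wildcards, '!' negates a pattern."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective_keepalive(config_text, host):
    """Resolve both options for host; the first value obtained for an option wins."""
    found, active = {}, True  # options above the first Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif active and key in DEFAULTS and args:
            found.setdefault(key, int(args[0]))  # assumes values in plain seconds
    return {**DEFAULTS, **found}

def assess(config_text, host, idle_timeout=900):
    """idle_timeout: the router's TCP idle limit (15 minutes in the original post)."""
    opts = effective_keepalive(config_text, host)
    interval, count = opts["serveraliveinterval"], opts["serveralivecountmax"]
    return {
        "interval": interval,
        "count_max": count,
        # A keepalive only refreshes the state entry if it is sent before expiry.
        "refreshes_state": 0 < interval < idle_timeout,
        # Approximate seconds before ssh gives up on a server that stopped answering.
        "gives_up_after_s": interval * count if interval else None,
    }

if __name__ == "__main__":
    for name in ("www.example.org", "bastion.example.org", "other.test"):
        print(name, assess(SAMPLE_CONFIG, name))
```

With the 60/60 settings quoted above, a keepalive crosses the router every minute and ssh tolerates roughly an hour of silence from the server before disconnecting; the 1200-second entry is longer than the idle limit, so it would not keep the state entry alive.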

Jos Chrispijn

Jun 29, 2024, 4:16:13 AM
to Kevin P. Neal, Ralf Weber, FreeBSD Mailing List

Thanks for this. Will check.

Best, Jos
