Bug 28718

Summary: Re: NEW IPFW FEATURE [PATCHES]: Dynamic rule expiration lifetime fine-grained
Product: Base System
Reporter: Luigi Rizzo <luigi>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
CC: FreeBSD-gnats-submit
Priority: Normal
Version: 1.0-RELEASE
Hardware: Any
OS: Any

Description Luigi Rizzo 2001-07-05 13:00:05 UTC
>   When using stateful ipfw rules, the dynamic rule expiration times
>   are governed by the values of the net.inet.ip.fw.dyn_*_lifetime
>   variables.  This is an excellent attribute of the ipfw stateful

It is actually just half of what is needed. In addition to the
'lifetime', and to avoid early expiration for idle sessions, you'd
need someone (maybe the firewall) to send around keepalives to
probe the session.

Your patch slightly improves the situation, but does not radically
change it or solve the problem. You still need the firewall
administrator to do a special configuration for your session, pick
a timeout value (and what do you pick? Anything less than 24hrs
is maybe not that significant for a session that you might forget
idle and want to find active the day after), and you need
additional firewall rules to override the default for the specific
sessions.

This is why I do not consider this patch that urgent and I am not so
inclined to commit it.

In cases like this, I'd rather suggest a better approach, which is
to raise the default to something larger (like 1-2hr) and set the
keepalive interval on your client to a value that is shorter than
the expire interval.

The reason why a large timeout is not so problematic is that as soon
as the firewall sees a FIN or a RST on one side, it reverts to
using a much shorter timeout, so in most cases a regular or abortive
shutdown of the connection will result in a quick expire of the rule.

	cheers
	luigi
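As an added illustration (not part of this PR, the submitted patch, or ipfw's own code), a simplified Python model of the dynamic-rule behaviour described above: every packet matching the rule refreshes its timer by the lifetime of the rule's current state, and a FIN or RST moves the rule to a short lifetime, so an idle session survives only if the client keepalive fires more often than dyn_ack_lifetime. The lifetime values are assumed for illustration (ack raised to two hours as suggested), and keepalive_keeps_alive assumes FreeBSD's net.inet.tcp.keepidle is in milliseconds while the ipfw lifetimes are in seconds.

```python
# Illustrative lifetimes in seconds, mirroring the net.inet.ip.fw.dyn_*_lifetime
# sysctls. Values are assumptions for this model: "ack" is the 1-2 hour default
# suggested in the reply; the others are placeholders for the shorter timeouts.
LIFETIMES = {"syn": 20, "ack": 7200, "fin": 1, "rst": 1}


def simulate(packets, lifetimes=LIFETIMES):
    """Model one dynamic rule. packets is a list of (time_s, kind) with kind in
    {"syn", "ack", "fin", "rst"}, sorted by time. Returns (expiry, dropped):
    expiry is when the rule will expire after the last matching packet, dropped
    lists packets that arrived after the rule had already expired (they no longer
    match it and fall through to the static rules)."""
    state, expiry, dropped = None, None, []
    for t, kind in packets:
        if expiry is not None and t >= expiry:
            dropped.append((t, kind))  # rule already gone, packet does not match
            continue
        if state is None:
            state = "syn"              # first packet creates the rule
        elif kind in ("fin", "rst"):
            state = kind               # closing state is sticky: short timeout from now on
        elif kind == "ack" and state == "syn":
            state = "ack"              # handshake completed, use the long lifetime
        expiry = t + lifetimes[state]  # every matching packet refreshes the timer
    return expiry, dropped


def idle_session(keepalive_s, hours):
    """Constructed traffic: SYN at t=0, handshake ACK at t=1, then an otherwise
    idle session whose only packets are client keepalive probes every keepalive_s."""
    probes = int(hours * 3600 / keepalive_s)
    return [(0, "syn"), (1, "ack")] + [(1 + i * keepalive_s, "ack") for i in range(1, probes + 1)]


def keepalive_keeps_alive(keepidle_ms, dyn_ack_lifetime_s):
    """The check from the reply: the client's keepalive idle timer must be shorter
    than the firewall's dyn_ack_lifetime. Note the unit mismatch: FreeBSD's
    net.inet.tcp.keepidle is in milliseconds, the ipfw lifetimes in seconds."""
    return keepidle_ms / 1000 < dyn_ack_lifetime_s


if __name__ == "__main__":
    print("10-min keepalive, 24h idle:", simulate(idle_session(600, 24)))
    print("2h keepalive == lifetime:", simulate(idle_session(7200, 24)))
    print("FIN then trailing ACK:", simulate([(0, "syn"), (10, "fin"), (10.5, "ack")]))
```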
Comment 1 dd freebsd_committer freebsd_triage 2001-07-06 14:19:15 UTC
Responsible Changed
From-To: gnats-admin->freebsd-bugs

misfiled
Comment 2 dd freebsd_committer freebsd_triage 2001-07-22 16:02:00 UTC
State Changed
From-To: open->closed

followup to another pr