Using Cockpit Across A Firewall

asked 2017-08-08 09:14:12 +0000

bitspiel

updated 2017-08-08 09:23:44 +0000

I am using pfSense as a firewall. My scenario has a browser (on the /system page) on a machine that's on one interface "reaching" into another interface where a Fedora box is running cockpit. (The reach here means that the firewall's NAT is in play.)

The problem that I've run into is that the firewall is hardwired to close idle connections (once a time limit has been reached... 900 seconds, which is the longest I can configure, in my case), after which the browser running cockpit gets disconnected. Up to the point where the firewall closes what it perceives are inactive connections, I receive the target system's telemetry. After the connections are severed, the telemetry flat-lines for a few seconds and then I get the "Server has closed the connection" page.

If I run everything on the same subnet, i.e. no NAT or the crossing of firewall boundaries, there's no problem letting the cockpit just keep tabs on the system's status indefinitely. I chalk this up to there being no "mother hen" policing so-called idle connections when playing on the same subnet.

So the question I have is, do I petition to have cockpit do a better job of minding its inactive connections... maybe be more robust in its recovering from closing "idle" connections, or do I petition the firewall community (pfSense) to allow an even longer idle time before force closing connections?

