Q: Is it possible to set up masquerading timeouts that TCP 
connection never expires even if there are no any packets traveling?
	A: Sure.
	# ipchains -M -S 13564800 0 0
	That'll last you up until January 1, 2000, and after the rioting
will start and you won't have to worry about masquerading any more. 8-)
	-- Paul Rusty Russell <Paul.Russell@rustcorp.com.au>