Subject: ipfw, keep-state and ssh
From: Harald Schmalzbauer
To: freebsd-stable@freebsd.org
Date: 08 Dec 2001 12:06:22 -0100
Message-Id: <1007816782.618.0.camel@adm01.belenus.com>

Hello,

today I set up a packet filter with ipfw. The last time I had used it was long before 4.0, so keep-state is new to me (for IPFW; I know it from IPFilter). I rewrote my complete ruleset, but it should be identical to the IPFilter set before.

Unfortunately my ssh connection gets dropped regularly. Sometimes even while typing!! I have enabled fragmented packets, so until now the disconnect while typing has gone, but with the default dyna_ack lifetime of 300 the connection closes reliably.

How can I tell sshd to send Keepalive in shorter intervals? I only saw that the non-default ClientAlive can be adjusted. Is it reasonable to use that instead?

Or should I set another rule for tcp-ack pass? But then keep-state is useless for TCP.

Perhaps somebody can have a look over my rules if I made big mistakes. Is the "check-state" really needed (rule #500)?

Thanks,
-Harry

add 500 check-state
add 750 pass icmp from any to 195.27.12.131/32 icmptypes 0,3,4,8,11,16 in recv xl1
add 755 pass udp from 195.27.12.128/26 to 195.27.12.131/32 53 keep-state
add 756 pass udp from 195.27.12.128/26 to 195.27.12.131/32 123 keep-state
add 757 pass udp from 195.27.12.128/26 to 195.27.12.124/32 123 keep-state
add 800 pass udp from 195.27.12.0/25 to 195.27.12.124/32 53 in recv xl0 keep-state
add 801 pass udp from 195.27.12.0/25 to 195.27.12.124/32 123 in recv xl0 keep-state
add 802 pass udp from 195.27.12.0/25 to 195.27.12.131/32 123 in recv xl0 keep-state
add 803 pass tcp from 195.27.12.0/25 to 195.27.12.124/32 8880 in recv xl0 setup keep-state
add 804 pass udp from 195.27.12.0/25 to 195.27.12.124/32 8880 in recv xl0 keep-state
add 805 pass tcp from 195.27.12.70/32 to 195.27.12.124/32 22 in recv xl0 setup keep-state
add 806 pass tcp from 195.27.12.105/32 to 195.27.12.124/32 1281 in recv xl0 setup keep-state
add 810 pass tcp from 195.27.12.192/26 to 195.27.12.124/32 22 in recv xl0 setup keep-state
add 811 pass udp from 195.27.12.192/26 to 195.27.12.124/32 53 in recv xl0 keep-state
add 812 pass udp from 195.27.12.192/26 to 195.27.12.124/32 123 in recv xl0 keep-state
add 813 pass udp from 195.27.12.192/26 to 195.27.12.131/32 123 in recv xl0 keep-state
add 814 pass tcp from 195.27.12.192/26 to 195.27.12.124/32 8880 in recv xl0 setup keep-state
add 815 pass udp from 195.27.12.192/26 to 195.27.12.124/32 8880 in recv xl0 keep-state
add 850 pass all from 195.27.12.131/32 to any out xmit xl1 keep-state
add 900 pass icmp from 195.27.12.124 to any keep-state
add 1000 pass tcp from 195.27.12.132/32 to 195.27.12.126/32 25 in recv xl1 setup keep-state
add 1100 pass udp from 195.27.12.133/32 to 195.27.12.125/32 111 in recv xl1 keep-state
add 1200 pass udp from 195.27.12.133/32 to 195.27.12.125/32 600-1023 in recv xl1 keep-state
add 1300 pass tcp from 195.27.12.133/32 to 195.27.12.122/32 3306 in recv xl1 setup keep-state
add 1400 pass tcp from 195.27.12.133/32 to 195.27.12.106/32 139 keep-state in recv xl1 setup
add 1500 pass tcp from 195.27.12.133/32 to 195.27.12.126/32 139 keep-state in recv xl1 setup
add 5000 pass all from 195.27.12.0/25 to 195.27.12.128/26 in recv xl0 keep-state
add 5100 pass all from 195.27.12.192/26 to 195.27.12.128/26 in recv xl0 keep-state
add 6000 pass icmp from 195.27.12.0/25 to any icmptypes 8
add 6001 pass icmp from any to 195.27.12.0/25 icmptypes 0,3,4,11,16
add 6010 pass icmp from 195.27.12.192/26 to any icmptypes 8
add 6011 pass icmp from any to 195.27.12.192/26 icmptypes 0,3,4,11,16
add 10000 deny all from any to 195.27.12.127
add 10001 deny all from any to 195.27.12.191
add 10002 deny all from any to 195.27.12.255
add 10003 deny all from any to 255.255.255.255
add 10004 deny all from any to 224.0.0.1
add 20000 allow all from 195.27.12.128/26 to 195.27.12.0/25 frag
add 20000 allow all from 195.27.12.0/25 to 195.27.12.128/26 frag
add 65532 unreach 3 all from any to 195.27.12.131/32
add 65533 unreach 3 all from any to 195.27.12.124/32
add 65534 unreach 3 log logamount 5000 all from any to any
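The two questions in the post (is rule 500's check-state needed, and why does an idle ssh session die once the dynamic rule's lifetime runs out) can be checked mechanically. The script below is an added example, not code from the post or from FreeBSD: it parses rules in the `add N ...` form the post uses, reports rule numbers used twice (the post has 20000 twice), finds the rule at which ipfw first consults the dynamic ruleset (per ipfw(8), the first check-state, or, if there is none, the first keep-state rule), and flags TCP keep-state rules for port 22 whose session would outlive the `net.inet.ip.fw.dyn_ack_lifetime` default of 300 seconds unless sshd's ClientAliveInterval is set below that value. The ruleset excerpt embedded in it is constructed from the post; the function names and the `alive_interval` parameter are this example's own.

```python
import re
from collections import Counter

# Constructed excerpt of the ruleset from the post (rule syntax as posted).
RULESET = """\
add 500 check-state
add 805 pass tcp from 195.27.12.70/32 to 195.27.12.124/32 22 in recv xl0 setup keep-state
add 810 pass tcp from 195.27.12.192/26 to 195.27.12.124/32 22 in recv xl0 setup keep-state
add 1300 pass tcp from 195.27.12.133/32 to 195.27.12.122/32 3306 in recv xl1 setup keep-state
add 20000 allow all from 195.27.12.128/26 to 195.27.12.0/25 frag
add 20000 allow all from 195.27.12.0/25 to 195.27.12.128/26 frag
add 65534 unreach 3 log logamount 5000 all from any to any
"""

# Default of the sysctl net.inet.ip.fw.dyn_ack_lifetime, in seconds.
DEFAULT_DYN_ACK_LIFETIME = 300

RULE_RE = re.compile(r"^\s*add\s+(\d+)\s+(.+?)\s*$")


def parse_rules(text):
    """Return [(number, [tokens])] in the order the rules were added."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2).split()))
    return rules


def duplicate_numbers(rules):
    """Rule numbers used more than once. ipfw accepts this, but 'ipfw delete N'
    then removes every rule carrying that number."""
    counts = Counter(num for num, _ in rules)
    return sorted(n for n, c in counts.items() if c > 1)


def first_dynamic_checkpoint(rules):
    """The rule at which ipfw consults the dynamic ruleset: the first
    check-state, or, when none precedes it, the first keep-state rule."""
    for num, toks in rules:
        if toks == ["check-state"]:
            return num, "check-state"
        if "keep-state" in toks:
            return num, "keep-state"
    return None


def stateful_tcp_rules(rules):
    """(number, destination port) for every TCP keep-state rule with a port."""
    out = []
    for num, toks in rules:
        if "keep-state" in toks and len(toks) > 1 and toks[1] == "tcp" and "to" in toks:
            i = toks.index("to")
            if i + 2 < len(toks) and toks[i + 2].replace("-", "").isdigit():
                out.append((num, toks[i + 2]))
    return out


def audit(text, dyn_ack_lifetime=DEFAULT_DYN_ACK_LIFETIME, alive_interval=None):
    """Findings a reviewer would raise about a keep-state ruleset.
    alive_interval is sshd's ClientAliveInterval (None or 0 means off)."""
    rules = parse_rules(text)
    findings = []
    for n in duplicate_numbers(rules):
        findings.append(f"rule number {n} used more than once")
    cp = first_dynamic_checkpoint(rules)
    if cp is None:
        findings.append("no check-state or keep-state rule: dynamic ruleset is never consulted")
    elif cp[1] == "keep-state":
        findings.append(f"no check-state before first keep-state rule {cp[0]}; dynamic matching starts there")
    for num, port in stateful_tcp_rules(rules):
        # An idle ssh session sends nothing, so its dynamic rule expires after
        # dyn_ack_lifetime seconds and the next packet no longer matches it.
        if port == "22" and (not alive_interval or alive_interval >= dyn_ack_lifetime):
            findings.append(
                f"rule {num}: ssh session idle longer than {dyn_ack_lifetime}s loses its "
                f"dynamic rule; set ClientAliveInterval below {dyn_ack_lifetime}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(RULESET):
        print(finding)
```

Two points the script encodes: sshd's TCP-level keepalive option depends on the kernel's `net.inet.tcp.keepidle`, which defaults to two hours on FreeBSD, so it cannot refresh a 300-second dynamic rule; `ClientAliveInterval` instead sends messages through the encrypted channel at the configured interval, and the script treats a value below `dyn_ack_lifetime` as sufficient. With the post's rule 500 in place the checkpoint is the check-state rule, so the script raises nothing about it; remove that rule and it reports that dynamic matching starts at the first keep-state rule instead.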