Date: Mon, 14 Jan 2002 12:43:40 -0700
From: Nate Williams <nate@yogotech.com>
To: Richard Nyberg <rnyberg@it.su.se>
Cc: Nate Williams <nate@yogotech.com>, Ian <freebsd@damnhippie.dyndns.org>, Rolandas Naujikas <rolnauj@delfi.lt>, stable@FreeBSD.ORG
Subject: Re: tcp keepalive and dynamic ipfw rules
Message-ID: <15427.13548.266651.846138@caddis.yogotech.com>
In-Reply-To: <20020114102351.A31319@gromit.it.su.se>
References: <20020112123054.A20486@localhost> <B865C95B.911F%freebsd@damnhippie.dyndns.org> <15424.33362.685365.782853@caddis.yogotech.com> <20020114102351.A31319@gromit.it.su.se>
> > # Allow me to make TCP connections
> > ipfw add pass tcp from me to any setup
> > ipfw add pass tcp from any to any established
>
> IIRC it's better to use dynamic (keep-state and check-state) rules instead,
> because they check more state than the static.

Possibly, but leaving 'inactive' rules in the mix leaves you open for DoS
attacks just as easily.  Six of one, half-dozen of the other.

> My solution to keep my ssh sessions from hanging because I made a cup
> of coffee was to up the sysctl MIB 'net.inet.ip.fw.dyn_ack_lifetime' to
> a more reasonable value.

So, non-active TCP sessions can now get packets through since the lifetime
of the rules now exceeds the lifetime of many of your TCP sessions, so I can
now watch your firewall and punch packets through it by analyzing the data.

(In short, anyone good enough to punch through packets using the other
firewall setup is also capable of punching through packets with extended
lifetime TCP dynamic rules.)

Nate
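The trade-off the two posters are arguing about can be made concrete with a small model. The following Python is an added illustration, not code from the thread or from FreeBSD: it treats a keep-state rule as refreshed by any matching packet and deleted after net.inet.ip.fw.dyn_ack_lifetime seconds of silence, and an idle TCP session with SO_KEEPALIVE as sending a probe (immediately acknowledged) after net.inet.tcp.keepidle seconds. The default values are assumptions for illustration; substitute your own sysctl output.

```python
"""Idle TCP session vs. ipfw dynamic-rule lifetime (simplified model)."""
from typing import List, Optional

# Assumed defaults for illustration, not values quoted in the thread.
DYN_ACK_LIFETIME = 300   # net.inet.ip.fw.dyn_ack_lifetime, seconds
TCP_KEEPIDLE = 7200      # net.inet.tcp.keepidle, seconds (sysctl reports ms)


def packet_times(idle_seconds: int, keepidle: Optional[int]) -> List[int]:
    """Seconds (since the last real data) at which the session emits a packet
    during an idle stretch that ends when the user types again.
    Without keepalive nothing at all is sent until then."""
    if keepidle is None:
        return [idle_seconds]
    probes = list(range(keepidle, idle_seconds, keepidle))
    return probes + [idle_seconds]


def rule_survives(idle_seconds: int, lifetime: int = DYN_ACK_LIFETIME,
                  keepidle: Optional[int] = None) -> bool:
    """True if the dynamic rule still exists when the user's next packet
    arrives, i.e. no gap between consecutive packets reaches the lifetime."""
    last = 0
    for t in packet_times(idle_seconds, keepidle):
        if t - last >= lifetime:
            return False          # rule expired: the session hangs
        last = t
    return True


def max_silent_window(lifetime: int, keepidle: Optional[int]) -> int:
    """Longest stretch a rule stays open with no packet crossing the firewall,
    the exposure Nate is pointing at. Raising the lifetime widens it; a
    keepalive shorter than the lifetime narrows it to the probe interval."""
    if keepidle is None or keepidle >= lifetime:
        return lifetime
    return keepidle


if __name__ == "__main__":
    coffee_break = 900  # constructed: 15 minutes away from the keyboard
    print("defaults, no keepalive:", rule_survives(coffee_break))
    print("lifetime raised to 3600:", rule_survives(coffee_break, 3600),
          "silent window", max_silent_window(3600, None))
    print("keepidle 120, lifetime 300:", rule_survives(coffee_break, 300, 120),
          "silent window", max_silent_window(300, 120))
```

With the assumed defaults a 15-minute break outlives the rule; raising the lifetime to an hour rescues the session at the cost of an hour-long window in which an idle rule stays open, whereas a keepalive shorter than the lifetime rescues it while keeping that window at the probe interval.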
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15427.13548.266651.846138>