From owner-freebsd-stable Mon Jan 14 11:44:45 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 287ED37B417 for ; Mon, 14 Jan 2002 11:44:42 -0800 (PST)
Received: from caddis.yogotech.com (caddis.yogotech.com [206.127.123.130]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA16261; Mon, 14 Jan 2002 12:43:41 -0700 (MST) (envelope-from nate@yogotech.com)
Received: (from nate@localhost) by caddis.yogotech.com (8.11.6/8.11.6) id g0EJheW29695; Mon, 14 Jan 2002 12:43:40 -0700 (MST) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15427.13548.266651.846138@caddis.yogotech.com>
Date: Mon, 14 Jan 2002 12:43:40 -0700
To: Richard Nyberg
Cc: Nate Williams, Ian, Rolandas Naujikas, stable@FreeBSD.ORG
Subject: Re: tcp keepalive and dynamic ipfw rules
In-Reply-To: <20020114102351.A31319@gromit.it.su.se>
References: <20020112123054.A20486@localhost> <15424.33362.685365.782853@caddis.yogotech.com> <20020114102351.A31319@gromit.it.su.se>
X-Mailer: VM 6.96 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> > # Allow me to make TCP connections
> > ipfw add pass tcp from me to any setup
> > ipfw add pass tcp from any to any established
>
> IIRC it's better to use dynamic (keep-state and check-state) rules instead,
> because they check more state than the static.

Possibly, but leaving 'inactive' rules in the mix leaves you open for DoS
attacks just as easily.  Six of one, half-dozen of the other.

> My solution to keep my ssh sessions from hanging because I made a cup
> of coffee was to up the sysctl MIB 'net.inet.ip.fw.dyn_ack_lifetime' to
> a more reasonable value.

So, non-active TCP sessions can now get packets through since the lifetime
of the rules now exceeds the lifetime of many of your TCP sessions, so I can
now watch your firewall and punch packets through it by analyzing the data.

(In short, anyone good enough to punch through packets using the other
firewall setup is also capable of punching through packets with extended
lifetime TCP dynamic rules.)

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
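The two ipfw policies argued over in this thread, side by side with the lifetime sysctl Richard raised, as an added example that is not part of the thread or of FreeBSD itself. Rule numbers, the dry-run default, and the use of net.inet.ip.fw.dyn_max as the state-table cap are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: the two ipfw policies under discussion
# side by side, plus the sysctl Richard raised. Rule numbers are arbitrary.
# By default the commands are only printed; set IPFW=ipfw SYSCTL=sysctl to apply.
IPFW="${IPFW:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Variant A (static): pass any TCP packet with ACK or RST set ("established"),
# regardless of who sent it. No per-flow table exists, so there is nothing to
# fill up, but the firewall never checks that this host opened the flow.
static_rules() {
    $IPFW add 1000 pass tcp from me to any setup
    $IPFW add 1010 pass tcp from any to any established
}

# Variant B (dynamic): check-state matches packets against the dynamic table
# first; keep-state adds an entry for every outbound SYN the host sends. Replies
# are passed only for flows this host opened, but each entry costs kernel memory
# and is dropped after it idles for net.inet.ip.fw.dyn_ack_lifetime seconds.
dynamic_rules() {
    $IPFW add 1000 check-state
    $IPFW add 1010 pass tcp from me to any setup keep-state
}

# Idle lifetime (seconds) of an established dynamic entry. Raising it keeps an
# idle ssh session alive; it also lengthens the window Nate describes, during
# which the entry still accepts packets for a session that may already be gone.
dynamic_lifetime() {
    $SYSCTL net.inet.ip.fw.dyn_ack_lifetime="$1"
}

# Cap on the dynamic table (net.inet.ip.fw.dyn_max): the knob that bounds the
# state-exhaustion DoS Nate mentions. Once the cap is reached no new keep-state
# entries are created, so the table cannot grow without limit.
dynamic_cap() {
    $SYSCTL net.inet.ip.fw.dyn_max="$1"
}
```

Raising dyn_ack_lifetime without also bounding dyn_max trades one exposure for the other, which is the tradeoff the two posters are weighing.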