From: Alexander Yeremenko
Reply-To: ay@sita.kiev.ua
Date: Sun, 22 Dec 2002 12:55:18 +0200
To: freebsd-ipfw@freebsd.org
Cc: freebsd-questions@freebsd.org, uanog@uanog.kiev.ua
Subject: ipfw count Q
Message-ID: <20021222125518.A84159@sita.kiev.ua>

I have a box running as a router. Network A.B.C/Z is connected via ppp0.

router:/rc.firewall :

    ipfw add 10 count all from any to any via ppp0
    ipfw add 15 count all from any to A.B.C/Z
    ipfw add 15 count all from A.B.C/Z to any

Rules 10 and 15 give absolutely different results. What's wrong?
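As an added illustration of why the two counters in Alexander's question diverge (example code written for this page, not from the thread), the script below models how ipfw evaluates a packet once on every interface it crosses: a forwarded packet is inspected on input and again on output, while traffic that starts or ends on the router itself is inspected only once. Rule 10 (`via ppp0`) matches only the pass that happens on ppp0; the two address-based rule 15 entries ignore the interface and match on every pass. The addresses, interface names (fxp0 for the LAN, ppp0 for the uplink), the 10.1.1.0/24 network standing in for A.B.C/Z and the packet log are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: a small model of how
# ipfw evaluates the two counting rules from the question.
# Assumptions (not facts from the thread): the LAN is 10.1.1.0/24 behind fxp0,
# ppp0 is the uplink, and the router's own addresses are 10.1.1.1 (LAN side)
# and 192.0.2.1 (ppp0 side).
#
# ipfw inspects a packet on every interface it crosses: a forwarded packet is
# seen once on input and once on output; traffic that starts or ends on the
# router is seen only once. "via ppp0" matches only the pass on ppp0, while
# "from/to A.B.C/Z" ignores the interface and matches on every pass.

NET=10.1.1.0/24

# Constructed packet log: src dst in_iface out_iface ("-" = no such pass).
PACKETS='10.1.1.5 198.51.100.7 fxp0 ppp0
198.51.100.7 10.1.1.5 ppp0 fxp0
203.0.113.9 192.0.2.1 ppp0 -
192.0.2.1 203.0.113.9 - ppp0
10.1.1.5 10.1.1.1 fxp0 -'

# count_rules NET: read the packet log on stdin and print the packet totals
# that rule 10 (count all from any to any via ppp0) and rule 15 (the pair of
# count rules from/to NET) would accumulate, as "rule10=<n> rule15=<m>".
count_rules() {
    awk -v net="$1" '
    function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256+a[2])*256+a[3])*256+a[4] }
    function in_net(ip,  p) {   # prefix comparison; avoids bitwise ops, which POSIX awk lacks
        p = 2 ^ (32 - plen)
        return int(ip2int(ip) / p) == int(netaddr / p)
    }
    function pass(src, dst, iface) {   # one traversal of the rule set
        if (iface == "ppp0") r10++          # rule 10: via ppp0
        if (in_net(dst)) r15++              # rule 15: from any to NET
        if (in_net(src)) r15++              # rule 15: from NET to any
    }
    BEGIN { split(net, n, "/"); netaddr = ip2int(n[1]); plen = n[2] }
    NF == 4 {
        if ($3 != "-") pass($1, $2, $3)     # input pass on the receiving interface
        if ($4 != "-") pass($1, $2, $4)     # output pass on the sending interface
    }
    END { printf "rule10=%d rule15=%d\n", r10, r15 }'
}

printf '%s\n' "$PACKETS" | count_rules "$NET"
```

For the constructed log the model reports `rule10=4 rule15=6`: each forwarded packet is counted twice by rule 15 and once by rule 10, the router's own traffic on ppp0 is counted only by rule 10, and LAN traffic to the router's LAN address is counted only by rule 15. When the goal is to count the network's traffic exactly once per direction, adding `in` or `out` and the interface to the rule (for example `count all from A.B.C/Z to any out via ppp0`) pins the rule to a single pass.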
--
AY7-UANIC || AY15-RIPE

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: Ilya
Reply-To: mail@krel.org
Date: Thu, 26 Dec 2002 00:06:09 -0500
To: ipfw
Subject: keepalive incoming does not keep connection alive
Message-ID: <20021226050609.GA88329@krel.org>

Hi.

I am running 4.7-STABLE with ipfw2. Outgoing traffic from the LAN is NAT'ed and works flawlessly. However, for incoming traffic (ssh especially is the one which gives me problems) the incoming dynamic rule times out after 300 sec, and even though I have keepalive set to 1 the rule does not refresh. I can increase net.inet.ip.fw.dyn_syn_lifetime to 3000 and have it time out in 10 min, but that's not really a solution. I saw a patch by Aaron, but he mentions that his patch is now pretty much obsolete because of keepalive.
I've seen multiple reports on Google about the same behaviour, but never a solution to it. Below are the relevant rules and sysctls:

    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.autoinc_step: 100
    net.inet.ip.fw.one_pass: 1
    net.inet.ip.fw.debug: 1
    net.inet.ip.fw.verbose: 1
    net.inet.ip.fw.verbose_limit: 200
    net.inet.ip.fw.dyn_buckets: 4096
    net.inet.ip.fw.curr_dyn_buckets: 4096
    net.inet.ip.fw.dyn_count: 11
    net.inet.ip.fw.dyn_max: 4096
    net.inet.ip.fw.static_count: 21
    net.inet.ip.fw.dyn_ack_lifetime: 300
    net.inet.ip.fw.dyn_syn_lifetime: 3000
    net.inet.ip.fw.dyn_fin_lifetime: 1
    net.inet.ip.fw.dyn_rst_lifetime: 1
    net.inet.ip.fw.dyn_udp_lifetime: 300
    net.inet.ip.fw.dyn_short_lifetime: 300
    net.inet.ip.fw.dyn_keepalive: 1

/etc/sysctl.conf:

    vfs.vmiodirenable=1
    kern.ipc.maxsockbuf=2097152
    kern.ipc.somaxconn=8192
    kern.maxfiles=65536
    kern.maxfilesperproc=32768
    net.inet.tcp.rfc1323=1
    net.inet.tcp.delayed_ack=0
    net.inet.tcp.sendspace=65535
    net.inet.tcp.recvspace=65535
    net.inet.udp.recvspace=65535
    net.inet.udp.maxdgram=57344
    net.local.stream.recvspace=65535
    net.local.stream.sendspace=65535
    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1
    kern.ipc.maxsockets=16424
    net.inet.ip.fw.dyn_buckets=2048
    net.inet.ip.fw.dyn_max=4096
    net.inet.ip.fw.dyn_syn_lifetime=3000
    net.inet.ip.fw.dyn_udp_lifetime=300
    net.inet.ip.fw.dyn_ack_lifetime=300
    net.inet.ip.fw.dyn_short_lifetime=300

    ipfw add allow tcp from any to $ip 22 setup keep-state via $inter

The rule is created successfully and everything runs excellently until the connection is left unattended.
If you have any suggestion on debugging the keepalive, or making it work, please let me know. Thank you.


Date: Sun, 29 Dec 2002 03:28:58 +0100
From: Alex
Message-ID: <17452083522.20021229032858@dds.nl>
To: Alexander Yeremenko
Cc: fbsd-ipfw@sita.kiev.ua
Subject: Re: ftpd through firewall
In-Reply-To: <20021214131949.A54596@sita.kiev.ua>
References: <200212141115.gBEBFh754575@sima.sita.kiev.ua> <20021214131949.A54596@sita.kiev.ua>

Dear/Beste Alexander,

Saturday, December 14, 2002, 12:20:26 PM, you wrote:

> I have a box, running lukemftpd with rc.firewall, containing:
> ${ipfw} add pass all from me to any
> ${ipfw} add pass tcp from any to me ftp
> ${ipfw} add pass udp from any to me
> When trying to execute ls or get from remote server session hangs
> in a state SYN_SENT, even if ftp -p executes.

    192.168.31.48.4909 > unix1.ftp
    unix1.ftp > 192.168.31.48.4909
    192.168.31.48.4909 > unix1.ftp
    unix1.ftp-data > 192.168.31.48.4912
    192.168.31.48.4912 > unix1.ftp-data
    unix1.ftp-data > 192.168.31.48.4912
    unix1.ftp > 192.168.31.48.4909
    unix1.ftp > 192.168.31.48.4909
    unix1.ftp-data > 192.168.31.48.4912
    192.168.31.48.4909 > unix1.ftp
    192.168.31.48.4912 > unix1.ftp-data
    192.168.31.48.4912 > unix1.ftp-data
    unix1.ftp-data > 192.168.31.48.4912

Using tcpdump I got these packets for an ls with ftp. So you need to pass two ports for normal ftp usage.

> ${ipfw} add pass all from me to any
> ${ipfw} add pass tcp from any to me ftp
> ${ipfw} add pass udp from any to me

Why are you allowing udp to pass unconditionally?

--
Best regards/Met vriendelijke groet,
Alex
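As an added example of the check Alex is describing (example code written for this page, not Alex's or the FreeBSD project's), the script below reads a tcpdump-style "src > dst" listing, works out which ports on the server receive inbound packets and which side sent the first packet of each conversation, and prints the stateless ipfw rules that would admit the missing inbound leg. The flow list is constructed after the listing in Alex's reply, with the server named unix1 as there; the `established` keyword is ipfw's own (it matches packets carrying ACK or RST, i.e. the non-opening packets of a connection).

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: derive the inbound
# ports a stateless ipfw ruleset must admit from a "src > dst" flow listing.
# The listing below is constructed after the tcpdump output in Alex's reply;
# the server is named unix1 and the client is 192.168.31.48.

SAMPLE_FLOWS='192.168.31.48.4909 > unix1.ftp
unix1.ftp > 192.168.31.48.4909
192.168.31.48.4909 > unix1.ftp
unix1.ftp-data > 192.168.31.48.4912
192.168.31.48.4912 > unix1.ftp-data
unix1.ftp-data > 192.168.31.48.4912
unix1.ftp > 192.168.31.48.4909
unix1.ftp > 192.168.31.48.4909
unix1.ftp-data > 192.168.31.48.4912
192.168.31.48.4909 > unix1.ftp
192.168.31.48.4912 > unix1.ftp-data
192.168.31.48.4912 > unix1.ftp-data
unix1.ftp-data > 192.168.31.48.4912'

# initiators HOST: read "src > dst" lines on stdin (chronological, as tcpdump
# prints them) and print "<port> remote|local" for every HOST port involved:
# "remote" if the peer sent the first packet to that port, "local" if HOST
# opened the conversation from it. Host and port are split at the last dot.
initiators() {
    awk -v h="$1" '
    function hostof(e,  n, a) { n = split(e, a, "."); return substr(e, 1, length(e) - length(a[n]) - 1) }
    function portof(e,  n, a) { n = split(e, a, "."); return a[n] }
    $2 == ">" {
        if (hostof($3) == h && !(portof($3) in init)) init[portof($3)] = "remote"
        else if (hostof($1) == h && !(portof($1) in init)) init[portof($1)] = "local"
    }
    END { for (p in init) print p, init[p] }' | LC_ALL=C sort
}

# suggest_rules HOST: turn the initiator table into stateless ipfw rules.
# A port the peer connects to needs inbound SYNs admitted; a port HOST
# connects from (ftp-data in active mode) only needs the replies, so the
# rule is restricted with "established" and port 20 stays closed to new
# connections.
suggest_rules() {
    initiators "$1" | while read -r port who; do
        case "$who" in
            remote) printf 'ipfw add pass tcp from any to me %s\n' "$port" ;;
            local)  printf 'ipfw add pass tcp from any to me %s established\n' "$port" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_FLOWS" | suggest_rules unix1
```

On the constructed listing the control connection (ftp) is opened by the client and the data connection (ftp-data) by the server, so the ruleset in the question admits the first but drops the client's replies to the second, which is exactly the SYN_SENT hang Alexander saw; the second rule printed is the one that was missing. With ipfw2's `keep-state` the same effect is obtained by one dynamic rule, but for a stateless ruleset the `established` restriction is what keeps the data port from becoming a second open service.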