Date:      Thu, 1 May 2003 12:13:40 -0700
From:      "C_Ahlers" <>
To:        "'Antoine Jacoutot'" <>
Subject:   RE: ipfw dynamic rule timeout --> find a solution, but needconfirmation
Message-ID:  <000001c31015$c6c73ed0$0501a8c0@neptune>
In-Reply-To: <>

Here are my settings for one of my firewalls that is nearly identical to
your situation:

1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
2) net.inet.ip.fw.dyn_syn_lifetime=20
3) net.inet.ip.fw.dyn_ack_lifetime=300
4) net.inet.ip.fw.dyn_keepalive=1  

These settings are working just fine for me. 

I am curious as to how you are determining that the dynamic rules are
timing out prematurely.

Remember, just because keep-alive type packets are going back and forth
does not prevent a server application (that you are connected to) from
using some other mechanism to decide if the client is inactive, causing
the server to disconnect.

For example:
1) From my PC behind the firewall, I ftp'd, connected,
logged in, and did "ls -l"; then I just sat there.
2) Then at my firewall console I repeatedly typed: ipfw -Sad list | grep
""  ( is the IP of the PC)
3) This allowed me to observe the dynamic rules along with the timeout
value for the rule.

And what I found was that after 300 seconds, the timeout value started
counting down again with a fresh 300 seconds. Yet, after 90 seconds of
being connected without typing any commands to the ftp server, it
disconnected. Why? Because no keep-alives were being sent? Or because the
dynamic rules timed out and were torn down? No, the server got tired of
waiting for commands.


-----Original Message-----
From: Antoine Jacoutot [] 
Sent: Wednesday, April 30, 2003 10:04 AM
Subject: RE: ipfw dynamic rule timeout --> find a solution, but

Selon C_Ahlers <>: 
> I realize that the following info is not exactly what you have been
> looking for - but it is in the spirit of building that perfect 
> firewall... 
> I would just like to point out that rules 200 and 300 that deal with
> traffic to and from are NOT necessary. 
> The reason for this is simple: FreeBSD doesn't allow that traffic, 
> regardless of the presence of a firewall or not. 
> If you take a look at some source code, specifically: 
> \src\sys\netinet\ip_input.c  (~ line 357) 
> \src\sys\netinet\ip_output.c (~ line 807) 
> you will see code like the following: 
> The packets are simply dropped...
> So this means you have 2 fewer rules to worry about that just clutter
> your ruleset.
Great advice, thanks. 
So you think setting: 
is OK, right?
Thanks a lot for all the help ! 
Antoine Jacoutot  
"Unix is user friendly... It's just selective about who his friends

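Added example, not part of the original message and not ipfw's own code: a small POSIX shell script that does the "ipfw -Sad list | grep <ip>" observation described above, but parses the lines so the remaining lifetime of each dynamic rule can be read off and flows that are about to expire can be flagged. It assumes the dynamic-rule line layout of FreeBSD 4.x ipfw2 (rule number, packets, bytes, "(NNNs)", STATE, proto, src, sport, "<->", dst, dport); the listing held in SAMPLE is constructed, not a real capture, and the helper names dyn_flows, expiring_soon and min_remaining are mine.

```shell
#!/bin/sh
# Added example (not from the original message): read the expire counter of
# ipfw dynamic rules for one host instead of eyeballing "ipfw -Sad list | grep <ip>".
#
# Assumption: dynamic-rule lines look like FreeBSD 4.x ipfw2 "ipfw -d list" output:
#   RULE   PKTS   BYTES (EXPIREs) STATE PROTO SRC SPORT <-> DST DPORT
# If your ipfw prints the fields differently, adjust the $N positions in dyn_flows.

# Constructed sample of "ipfw -Sad list" output (not a real capture).
# Two flows belong to 192.168.1.5; the ssh flow is 17s from expiry.
SAMPLE='00100          0          0 allow ip from any to any via lo0
00500         12        833 check-state
## Dynamic rules (3):
00500         10       1200 (288s) STATE tcp 192.168.1.5 49152 <-> 10.0.0.1 21
00500          2        120 (17s) STATE tcp 192.168.1.5 49153 <-> 10.0.0.2 22
00500          4        300 (275s) STATE tcp 192.168.1.9 40000 <-> 10.0.0.1 80'

# dyn_flows HOST
# Reads ipfw -d output on stdin and prints "REMAINING PROTO PEER PEERPORT" for
# every dynamic rule in which HOST is either endpoint.
dyn_flows() {
    host=$1
    awk -v host="$host" '
        /STATE/ {
            secs = $4                       # "(288s)" -> 288
            gsub(/[()s]/, "", secs)
            if ($7 == host)       { peer = $10; port = $11 }
            else if ($10 == host) { peer = $7;  port = $8  }
            else next
            printf "%s %s %s %s\n", secs, $6, peer, port
        }'
}

# expiring_soon HOST THRESHOLD
# Prints the flows of HOST whose counter is below THRESHOLD seconds.
# With net.inet.ip.fw.dyn_keepalive=1 a live TCP flow should not stay in this
# list: ipfw refreshes the rule with a keepalive before it runs out, which is
# the "fresh 300 seconds" the message describes. A flow that keeps showing up
# here and then vanishes was torn down by the firewall, not by the server.
expiring_soon() {
    dyn_flows "$1" | awk -v t="$2" '$1 + 0 < t + 0'
}

# min_remaining HOST
# Prints the smallest remaining lifetime among HOST's flows, or "none".
min_remaining() {
    dyn_flows "$1" | awk 'NR == 1 || $1 + 0 < m { m = $1 + 0 } END { print (NR ? m : "none") }'
}

# On the firewall you would run, for example:
#   ipfw -Sad list | expiring_soon 192.168.1.5 30
# Offline run against the constructed sample:
printf '%s\n' "$SAMPLE" | dyn_flows 192.168.1.5
```

Run it in a loop (for example `while :; do ipfw -Sad list | expiring_soon <ip> 30; sleep 5; done`) while the idle ftp session sits there: if the ssh or ftp flow's counter climbs back up near dyn_ack_lifetime without you sending anything, the keepalives are doing their job, and a disconnect that still happens is the server's own idle timer.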