Date:      Thu, 1 May 2003 12:13:40 -0700
From:      "C_Ahlers" <freebsd@code-space.com>
To:        "'Antoine Jacoutot'" <ajacoutot@lphp.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: ipfw dynamic rule timeout --> find a solution, but needconfirmation
Message-ID:  <000001c31015$c6c73ed0$0501a8c0@neptune>
In-Reply-To: <1051722234.3eb001fabde38@webmail.lphp.org>

Here are my settings for one of my firewalls that is nearly identical to
your situation:

1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
2) net.inet.ip.fw.dyn_syn_lifetime=20
3) net.inet.ip.fw.dyn_ack_lifetime=300
4) net.inet.ip.fw.dyn_keepalive=1  

These settings are working just fine for me. 

I am curious as to how you are determining that the dynamic rules are
timing out prematurely.

Remember, just because keep-alive type packets are going back and forth
does not prevent a server application (that you are connected to) from
using some other mechanism to decide if the client is inactive, causing
the server to disconnect.

For example: 
1) From my PC behind the firewall, I ftp'd ftp.freebsd.org, connected,
logged in, and did "ls -l"; then I just sat there.
2) Then at my firewall console I repeatedly typed:
   ipfw -Sad list | grep "192.168.1.2"
   (192.168.1.2 is the IP of the PC)
3) This allowed me to observe the dynamic rules along with the timeout
value for the rule.

And what I found was that after 300 seconds, the timeout value started
counting down again with a fresh 300 seconds. Yet, after 90 seconds of
being connected without typing any commands to the ftp server, it
disconnected. Why? Because no keep-alives were being sent? Or the
dynamic rules timed out and were torn down? No, the server got tired of
waiting for commands.

C_Ahlers
freebsd@code-space.com
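An added example (not part of the original message or of ipfw itself) that scripts step 2 of the procedure above: it pulls the dynamic rules for one host out of `ipfw -Sad list` output and reports each rule's remaining lifetime, so a premature teardown can be told apart from a server-side disconnect. It assumes the FreeBSD 4.x ipfw2 dynamic-rule line layout (rule, packets, bytes, "(Ns)", STATE, proto, src, sport, <->, dst, dport); the sample output is constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Constructed sample of `ipfw -Sad list` dynamic-rule output (assumed
# layout: rule pkts bytes (secs) STATE proto src sport <-> dst dport).
SAMPLE='## Dynamic rules (3):
00300         12       1432 (300s) STATE tcp 192.168.1.2 1033 <-> 62.243.72.50 21
00300          3        180 (17s) STATE tcp 192.168.1.2 1034 <-> 62.243.72.50 80
00300          1         60 (20s) STATE udp 192.168.1.9 5353 <-> 8.8.8.8 53'

# dyn_rules HOST [INPUT]: print "proto src:sport dst:dport secs_left" for
# every dynamic rule whose source or destination address is HOST.
# With no INPUT the constructed SAMPLE is parsed; on a live firewall pass
# "$(ipfw -Sad list)" as the second argument.
dyn_rules() {
  host=$1
  input=${2:-$SAMPLE}
  printf '%s\n' "$input" | awk -v h="$host" '
    $5 == "STATE" && ($7 == h || $10 == h) {
      secs = $4
      gsub(/[()s]/, "", secs)          # "(300s)" -> "300"
      printf "%s %s:%s %s:%s %s\n", $6, $7, $8, $10, $11, secs
    }'
}

# expiring_soon HOST THRESHOLD [INPUT]: count HOST's dynamic rules with less
# than THRESHOLD seconds left, i.e. the ones that will be torn down unless a
# keep-alive (dyn_keepalive=1) or real traffic refreshes them first.
expiring_soon() {
  input=${3:-$SAMPLE}
  dyn_rules "$1" "$input" | awk -v t="$2" '$NF + 0 < t + 0 { n++ } END { print n + 0 }'
}

# Usage on the sample: list the PC's rules, then count those under 60s.
dyn_rules 192.168.1.2
expiring_soon 192.168.1.2 60
```

Run it repeatedly (as in step 2) and a rule whose countdown jumps back to the configured lifetime while the session sits idle confirms the keep-alive is doing its job.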

-----Original Message-----
From: Antoine Jacoutot [mailto:ajacoutot@lphp.org] 
Sent: Wednesday, April 30, 2003 10:04 AM
To: freebsd@code-space.com
Cc: freebsd-ipfw@freebsd.org
Subject: RE: ipfw dynamic rule timeout --> find a solution, but
needconfirmation


Selon C_Ahlers <freebsd@code-space.com>: 
> I realize that the following info is not exactly what you have been
> looking for - but it is in the spirit of building that perfect 
> firewall... 
 
:-)) 
 
> I would just like to point out that rules 200 and 300 that deal with
> traffic to and from 127.0.0.0/8 are NOT necessary. 
> The reason for this is simple: FreeBSD doesn't allow that traffic, 
> regardless of the presence of a firewall or not. 
> If you take a look at some source code, specifically: 
> \src\sys\netinet\ip_input.c  (~ line 357) 
> \src\sys\netinet\ip_output.c (~ line 807) 
> you will see code like the following: 
[...] 
> The packets are simply dropped...
> So this means you have 2 less rules to worry about that just clutter 
> your ruleset. 
 
Great advice, thanks. 
So you think setting: 
net.inet.ip.fw.dyn_syn_lifetime=300 
net.inet.ip.fw.dyn_ack_lifetime=300 
 
is OK, right?
 
Thanks a lot for all the help!
 
--  
Antoine Jacoutot  
ajacoutot@lphp.org  
http://www.lphp.org  
"Unix is user friendly... It's just selective about who his friends
are..."  
