Date: Mon, 4 Sep 2000 14:27:46 -0500 (CDT) From: missnglnk <missnglnk@sneakerz.org> To: freebsd-ipfw@freebsd.org Subject: Issues with ipfw(8)'s dynamic rules Message-ID: <Pine.BSF.4.21.0009041335360.34920-100000@sneakerz.org>
I found some undesirable side effects with ipfw's dynamic
rules as I was toying with it today.
a) Expired Dynamic Rules Aren't Really Expired
I noticed that once a dynamic rule expires (hitting its respective
timeout value), it's not removed from the dynamic table (unless
the dynamic table is full), so the connection is still allowed to
continue instead of being dropped. The only indications that an
expired connection is still in use are the "invalid state" messages
that are sent to the console, and the combined analysis of
ipfw(8) and netstat(1) output.
My Solution: Remove expired UDP and ICMP dynamic rules from the
table, and for expired TCP connections send an RST
to both sides of the connection, and then remove
expired TCP dynamic rules from the table.
b) Premature Rule Expiration
TCP connections will expire prematurely if the connection has been
idle longer than the dynamic state ACK lifetime, but shorter than
the TCP keepalive interval. This would result in "Connection reset
by peer" messages, but since the first issue is still present, it
only results in "invalid state" messages being sent to the console.
My Solution: By default, set the dynamic state ACK lifetime to the
TCP keepalive interval, warn user if he/she sets the
dynamic state ACK lifetime to a value less than the
TCP keepalive interval.
P.S. My solutions are only suggested solutions.
--
missnglnk@sneakerz.org
http://www.sneakerz.org/~missnglnk/
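The mismatch behind issue (b) is easy to check on a running box. The script below is an added example, not code from the post or from the ipfw project: it compares ipfw's dynamic-rule ACK lifetime with the TCP keepalive idle time and prints the value the post proposes as the default. It assumes the FreeBSD sysctl names net.inet.ip.fw.dyn_ack_lifetime (seconds) and net.inet.tcp.keepidle (milliseconds); when those sysctls are not readable (for instance on a non-FreeBSD host) it falls back to the stock defaults of 300 s and 7200000 ms, which are assumed values, so the functions can also be exercised with explicit arguments.

```shell
#!/bin/sh
# Added example (not from the original post): detect the dyn_ack_lifetime /
# TCP keepalive mismatch described under "Premature Rule Expiration".
# Assumed sysctl names (FreeBSD): net.inet.ip.fw.dyn_ack_lifetime (seconds)
# and net.inet.tcp.keepidle (milliseconds).

# check_ack_lifetime ACK_LIFETIME_SECS KEEPIDLE_MS
# Returns 0 when an idle TCP session gets its first keepalive before the
# dynamic rule times out, 1 when the rule expires first (the premature case).
check_ack_lifetime() {
    ack_secs=$1
    keepidle_ms=$2
    keepidle_secs=$((keepidle_ms / 1000))
    if [ "$ack_secs" -lt "$keepidle_secs" ]; then
        echo "WARNING: dyn_ack_lifetime=${ack_secs}s < tcp keepidle=${keepidle_secs}s;" \
             "idle TCP sessions lose their dynamic rule before the first keepalive"
        return 1
    fi
    echo "OK: dyn_ack_lifetime=${ack_secs}s >= tcp keepidle=${keepidle_secs}s"
    return 0
}

# suggested_ack_lifetime KEEPIDLE_MS
# Prints the ACK lifetime (seconds) the post suggests as the default:
# the TCP keepalive idle interval itself.
suggested_ack_lifetime() {
    echo $(($1 / 1000))
}

# Read the live values where sysctl exposes them; otherwise fall back to the
# assumed stock defaults (300 s and 7200000 ms) so the script runs anywhere.
main() {
    ack=$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime 2>/dev/null || echo 300)
    keep=$(sysctl -n net.inet.tcp.keepidle 2>/dev/null || echo 7200000)
    check_ack_lifetime "$ack" "$keep" || \
        echo "Fix: sysctl net.inet.ip.fw.dyn_ack_lifetime=$(suggested_ack_lifetime "$keep")"
}

main
```

With the assumed defaults the check warns, since 300 s is far below the 7200 s keepalive idle time, and prints the sysctl that raises the lifetime to match. For issue (a), the companion check is to list the dynamic table: later ipfw(8) versions accept -e together with -d to include expired dynamic rules in the listing, which is where an expired entry that is still passing traffic would show up.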
