Date: Mon, 4 Sep 2000 14:27:46 -0500 (CDT)
From: missnglnk <missnglnk@sneakerz.org>
To: freebsd-ipfw@freebsd.org
Subject: Issues with ipfw(8)'s dynamic rules
Message-ID: <Pine.BSF.4.21.0009041335360.34920-100000@sneakerz.org>
I found some undesirable side effects with ipfw's dynamic rules as I was toying with it today.

a) Expired Dynamic Rules Aren't Really Expired

I noticed that once a dynamic rule expires (hitting its respective timeout value), it's not removed from the dynamic table (unless the dynamic table is full), so the connection is still allowed to continue instead of being dropped. The only indications that an expired connection is still in use are the "invalid state" messages that are sent to the console, and the combined analyzation of ipfw(8) and netstat(1) output.

My Solution: Remove expired UDP and ICMP dynamic rules from the table, and for expired TCP connections send an RST to both sides of the connection, and then remove expired TCP dynamic rules from the table.

b) Premature Rule Expiration

TCP connections will expire prematurely if the connection has been idle longer than the dynamic state ACK lifetime, but shorter than the TCP keepalive interval. This would result in "Connection reset by peer" messages, but since the first issue is still present, it only results in "invalid state" messages being sent to the console.

My Solution: By default, set the dynamic state ACK lifetime to the TCP keepalive interval, and warn the user if he/she sets the dynamic state ACK lifetime to a value less than the TCP keepalive interval.

P.S. My solutions are only suggested solutions.

--
missnglnk@sneakerz.org
http://www.sneakerz.org/~missnglnk/
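The mismatch described in (b) can be checked from userland without touching the kernel. The script below is an added example, not code from the mail or from the FreeBSD project: it compares ipfw's dynamic-rule ACK lifetime with the TCP keepalive idle interval and reports the suggested value. It assumes the sysctl names net.inet.ip.fw.dyn_ack_lifetime (seconds) and net.inet.tcp.keepidle (milliseconds on current FreeBSD; older releases used other units, so confirm the units for the release in use). The comparison functions take the values as arguments so they can be exercised anywhere; the live sysctl query only runs on FreeBSD.

```shell
#!/bin/sh
# Added example (not from the original mail): compare ipfw's dynamic-rule ACK
# lifetime with the TCP keepalive idle interval, as suggested in (b) above.
# Assumptions: net.inet.ip.fw.dyn_ack_lifetime is in seconds and
# net.inet.tcp.keepidle is in milliseconds (units on current FreeBSD).

# Usage: check_dyn_ack_vs_keepalive <dyn_ack_lifetime_seconds> <keepidle_milliseconds>
# Prints OK or WARN and returns 0 or 1 accordingly.
check_dyn_ack_vs_keepalive() {
    ack_lifetime=$1
    keepidle_ms=$2
    keepidle_s=$((keepidle_ms / 1000))
    if [ "$ack_lifetime" -lt "$keepidle_s" ]; then
        echo "WARN: dyn_ack_lifetime (${ack_lifetime}s) is shorter than keepidle (${keepidle_s}s); an idle TCP session loses its dynamic rule before the first keepalive probe"
        return 1
    fi
    echo "OK: dyn_ack_lifetime (${ack_lifetime}s) >= keepidle (${keepidle_s}s)"
    return 0
}

# The mail's suggested default: ACK lifetime equal to the keepalive interval.
# Usage: suggested_dyn_ack_lifetime <keepidle_milliseconds>  -> seconds
suggested_dyn_ack_lifetime() {
    echo $(( $1 / 1000 ))
}

# Query the live values only on FreeBSD; elsewhere the functions can still be
# called with values read from another host.
if [ "$(uname -s 2>/dev/null)" = "FreeBSD" ]; then
    ack=$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime 2>/dev/null)
    idle=$(sysctl -n net.inet.tcp.keepidle 2>/dev/null)
    if [ -n "$ack" ] && [ -n "$idle" ]; then
        check_dyn_ack_vs_keepalive "$ack" "$idle" || \
            echo "Suggested: sysctl net.inet.ip.fw.dyn_ack_lifetime=$(suggested_dyn_ack_lifetime "$idle")"
    fi
fi
```

With the stock defaults of 300 s for dyn_ack_lifetime and 7200000 ms for keepidle, the check warns, which is exactly the idle-longer-than-ACK-lifetime but shorter-than-keepalive window the mail describes; raising the ACK lifetime to the keepalive interval closes it at the cost of a larger dynamic table.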