Date: Fri, 6 Dec 2002 20:56:19 -0500
From: Paul Mather <paul@gromit.dlib.vt.edu>
To: current@freebsd.org
Subject: IPFW2 keepalive?
Message-ID: <20021207015619.GA23658@gromit.dlib.vt.edu>
Please forgive me if this is an elementary question or mistake on my part. I'm most familiar with ipfilter, and am a relative newcomer to ipfw. That said, the problem I am having is that IPFW2 stateful rules do not seem to persist via keepalives, as the man page suggests they should. Does anyone else have this problem? (Is this a bug in the implementation, or in my application of it?)

I can see a dynamic rule created, but it will vanish if idle for more than 300 seconds. For example, I can slogin to another machine and then leave that remote login idle. Meanwhile, in another terminal, I can use "ipfw -d show" to see the idle timer on the rule for that remote login count down to zero and eventually expire the rule. If I then type something into the remote SSH session, I get "Write failed: Permission denied."

I've also noticed this kind of thing happen, for example, when reading mail via IMAP using mutt. If I spend too long reading a message (e.g., a long digest), I will get a message indicating the mailbox was lost, even though the remote imap session still has the mailbox open.

I'm testing out ipfw rules on a 5.0-CURRENT system (FreeBSD 5.0-CURRENT #0: Wed Dec 4 23:37:45 EST 2002) installed on my home LAN. Its IP is 10.0.23.13, and it has a single NIC (xl0) acting as a packet filter. I load ipfw as a kernel module.
Here is my rule set:

00100 allow ip from any to any via lo0
00200 check-state
00300 deny log ip from any to 127.0.0.0/8
00400 deny ip from 0.0.0.0/8 to any in via xl0
00500 deny ip from 169.254.0.0/16 to any in via xl0
00600 deny ip from 192.0.2.0/24 to any in via xl0
00700 deny ip from 224.0.0.0/4 to any in via xl0
00800 deny ip from 240.0.0.0/4 to any in via xl0
00900 deny ip from any to 0.0.0.0/8 in via xl0
01000 deny ip from any to 169.254.0.0/16 in via xl0
01100 deny ip from any to 192.0.2.0/24 in via xl0
01200 deny ip from any to 224.0.0.0/4 in via xl0
01300 deny ip from any to 240.0.0.0/4 in via xl0
01400 deny tcp from any to any established
01500 allow tcp from any to 10.0.23.13 dst-port 22,25,143,993,525,137,138,139 setup keep-state
01600 allow udp from any to { 10.0.23.13 or dst-ip 10.0.23.255 } dst-port 137,138,139,525
01700 allow tcp from any to 10.0.23.13 dst-port 64023-64053,20-21 setup keep-state
01800 allow icmp from any to any icmptypes 3,4,11,12,13,14
01900 allow tcp from 10.0.23.13 to any setup out via xl0 keep-state
02000 allow udp from 10.0.23.13 to any out via xl0 keep-state
65435 deny log ip from any to any
65535 deny ip from any to any

Here are the current sysctl settings for ipfw:

net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 120
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 22
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

According to the man page, a net.inet.ip.fw.dyn_keepalive setting of 1 should mean it sends keepalives to keep dynamic rules alive.
Do I need an explicit rule in my rule set to allow these keepalives, and, if so, what would it be? (I can't recall having this problem with ipfilter.)

Cheers,

Paul.

e-mail: paul@gromit.dlib.vt.edu

"Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid." --- Frank Vincent Zappa
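The poster watched the idle timer in "ipfw -d show" count down by hand. The following is an added example, not code from the original message or from FreeBSD: a small Python tool that parses the dynamic-rule section of "ipfw -d show" together with the dyn_*_lifetime sysctls and flags states that are about to expire, which is the check one would script to confirm whether keepalives are actually refreshing a state before it dies. The line format it assumes for dynamic rules (rule number, packets, bytes, remaining seconds in parentheses, STATE, protocol, source, source port, direction arrow, destination, destination port) is an assumption about the ipfw2 listing of that era, and the sample "ipfw -d show" and sysctl output embedded below is constructed, not captured from the poster's machine. The name DynRule and the functions parse_dyn_lines, parse_lifetimes, near_expiry and expiring_within are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of "ipfw -d show" output: static rules with counters,
# then the dynamic states.  Not captured from a real system.
SAMPLE_SHOW = """\
00100     10     800 allow ip from any to any via lo0
00200      0       0 check-state
01500    412   51200 allow tcp from any to 10.0.23.13 dst-port 22,25,143,993,525,137,138,139 setup keep-state
## Dynamic rules (3):
01500     12    1840 (287s) STATE tcp 10.0.23.5 50123 <-> 10.0.23.13 22
01500    960  120400 (12s) STATE tcp 10.0.23.7 43210 <-> 10.0.23.13 143
02000      4     320 (3s) STATE udp 10.0.23.13 51234 <-> 10.0.23.1 53
"""

# Constructed sample of "sysctl net.inet.ip.fw" output (values match the post).
SAMPLE_SYSCTL = """\
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_keepalive: 1
"""

# Assumed dynamic-rule line layout (see lead-in); static rules do not match.
DYN_RE = re.compile(
    r"^(?P<rule>\d{5})\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<kind>STATE|DYNAMIC|PARENT)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dir><->|->|<-)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

# Which sysctl governs the idle lifetime of an established state per protocol.
LIFETIME_SYSCTL = {
    "net.inet.ip.fw.dyn_ack_lifetime": "tcp",
    "net.inet.ip.fw.dyn_udp_lifetime": "udp",
}


@dataclass
class DynRule:
    rule: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int  # seconds left before ipfw expires the state


def parse_dyn_lines(text: str) -> List[DynRule]:
    """Return the dynamic states found in "ipfw -d show" output."""
    states = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            states.append(DynRule(int(m["rule"]), m["proto"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), int(m["ttl"])))
    return states


def parse_lifetimes(text: str) -> Dict[str, int]:
    """Map protocol -> idle lifetime (seconds) from sysctl output."""
    lifetimes: Dict[str, int] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in LIFETIME_SYSCTL:
            lifetimes[LIFETIME_SYSCTL[key.strip()]] = int(value.strip())
    return lifetimes


def near_expiry(states: List[DynRule], lifetimes: Dict[str, int],
                fraction: float = 0.1) -> List[DynRule]:
    """States whose remaining time is at or below `fraction` of their full lifetime.

    A state that keeps turning up here over successive runs, instead of being
    refreshed back to the full lifetime, is one that keepalives are not saving.
    """
    return [s for s in states
            if s.proto in lifetimes and s.ttl <= lifetimes[s.proto] * fraction]


def expiring_within(states: List[DynRule], seconds: int) -> List[DynRule]:
    """States that will be dropped within `seconds` if no traffic arrives."""
    return [s for s in states if s.ttl <= seconds]


if __name__ == "__main__":
    # In practice feed the output of `ipfw -d show` and `sysctl net.inet.ip.fw`.
    states = parse_dyn_lines(SAMPLE_SHOW)
    lifetimes = parse_lifetimes(SAMPLE_SYSCTL)
    for s in near_expiry(states, lifetimes):
        print(f"rule {s.rule:05d} {s.proto} {s.src}:{s.sport} <-> {s.dst}:{s.dport} "
              f"expires in {s.ttl}s of {lifetimes[s.proto]}s")
```

Run it repeatedly (say, every few seconds) against live output: a state whose timer is refreshed to the full dyn_ack_lifetime while the connection is idle means keepalives are reaching it; one that decays to zero and disappears, as the post describes for the idle SSH and IMAP sessions, means they are not.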