Date: Fri, 6 Dec 2002 20:56:19 -0500
From: Paul Mather <paul@gromit.dlib.vt.edu>
To: current@freebsd.org
Subject: IPFW2 keepalive?
Message-ID: <20021207015619.GA23658@gromit.dlib.vt.edu>
Please forgive me if this is an elementary question or mistake on my
part. I'm most familiar with ipfilter, and am a relative newcomer
to ipfw.
That said, the problem I am having is that IPFW2 stateful rules do not
seem to persist via keepalives, as the man page suggests they should.
Does anyone else have this problem? (Is this a bug in the
implementation, or in my application of it?)
I can see a dynamic rule created, but it will vanish if idle for more
than 300 seconds. For example, I can slogin to another machine and
then let that remote login idle. Meanwhile, in another terminal, I can
use "ipfw -d show" to see the idle timer on the rule for that remote
login count down to zero and eventually expire the rule. If I then
type something into the remote SSH session, I get "Write failed:
Permission denied." I've also noticed this kind of thing happen, for
example, when reading mail via IMAP using mutt. If I spend too long
reading a message (e.g., a long digest), I will get a message
indicating the mailbox was lost, even though the remote imap session
still has the mailbox open.
I'm testing out ipfw rules on a 5.0-CURRENT system (FreeBSD
5.0-CURRENT #0: Wed Dec 4 23:37:45 EST 2002) installed on my home LAN.
Its IP is 10.0.23.13, and it has a single NIC (xl0) acting as a packet
filter. I load ipfw as a kernel module. Here is my rule set:
00100 allow ip from any to any via lo0
00200 check-state
00300 deny log ip from any to 127.0.0.0/8
00400 deny ip from 0.0.0.0/8 to any in via xl0
00500 deny ip from 169.254.0.0/16 to any in via xl0
00600 deny ip from 192.0.2.0/24 to any in via xl0
00700 deny ip from 224.0.0.0/4 to any in via xl0
00800 deny ip from 240.0.0.0/4 to any in via xl0
00900 deny ip from any to 0.0.0.0/8 in via xl0
01000 deny ip from any to 169.254.0.0/16 in via xl0
01100 deny ip from any to 192.0.2.0/24 in via xl0
01200 deny ip from any to 224.0.0.0/4 in via xl0
01300 deny ip from any to 240.0.0.0/4 in via xl0
01400 deny tcp from any to any established
01500 allow tcp from any to 10.0.23.13 dst-port 22,25,143,993,525,137,138,139 setup keep-state
01600 allow udp from any to { 10.0.23.13 or dst-ip 10.0.23.255 } dst-port 137,138,139,525
01700 allow tcp from any to 10.0.23.13 dst-port 64023-64053,20-21 setup keep-state
01800 allow icmp from any to any icmptypes 3,4,11,12,13,14
01900 allow tcp from 10.0.23.13 to any setup out via xl0 keep-state
02000 allow udp from 10.0.23.13 to any out via xl0 keep-state
65435 deny log ip from any to any
65535 deny ip from any to any
Here are the current sysctl settings for ipfw:
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 120
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 22
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1
According to the man page, a net.inet.ip.fw.dyn_keepalive setting of 1
should mean it sends keepalives to keep dynamic rules alive.
Do I need an explicit rule in my rule set to allow these keepalives,
and, if so, what would it be? (I can't recall having this problem
with ipfilter.)
Cheers,
Paul.
e-mail: paul@gromit.dlib.vt.edu
"Without music to decorate it, time is just a bunch of boring production
deadlines or dates by which bills must be paid."
--- Frank Vincent Zappa
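The post above watches dynamic rules in `ipfw -d show` count down and expire. The following is an added example, not code from the post or from FreeBSD: a small Python checker that parses a constructed dynamic-rule listing and reports, per state entry, whether a keepalive could still refresh it. It assumes the line layout shown in the comment, that only TCP keep-state entries receive keepalives (UDP states simply expire at dyn_udp_lifetime), and an assumed 20-second keepalive window before expiry; the lifetimes come from the sysctl listing in the post.

```python
import re

# Lifetimes taken from the sysctl listing in the post.
DYN_ACK_LIFETIME = 300
DYN_UDP_LIFETIME = 10
# Assumption: ipfw2 starts probing a TCP state this many seconds before it
# expires. This value is not from the post.
KEEPALIVE_WINDOW = 20

# Assumed layout of one dynamic-rule line from `ipfw -d show`:
#   <rule> <pkts> <bytes> (<idle>s) STATE <proto> <src> <sport> <-> <dst> <dport>
DYN_LINE = re.compile(
    r"^(?P<rule>\d{5})\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<idle>\d+)s\)"
    r"\s+STATE\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->"
    r"\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)


def parse_dyn_lines(text):
    """Return one dict per dynamic-rule line; static rules and noise are skipped."""
    rules = []
    for line in text.splitlines():
        m = DYN_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("pkts", "bytes", "idle", "sport", "dport"):
                d[k] = int(d[k])
            rules.append(d)
    return rules


def assess(rule, window=KEEPALIVE_WINDOW):
    """Classify a state entry by whether a keepalive can still refresh it."""
    if rule["proto"] != "tcp":
        return "no-keepalive"   # UDP states are never probed; they just time out
    if rule["idle"] <= window:
        return "keepalive-due"  # the firewall should be probing both ends now
    return "idle"               # still counting down from dyn_ack_lifetime


def report(text, window=KEEPALIVE_WINDOW):
    return [(r["rule"], r["proto"], r["idle"], assess(r, window))
            for r in parse_dyn_lines(text)]


# Constructed sample listing: an ssh session, an IMAP session about to expire,
# and a UDP state, all matching the rule numbers in the post's rule set.
SAMPLE = """\
01500    42    5120 (287s) STATE tcp 10.0.23.5 51022 <-> 10.0.23.13 22
01900   118   61004 (12s) STATE tcp 10.0.23.13 49152 <-> 10.0.23.20 143
02000     3     204 (7s) STATE udp 10.0.23.13 53123 <-> 10.0.23.1 53
"""

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%s %-4s idle=%3ds %s" % row)
```

Feed it real `ipfw -d show` output and a state that reaches "keepalive-due" yet still expires points at keepalive packets not passing the rule set, while a UDP state expiring is expected behaviour.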
