Date: Sun, 24 Jan 2021 22:07:48 -0800
From: Kevin Oberman <rkoberman@gmail.com>
To: Jos Chrispijn <bsduser@cloudzeeland.nl>
Cc: Michael Sierchio <kudzu@tenebras.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: IPFW | Too many dynamic rules?
Message-ID: <CAN6yY1to0k-OPrFstADFJSeUm-1BrZrE0PsvWfYxV_RMRgZXTw@mail.gmail.com>
In-Reply-To: <3cfe3c72-453b-e54e-3c56-9abf80f45be3@cloudzeeland.nl>
References: <e73687db-0f6e-9d45-c9c9-57bbfd1ae8e9@cloudzeeland.nl> <CAHu1Y73Qcz7G2gX1_2zM0nJp_c5qA604Z=U9xxNZL_g_cJNhxA@mail.gmail.com> <b567dd97-4e1a-7870-d0f5-c477fc488403@cloudzeeland.nl> <CAHu1Y73ynYG18KcsYcbjazC45g8rchPJppQ8Apja0Fwhsr5fyQ@mail.gmail.com> <3cfe3c72-453b-e54e-3c56-9abf80f45be3@cloudzeeland.nl>
On Sun, Jan 24, 2021 at 3:08 AM Jos Chrispijn <bsduser@cloudzeeland.nl> wrote:
> Thanks for your help, Michael.
>
> Knowing so little about ipfw, I think it will be time to raise my
> learning curve on it. Can you hint me where I can get more information
> on nub level? Especially the remark Michael made
>
> "The lifetime of dynamic rules is, by default, way too long."
>
> intrigues me. What is the exact result of shortening them? Do I undermine
> ipfw protection by giving it too little or too much time to check incoming
> requests?
>
> Best, Jos
>
> On 22-1-21 at 1:58, Michael Sierchio wrote:
> >
> > Good luck!
> >
> Thank you!
> ___

No, you don't undermine security. You enhance it a tiny bit, but significantly.

A stateful firewall works by creating a temporary rule allowing traffic that would be rejected. A simple example is a DNS query. It is sent out and, in typical ipfw setups, outgoing UDP packets create a dynamic entry to allow for the reply. To make dynamic rules work efficiently, space is reserved for the maximum number of concurrent dynamic rules that are to be allowed. Unless there is further traffic for a given rule, a dynamic rule is deleted after a preset lifetime.

You can look at all ipfw dynamic parameters with 'sysctl net.inet.ip.fw | grep dyn_'. You can get the description of a sysctl with "sysctl -d OID".

The default lifetimes are long for the "modern" Internet. The most significant one is probably dyn_udp_lifetime. It would be unusual for it to take anywhere near the default 30 seconds to get a response, but setting it too short will result in failures. Shortening it will clear out old entries more quickly and reduce the chance of running out of space for dynamic rules.

A number of years ago, one of the developers wrote code that sent out UDP packets to a large number of remote systems. A very short time later it did the same thing, but from new sockets. That meant a whole new set of dynamic rules was created every second and sat there for 30 seconds. This quickly filled the available space and replies to further queries were blocked. Not just for his program, but for the whole system. Oops!

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
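The following script is an added example and is not code from Kevin's message or from the ipfw project. It reads the dyn_ sysctls he points at (the sysctl names net.inet.ip.fw.dyn_max, dyn_count and dyn_udp_lifetime are ipfw's own), then works through the capacity arithmetic behind the "new sockets every second" failure he describes: a source that opens RATE new UDP flows per second and never reuses a socket holds RATE x dyn_udp_lifetime dynamic rules at steady state, and once that exceeds dyn_max every further reply is dropped for the whole host. The sample sysctl output embedded in the script is constructed for offline use, the 200 flows/s burst rate is hypothetical, and the values are not a claim about any FreeBSD release's defaults.

```shell
#!/bin/sh
# Added example, not code from the thread or from ipfw. Audits the ipfw
# dynamic-rule sysctls and estimates whether net.inet.ip.fw.dyn_max can
# absorb a burst of short-lived UDP flows that never reuse a socket.
# On a FreeBSD host with ipfw loaded it reads the live sysctls; elsewhere
# it falls back to the constructed SAMPLE below.
# (`sysctl -d net.inet.ip.fw.dyn_udp_lifetime` prints the OID description.)

# Constructed sample of `sysctl net.inet.ip.fw | grep dyn_` output.
# Illustrative numbers only, not any release's defaults.
SAMPLE='net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 120
net.inet.ip.fw.dyn_udp_lifetime: 30
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300'

# dyn_get NAME: value of net.inet.ip.fw.NAME from sysctl output on stdin.
dyn_get() {
    awk -v key="net.inet.ip.fw.$1:" '$1 == key { print $2; exit }'
}

# slots_needed RATE LIFETIME: dynamic rules held at steady state by a
# source opening RATE new UDP sockets per second and never reusing one,
# so each entry sits untouched for LIFETIME seconds before it expires.
slots_needed() {
    echo $(( $1 * $2 ))
}

# max_lifetime DYN_MAX RATE: largest dyn_udp_lifetime (whole seconds)
# that keeps such a burst inside the dyn_max budget.
max_lifetime() {
    echo $(( $1 / $2 ))
}

# budget_ok OUTPUT RATE: succeeds if dyn_max in OUTPUT covers the burst.
budget_ok() {
    bo_max=$(printf '%s\n' "$1" | dyn_get dyn_max)
    bo_life=$(printf '%s\n' "$1" | dyn_get dyn_udp_lifetime)
    [ "$(slots_needed "$2" "$bo_life")" -le "$bo_max" ]
}

# sysctl_conf LIFETIME: /etc/sysctl.conf line that persists a shorter
# UDP lifetime across reboots (apply it live with `sysctl NAME=VALUE`).
sysctl_conf() {
    printf 'net.inet.ip.fw.dyn_udp_lifetime=%s\n' "$1"
}

# report OUTPUT RATE: one-screen summary for an operator.
report() {
    r_max=$(printf '%s\n' "$1" | dyn_get dyn_max)
    r_cur=$(printf '%s\n' "$1" | dyn_get dyn_count)
    r_life=$(printf '%s\n' "$1" | dyn_get dyn_udp_lifetime)
    echo "dyn_max=$r_max dyn_count=$r_cur dyn_udp_lifetime=$r_life"
    echo "burst of $2 new UDP flows/s holds $(slots_needed "$2" "$r_life") dynamic rules"
    if budget_ok "$1" "$2"; then
        echo "fits inside dyn_max"
    else
        fit=$(max_lifetime "$r_max" "$2")
        echo "exceeds dyn_max: replies for new flows would be dropped host-wide"
        echo "lifetime must be <= $fit s; suggested line: $(sysctl_conf "$fit")"
    fi
}

# Prefer the live sysctls when ipfw is present, else use the sample.
if sysctl -n net.inet.ip.fw.dyn_max >/dev/null 2>&1; then
    OUT=$(sysctl net.inet.ip.fw | grep dyn_)
else
    OUT=$SAMPLE
fi
report "$OUT" 200    # 200 flows/s is a hypothetical burst rate
```

With the sample values, 200 flows/s at a 30 s lifetime wants 6000 slots against a dyn_max of 4096, so the script suggests capping dyn_udp_lifetime at 20 s; the same rate at Kevin's "unusual to need anywhere near 30 seconds" reasoning argues for going lower still, as long as the value stays above the slowest legitimate reply you expect to see. Raising dyn_max is the other knob, but it only delays the same wall.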
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1to0k-OPrFstADFJSeUm-1BrZrE0PsvWfYxV_RMRgZXTw>