Date: Tue, 19 Nov 2002 10:37:53 -0600
From: "Shawn Barnhart" <swb@grasslake.net>
To: <ipfw@freebsd.org>
Subject: Stateful rules
Message-ID: <001a01c28fea$0200c7c0$62229fc0@ad.campbellmithun.com>
I've recently switched over to using the stateful capabilities of ipfw (4.7-STABLE). I have rules like:

    check-state
    allow tcp from my_host to any keep-state
    allow udp from my_host to any keep-state
    ....
    deny log ip from any to any

In that order.

What I've noticed is that during web browsing (and only web browsing), I see a small number of packets hitting the deny rule at the end, as if the dynamic rule had either expired or didn't apply. I didn't notice it impacting the actual web browsing I was doing (i.e., no misdrawn pages or other glitches). I haven't seen any other types of packets blocked other than web traffic; ssh, dns, even udp-intensive games seem OK.

Any potential explanations? I thought there might be some low sysctl variables, but net.inet.ip.fw.dyn_count appears to be well below net.inet.ip.fw.dyn_max.

One other thing I'm curious about is net.inet.ip.fw.dyn_buckets -- what does this have to do with net.inet.ip.fw.dyn_max or dynamic rule processing? I can't quite glean the relationship it has with net.inet.ip.fw.dyn_max, if there is one, or when/how/if it should be adjusted.

-Shawn
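The ruleset in the post, written out as a script so the ordering and the dynamic-table checks can be reproduced. This is an added example, not Shawn's actual configuration or anything from the ipfw project: the host address is a constructed placeholder, the function names (ruleset, apply_ruleset, dyn_report and the two helpers) are the example's own, and the `setup` keyword on the tcp rule is an addition so that state is only created on the initial SYN. The dyn_*_lifetime sysctls it reads are documented in ipfw(8) but are not mentioned in the post; they control how long a dynamic entry survives after each kind of packet, which is the thing to inspect when a few packets of a flow fall through to the final deny after the connection closes. With IPFW=echo the script prints the rules instead of installing them, so it can be dry-run on a non-FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the original post): an ipfw stateful ruleset
# in the shape of the one described, plus checks on the dynamic-rule table.

MY_HOST="${MY_HOST:-192.0.2.10}"   # constructed placeholder address (RFC 5737 range)
IPFW="${IPFW:-ipfw}"               # set IPFW=echo for a dry run without installing

# Emit the rules, one per line, in the order they must be installed.
# check-state must precede the keep-state rules so that packets belonging to
# an existing flow are matched from the dynamic table before anything else;
# whatever does not match a dynamic entry keeps going and ends at the deny.
ruleset() {
    cat <<EOF
add 100 check-state
add 200 allow tcp from $MY_HOST to any setup keep-state
add 300 allow udp from $MY_HOST to any keep-state
add 65000 deny log ip from any to any
EOF
}

# Install the rules with $IPFW (root on FreeBSD; echo for a dry run).
apply_ruleset() {
    ruleset | while read -r rule; do
        # shellcheck disable=SC2086
        $IPFW $rule || return 1
    done
}

# Return 0 if $1 is a power of two, else 1.  ipfw(8) requires dyn_buckets,
# the size of the hash table that indexes the dynamic rules, to be a power
# of two; dyn_max, by contrast, caps how many dynamic rules may exist at once.
is_power_of_two() {
    n=$1
    [ "$n" -gt 0 ] || return 1
    while [ $((n % 2)) -eq 0 ]; do n=$((n / 2)); done
    [ "$n" -eq 1 ]
}

# Return 0 if dyn_count ($1) is below 90% of dyn_max ($2), else 1.
dyn_has_headroom() {
    [ $(( $1 * 10 )) -lt $(( $2 * 9 )) ]
}

# Print the dynamic-table sysctls and the live dynamic rules (ipfw -d show).
# Entries of a closed TCP flow only live dyn_fin_lifetime / dyn_rst_lifetime
# seconds after the FIN or RST, so a late retransmission of the closing
# packets no longer matches check-state and is logged by the deny rule.
dyn_report() {
    for key in dyn_count dyn_max dyn_buckets dyn_ack_lifetime dyn_syn_lifetime \
               dyn_fin_lifetime dyn_rst_lifetime dyn_udp_lifetime dyn_short_lifetime; do
        sysctl "net.inet.ip.fw.$key" 2>/dev/null
    done
    count=$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null)
    max=$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null)
    buckets=$(sysctl -n net.inet.ip.fw.dyn_buckets 2>/dev/null)
    if [ -n "$count" ] && [ -n "$max" ]; then
        dyn_has_headroom "$count" "$max" || echo "warning: dynamic table over 90% full"
    fi
    if [ -n "$buckets" ]; then
        is_power_of_two "$buckets" || echo "warning: dyn_buckets is not a power of two"
    fi
    $IPFW -d show 2>/dev/null
}

case "${1:-}" in
    apply)  apply_ruleset ;;
    report) dyn_report ;;
    *)      ruleset ;;
esac
```

Usage: `./stateful.sh` prints the ruleset, `./stateful.sh apply` installs it, and `./stateful.sh report` dumps the dynamic table and its sysctls so the deny-log lines can be compared against the entries that have expired.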