Date: Thu, 16 Oct 2008 15:52:10 +0200
From: Patrick Matters <patrick.matters@gmx.de>
To: to.dev.null@gmx.de
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Expiration of dynamic rules
Message-ID: <7809E47C-7C44-43E3-A588-0C99D642FC6B@gmx.de>
In-Reply-To: <20081015214327.230570@gmx.net>
References: <20081015214327.230570@gmx.net>
Hello,

a real life example:

ruleset host1
...
00100    0    0 check-state
00101    0    0 allow tcp from me to any out setup keep-state
...

sysctl
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 3
net.inet.ip.fw.dyn_fin_lifetime: 3
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.static_count: 24
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 237
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 2
net.inet.ip.fw.debug: 0
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.enable: 1

tcpdump
11:57:12.452517 IP host1.port1 > host2.80: S 4285172461:4285172461(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 225504674 0,sackOK,eol>
11:57:12.465820 IP host2.80 > host1.port1: S 4165668431:4165668431(0) ack 4285172462 win 5672 <mss 1430,sackOK,timestamp 946103042 225504674,nop,wscale 6>
11:57:12.465951 IP host1.port1 > host2.80: . ack 1 win 65535 <nop,nop,timestamp 225504674 946103042>
... some tcp ack and tcp ack,psh
11:57:12.703599 IP host2.80 > host1.port1: P 6629:7198(569) ack 721 win 112 <nop,nop,timestamp 946103278 225504675>
11:57:12.703678 IP host1.port1 > host2.80: . ack 7198 win 65156 <nop,nop,timestamp 225504676 946103278>
11:57:22.700872 IP host2.80 > host1.port1: F 7198:7198(0) ack 721 win 112 <nop,nop,timestamp 946113277 225504676>
11:57:22.700997 IP host1.port1 > host2.80: . ack 7199 win 65535 <nop,nop,timestamp 225504776 946113277>
12:02:07.529664 IP host1.port1 > host2.80: . ack 7199 win 0
12:02:07.529786 IP host1.port1 > host2.80: . ack 7199 win 65535 <nop,nop,timestamp 225507620 946113277>
12:02:07.543323 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0
12:02:07.545776 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0

netstat
tcp4       0      0  host1.port1      host2.80      CLOSE_WAIT

CLOSE_WAIT means an established connection on host1 receives a tcp fin from host2 and host1 sends a tcp ack to host2. Now host2 waits for a tcp fin from host1.

After the tcp rst, netstat shows no tcp socket with port1 anymore.

'nmap -PN -n -S host2 -p port1 -e eth0 --source-port 80 --scanflags ack host1'
(it could be any tcp flag or combination of that)

The dynamic rule reopens with timeout 3s and disappears after the timeout.

I guess only a tcp fin from host1 would stop the reappearing of the dynamic rule.

jerry

On 15.10.2008 at 23:43, to.dev.null@gmx.de wrote:

> Hello together,
>
> I have a strange phenomenon with dynamic rules. I am using Mac OS X
> 10.5.5 and have disabled keepalive messages for dynamic rules:
>
> net.inet.ip.fw.dyn_keepalive: 0
>
> ruleset host1
> ...
> check-state
> allow tcp from me to any out setup keep-state
> ...
>
> 1.) host2: nc -k -l -p 1234
> 2.) host1: nc host2 1234
> 3.) dynamic rule with 300s gets created
> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it
> shows with flag -e))
> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>
> After 5) that expired rule appeared again with 300s timeout and the
> firewall is again opened.
>
> I would expect that an expired rule could not be reanimated. The
> reactivation of expired rules seems to stop if tcp fins from
> both hosts are detected. Thus if the tcp disconnection was not
> successful there are some zombie rules which could be reanimated?!?
>
> (also with keepalive you could reproduce it: tcp rst -> then there
> is no keepalive message and the dynamic rule expires but can be
> reanimated with 5))
>
> Jerry
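To make the lifetimes reported in both mails checkable, here is a small Python model of a keep-state entry, added to this page rather than taken from ipfw's source: it picks the lifetime from the TCP flags seen so far, using host1's sysctl values, and is never deleted on expiry, so a later matching packet refreshes it. The flag-to-lifetime mapping and the second-granularity traces are assumptions reconstructed from the thread.

```python
# Added model for this thread, not ipfw's source: a keep-state entry whose lifetime
# follows the TCP flags seen in each direction and which stays in the table after it
# expires. Lifetimes are host1's sysctl values; the flag mapping is an assumption.
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10
BOTH_SYN = TH_SYN | (TH_SYN << 8)          # low byte: forward, high byte: reverse
BOTH_FIN = TH_FIN | (TH_FIN << 8)
LIFETIME = {"syn": 20, "ack": 300, "fin": 3, "rst": 3}   # net.inet.ip.fw.dyn_*_lifetime

def lifetime_kind(state):
    """Pick the lifetime class from the flags accumulated so far."""
    if state == TH_SYN:
        return "syn"                       # opening
    if state in (BOTH_SYN, BOTH_SYN | TH_FIN, BOTH_SYN | (TH_FIN << 8)):
        return "ack"                       # established, or only one side closing
    if state == BOTH_SYN | BOTH_FIN:
        return "fin"                       # both sides closed
    return "rst"                           # reset or any other combination

class DynRule:
    """One dynamic entry; nothing here deletes it, as with 'ipfw -d -e show'."""
    def __init__(self):
        self.state, self.expire = 0, None

    def is_expired(self, now):
        return self.expire is not None and now >= self.expire

    def packet(self, flags, forward, now):
        f = flags & (TH_FIN | TH_SYN | TH_RST)  # record flags, then refresh expiry
        self.state |= f if forward else f << 8
        kind = lifetime_kind(self.state)
        self.expire = now + LIFETIME[kind]
        return kind

def replay(trace):
    """trace: (seconds since SYN, flags, forward?) -> (t, was_expired, kind, expiry)."""
    rule, out = DynRule(), []
    for t, flags, forward in trace:
        zombie = rule.is_expired(t)        # packet hit an entry that had already expired
        kind = rule.packet(flags, forward, t)
        out.append((t, zombie, kind, rule.expire))
    return out

# Constructed from host1's tcpdump above, rounded to seconds after the SYN: handshake,
# FIN from host2 at 10s, keepalive probe and RST at 295s, unsolicited ACK at 310s.
HOST1_TRACE = [(0, TH_SYN, True), (0, TH_SYN | TH_ACK, False), (0, TH_ACK, True),
               (10, TH_FIN | TH_ACK, False), (10, TH_ACK, True),
               (295, TH_ACK, True), (295, TH_RST, False), (310, TH_ACK, False)]
# The quoted nc scenario: idle established connection, ACK arriving after the 300s expiry.
QUOTED_TRACE = [(0, TH_SYN, True), (0, TH_SYN | TH_ACK, False), (0, TH_ACK, True),
                (400, TH_ACK, False)]
```

Both replays end with a packet that arrives after the entry has expired and still refreshes it: with the RST already recorded it gets the 3 s rst lifetime, without any FIN or RST it gets the 300 s ack lifetime, matching the two observations in the thread.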