From owner-freebsd-net Wed Feb 9 10:50:37 2000
Delivered-To: freebsd-net@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by builder.freebsd.org (Postfix) with ESMTP id A7CB0412B; Wed, 9 Feb 2000 10:50:26 -0800 (PST)
Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id TAA38288; Wed, 9 Feb 2000 19:50:14 +0100 (CET) (envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200002091850.TAA38288@info.iet.unipi.it>
Subject: HEADS-UP, upcoming changes to ipfw: keep-state
To: current@freebsd.org
Date: Wed, 9 Feb 2000 19:50:14 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[Bcc to -net as also relevant there]

People,

in the next day or so, with Jordan's approval, and in response to many queries I got about this, I am going to commit to -current (and then to -stable when it settles a bit) some ipfw patches which make the firewall stateful (only if you use the new features; otherwise ipfw behaves as usual).

This will let you write things like (taken from a live -current):

rizzo# ipfw show
00100   313  15907 allow tcp from any to any keep-state setup
00200     0      0 deny tcp from any to any
65535  1433 309926 allow ip from any to any
## Dynamic rules:
00100   279  13151 tcp 131.114.9.26 513 <-> 131.114.9.236

where the 'Dynamic rules' part is generated as a result of a match of rule 100.

This should be useful to protect slow machines from attacks such as stream.c and the like. Also, the code should be fully integrated with bridging and dummynet.

I would like people to give the new code a try, point out bugs and possibly suggest enhancements if they have some ideas.

The way the code works now: dynamic rules match the tuple. They are stored in a hash table, whose size is configurable through a sysctl variable (default is 256).

The max number of dynamic rules is limited with another sysctl variable (default 1000, but it can easily go up by 2 orders of magnitude I think). When the max number of dynamic rules is reached, new ones are not added until the old ones expire.

The expire time is again set using sysctl variables; it defaults to a few seconds for SYN/FIN/RST and minutes for regular packets. (This will not save you from idle ssh/telnet connections timing out, but I have seen the same behaviour with commercial firewalls as well.)

Dynamic rules are checked before the whole ruleset (although by the time I commit the code there will probably be a way to tell exactly at which point to check dynamic rules).

Note, this behaviour is probably appropriate for a workstation. If you build a router+ipfw/bridge+ipfw, then you might want different types of dynamic rules which only check part of the headers -- HERE I NEED YOUR INPUT!!!

And of course, if you need some customized version of this stuff, feel free to talk to me.

cheers
luigi

-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
 Mobile   +39-347-0373137
-----------------------------------+-------------------------------------
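The dynamic-rule mechanism sketched in the post (state created by a keep-state rule on a setup packet, a bounded hash table, short lifetimes for SYN/FIN/RST and longer ones for other packets, dynamic rules consulted before the static ruleset) can be modelled compactly. The following is an added illustration written for this page, not FreeBSD or ipfw code and not Luigi's patch. It assumes the dynamic rule keys on the (proto, src, sport, dst, dport) tuple matched in either direction, that a dynamic rule inherits its parent rule's action, and it uses 5 s and 300 s as stand-ins for the "few seconds" and "minutes" defaults the post does not quantify; the traffic is constructed.

```python
"""Toy model of ipfw keep-state dynamic rules (constructed illustration)."""
import zlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

HASH_BUCKETS = 256          # default table size quoted in the post
MAX_DYN_RULES = 1000        # default cap quoted in the post
LIFETIME_SYN_FIN_RST = 5.0  # assumed value for "a few seconds"
LIFETIME_OTHER = 300.0      # assumed value for "minutes"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()

    def is_setup(self) -> bool:
        """ipfw 'setup': SYN set and ACK clear."""
        return "SYN" in self.flags and "ACK" not in self.flags


@dataclass
class StaticRule:
    num: int
    action: str            # "allow" or "deny"
    proto: str             # "tcp" or "ip" ("ip" matches everything)
    keep_state: bool = False
    setup: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        return not self.setup or p.is_setup()


@dataclass
class DynRule:
    parent: int            # static rule whose match created this entry
    action: str            # assumed: inherited from the parent rule
    key: tuple
    expires: float
    pkts: int = 0


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple, so replies hit the same entry ('<->')."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def lifetime_for(p: Packet) -> float:
    return LIFETIME_SYN_FIN_RST if p.flags & {"SYN", "FIN", "RST"} else LIFETIME_OTHER


class DynTable:
    def __init__(self, buckets: int = HASH_BUCKETS, max_rules: int = MAX_DYN_RULES):
        self.buckets: List[List[DynRule]] = [[] for _ in range(buckets)]
        self.max_rules, self.count = max_rules, 0

    def _bucket(self, key: tuple) -> List[DynRule]:
        # crc32 instead of hash() so the bucket choice is stable across runs
        return self.buckets[zlib.crc32(repr(key).encode()) % len(self.buckets)]

    def expire(self, now: float) -> None:
        for b in self.buckets:
            live = [r for r in b if r.expires > now]
            self.count -= len(b) - len(live)
            b[:] = live

    def lookup(self, p: Packet, now: float) -> Optional[DynRule]:
        self.expire(now)
        key = flow_key(p)
        for r in self._bucket(key):
            if r.key == key:
                r.pkts += 1
                r.expires = now + lifetime_for(p)   # each hit refreshes the timer
                return r
        return None

    def install(self, rule: StaticRule, p: Packet, now: float) -> Optional[DynRule]:
        if self.count >= self.max_rules:      # at the cap: nothing new until expiry
            return None
        r = DynRule(rule.num, rule.action, flow_key(p), now + lifetime_for(p))
        self._bucket(r.key).append(r)
        self.count += 1
        return r


class Firewall:
    def __init__(self, rules: List[StaticRule], table: DynTable):
        self.rules, self.table = sorted(rules, key=lambda r: r.num), table

    def check(self, p: Packet, now: float) -> Tuple[str, int, bool]:
        """Return (action, rule number, matched a dynamic rule)."""
        dyn = self.table.lookup(p, now)        # dynamic rules checked first
        if dyn is not None:
            return (dyn.action, dyn.parent, True)
        for r in self.rules:
            if r.matches(p):
                if r.keep_state:
                    self.table.install(r, p, now)
                return (r.action, r.num, False)
        raise AssertionError("rule 65535 always matches")


# The ruleset shown in the post.
RULESET = [StaticRule(100, "allow", "tcp", keep_state=True, setup=True),
           StaticRule(200, "deny", "tcp"), StaticRule(65535, "allow", "ip")]


def run_scenario() -> List[Tuple[str, int, bool]]:
    """Constructed traffic between the post's host .26 and .236 (ports assumed)."""
    fw = Firewall(RULESET, DynTable())
    syn = Packet("tcp", "131.114.9.26", 513, "131.114.9.236", 22, frozenset({"SYN"}))
    synack = Packet("tcp", "131.114.9.236", 22, "131.114.9.26", 513, frozenset({"SYN", "ACK"}))
    ack = Packet("tcp", "131.114.9.26", 513, "131.114.9.236", 22, frozenset({"ACK"}))
    stray = Packet("tcp", "10.0.0.5", 4444, "131.114.9.26", 80, frozenset({"ACK"}))
    late_reply = Packet("tcp", "131.114.9.236", 22, "131.114.9.26", 513, frozenset({"ACK"}))
    return [fw.check(syn, 0.0),       # rule 100 matches the setup packet, state installed
            fw.check(synack, 0.1),    # reply direction hits the dynamic rule
            fw.check(ack, 0.2),       # non-SYN hit stretches the lifetime to LIFETIME_OTHER
            fw.check(stray, 0.3),     # no state and not a setup packet: falls to rule 200
            fw.check(late_reply, 0.2 + LIFETIME_OTHER + 1)]  # state expired: rule 200


def run_cap_scenario() -> List[Tuple[str, int, bool]]:
    """With room for one entry, the second connection is allowed by rule 100
    but gets no state, so its reply is dropped by rule 200."""
    fw = Firewall(RULESET, DynTable(max_rules=1))
    syn1 = Packet("tcp", "131.114.9.26", 513, "131.114.9.236", 22, frozenset({"SYN"}))
    syn2 = Packet("tcp", "131.114.9.26", 514, "131.114.9.236", 22, frozenset({"SYN"}))
    reply2 = Packet("tcp", "131.114.9.236", 22, "131.114.9.26", 514, frozenset({"SYN", "ACK"}))
    return [fw.check(syn1, 0.0), fw.check(syn2, 0.1), fw.check(reply2, 0.2)]
```

The two scenarios show why the cap and the timers matter operationally: a table that is full silently degrades to the static ruleset for new flows, and a SYN-only entry lives just a few seconds, so a handshake that never completes cannot hold a slot for long (the stream.c-style protection the post mentions).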