From owner-freebsd-net Wed Jan 29 13:35:14 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5450437B401 for ; Wed, 29 Jan 2003 13:35:13 -0800 (PST)
Received: from marstons.services.quay.plus.net (marstons.services.quay.plus.net [212.159.14.223]) by mx1.FreeBSD.org (Postfix) with SMTP id 1C7D943F93 for ; Wed, 29 Jan 2003 13:35:07 -0800 (PST) (envelope-from trent@limekiln.vcisp.net)
Received: (qmail 26381 invoked by uid 10001); 29 Jan 2003 21:35:00 -0000
Received: from limekiln.vcisp.net (212.159.16.110) by marstons.services.quay.plus.net with SMTP; 29 Jan 2003 21:35:00 -0000
Received: by limekiln.vcisp.net (Postfix, from userid 1001) id ED90892; Wed, 29 Jan 2003 21:34:50 +0000 (GMT)
Date: Wed, 29 Jan 2003 21:34:50 +0000
From: Trent Nelson
To: freebsd-net@freebsd.org
Subject: ipfw keep-state problem
Message-ID: <20030129213450.GA6421@limekiln.vcisp.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I'm using ipfw with dynamic rules, and I'm having problems. Consider the following rules:

    ipfw add check-state
    ipfw add deny tcp from any to any established
    ipfw add pass ip from me to any
    ipfw add pass tcp from any to me ssh keep-state setup
    ipfw add pass tcp from any to me telnet keep-state setup

These are basically the rules from the man page. The problem is that after establishing a successful telnet/ssh session, I have about 90-120 seconds to have some traffic pass over the session before it dies. Now when I say die, the connection is not dropped initially; it just appears that all traffic I send is blocked.
If I had to take a wild guess, I'd say that the keep-state setup rules added dynamically are expiring too quickly, and thus subsequent traffic is hitting the ``deny tcp from any to any established'' rule.

I'm using ipfw v1 and 4.7-STABLE as of a few days ago.

Any thoughts?

Regards,

Trent.
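The post ends with a guess that the dynamic rules are expiring too early. The script below is an added diagnostic for checking exactly that; it is not part of the original message or of FreeBSD. It reproduces the poster's ruleset, and it reads the ipfw dynamic-rule lifetime sysctls (net.inet.ip.fw.dyn_*_lifetime). For an established TCP session, i.e. once the dynamic rule has seen a SYN in both directions, the lifetime that applies between packets is dyn_ack_lifetime, so that is the value to compare against the 90-120 s window in the post. SAMPLE_SYSCTL is constructed output carrying the stock default values, so the parsing part runs on a machine without ipfw; the live part only runs where ipfw exists and you are root.

```shell
#!/bin/sh
# Added diagnostic for the keep-state symptom in the post above (not the
# poster's code, not FreeBSD's). The rules are the ones quoted in the post;
# the sysctl names are ipfw's dynamic-rule lifetime knobs. SAMPLE_SYSCTL is
# constructed `sysctl net.inet.ip.fw` output with the stock defaults.

# The poster's ruleset, one rule per line, without the leading "ipfw".
RULES='add check-state
add deny tcp from any to any established
add pass ip from me to any
add pass tcp from any to me ssh keep-state setup
add pass tcp from any to me telnet keep-state setup'

# Constructed sample output; replace with `sysctl net.inet.ip.fw` on the host.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 2
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5'

# lifetime_of NAME: read sysctl output on stdin, print dyn_NAME_lifetime (seconds).
lifetime_of() {
    awk -v key="net.inet.ip.fw.dyn_$1_lifetime:" '$1 == key { print $2; exit }'
}

# idle_verdict IDLE_SECONDS: read sysctl output on stdin and report whether an
# established TCP session (both SYNs seen, so dyn_ack_lifetime governs it) can
# sit idle for IDLE_SECONDS without its dynamic rule expiring.
# Prints "ok" if the lifetime exceeds the idle window, "expires" otherwise.
idle_verdict() {
    ack=$(lifetime_of ack)
    ack=${ack:-0}
    if [ "$ack" -gt "$1" ]; then
        echo ok
    else
        echo expires
    fi
}

# keep_state_rule_count: how many of the poster's rules create dynamic state.
keep_state_rule_count() {
    printf '%s\n' "$RULES" | grep -c 'keep-state'
}

# load_rules: install the poster's ruleset on a live host (flushes first).
load_rules() {
    ipfw -q flush
    printf '%s\n' "$RULES" | while read -r line; do
        ipfw $line
    done
}

# Live part: only on a host that has ipfw, running as root. `ipfw -d show`
# lists the dynamic rules together with their remaining lifetime, so run it
# while the telnet/ssh session is idle and watch the countdown.
if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    sysctl net.inet.ip.fw | grep lifetime
    ipfw -d show
fi
```

On the affected 4.7-STABLE box, compare the printed dyn_ack_lifetime with the 90-120 second window from the post, and watch the expiry column of `ipfw -d show` during an idle session: if the entry for the ssh or telnet connection counts down and disappears before the session stalls, the poster's guess is confirmed and the lifetime (or the rule order around `check-state`) is where to look next. With the stock default of 300 seconds, `idle_verdict 120` on the sample prints "ok", so a stall after 90-120 seconds would point at something other than the default ack lifetime.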