Date: Fri, 10 Aug 2001 09:24:39 -0300
From: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>
To: Jon Loeliger <jdl@jdl.com>
Cc: security@FreeBSD.ORG
Subject: Re: IPFW Dynamic Rules
Message-ID: <20010810092439.B76214@ns1.via-net-works.net.ar>
In-Reply-To: <E15V26p-000ILM-00@jdl.com>; from jdl@jdl.com on Thu, Aug 09, 2001 at 09:33:10PM -0500
References: <E15V26p-000ILM-00@jdl.com>
In an earlier message, Jon Loeliger wrote:
> keep-state [method]
>     Upon a match, the firewall will create a dynamic rule,
>     whose default behaviour is to match bidirectional
>     traffic between source and destination IP/port using the
>     same protocol. The rule has a limited lifetime (controlled
>     by a set of sysctl(8) variables), and the lifetime
>     is refreshed every time a matching packet is found.
>
> So if the dynamic rule has the same behaviour as the origination
> rule on the same port with the same protocol, why can't packets
> simply continue to be matched against that original base rule?

Because it does it bidirectionally. I.e., if you keep-state on outgoing, the reply (assuming it swaps origin and destination ports) will also be allowed.

Another difference is that it ignores, e.g., TCP flags. It means you set up a keep-state rule to match the original SYN and then the rest of the flow gets permitted.

> Why does the dynamic rule even need to come into existence?
>
> How many dynamic rules do you need to allow for, roughly, based on
> some simple system parameters? Pure heuristic and guess work here?
> Markov chain arrival rate rule decay rate blah blah tune it blah blah?
> I filled the default 256 readily, and bumped it to 1024 on a whim.

Empirically, our busy servers (5 of them) need 1500-2000 dynamic rules. Of course, that depends on your traffic.

Regards.

Fernando P. Schapachnik
Network planning and technology
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381
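The following is an added illustration, not part of this thread and not ipfw's own code: a small Python model of the behaviour discussed above. A static rule of the form "allow tcp from <inside> to any setup keep-state" matches only the first SYN of an outbound flow and installs a dynamic rule; that dynamic rule is then consulted first, matches both directions of the 5-tuple, ignores TCP flags, refreshes its lifetime on every hit, and is dropped once it idles past the lifetime. The cap on the table plays the role of the net.inet.ip.fw.dyn_max sysctl (the "default 256" in the thread). The class and function names, the 60-second lifetime, the 10.0.0.0/24 "inside" prefix, the sample packets, and the choice to treat a full table as a drop are all assumptions of this model.

```python
"""Toy model of ipfw keep-state dynamic rules (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass

INSIDE = "10.0.0."          # assumed "inside" network prefix
DEFAULT_DYN_MAX = 256       # the default table size mentioned in the thread
DEFAULT_LIFETIME = 300.0    # seconds; assumed value for this model


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # only SYN and ACK are modelled
    ack: bool = False


@dataclass
class DynRule:
    """One dynamic rule: the 5-tuple of the packet that created it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    expires: float

    def matches(self, pkt: Packet) -> bool:
        # Bidirectional: the reversed tuple (src/dst swapped) matches too,
        # and TCP flags are not looked at once the rule exists.
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        own = (self.src, self.sport, self.dst, self.dport)
        return pkt.proto == self.proto and own in (forward, reverse)


class StatefulFirewall:
    def __init__(self, dyn_max: int = DEFAULT_DYN_MAX,
                 lifetime: float = DEFAULT_LIFETIME) -> None:
        self.dyn_max = dyn_max
        self.lifetime = lifetime
        self.dyn_rules: list[DynRule] = []

    def _expire(self, now: float) -> None:
        # Rules that have not been refreshed within `lifetime` disappear.
        self.dyn_rules = [r for r in self.dyn_rules if r.expires > now]

    def _static_rule_allows(self, pkt: Packet) -> bool:
        # "allow tcp from <inside> to any setup keep-state":
        # 'setup' = SYN without ACK, i.e. only the first packet of a flow.
        return (pkt.proto == "tcp" and pkt.src.startswith(INSIDE)
                and pkt.syn and not pkt.ack)

    def check(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        # 1. check-state: dynamic rules first; a hit refreshes the lifetime.
        for rule in self.dyn_rules:
            if rule.matches(pkt):
                rule.expires = now + self.lifetime
                return "allow (dynamic)"
        # 2. the static keep-state rule installs a new dynamic rule.
        if self._static_rule_allows(pkt):
            if len(self.dyn_rules) >= self.dyn_max:
                # Model choice: a full table drops the packet.
                return "deny (dynamic table full)"
            self.dyn_rules.append(DynRule(pkt.proto, pkt.src, pkt.sport,
                                          pkt.dst, pkt.dport,
                                          now + self.lifetime))
            return "allow (new state)"
        # 3. default deny.
        return "deny"


def demo() -> dict:
    """Walk one flow through the model with a deliberately tiny table."""
    fw = StatefulFirewall(dyn_max=2, lifetime=60.0)
    out = {}
    syn = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, syn=True)
    out["syn"] = fw.check(syn, 0.0)            # first SYN creates state
    synack = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40000,
                    syn=True, ack=True)
    out["synack"] = fw.check(synack, 1.0)      # reply allowed by reversed tuple
    data = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, ack=True)
    out["data"] = fw.check(data, 2.0)          # no SYN, still allowed by state
    stray = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40001, syn=True)
    out["stray"] = fw.check(stray, 2.0)        # unrelated inbound SYN: denied
    out["flow2"] = fw.check(Packet("tcp", "10.0.0.6", 40000,
                                   "203.0.113.9", 80, syn=True), 3.0)
    out["flow3"] = fw.check(Packet("tcp", "10.0.0.7", 40000,
                                   "203.0.113.9", 80, syn=True), 3.0)
    out["late_reply"] = fw.check(synack, 63.0)  # idle past lifetime: state gone
    out["rules_left"] = len(fw.dyn_rules)
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:11s} {verdict}")
```

The point of the walk-through: the SYN-ACK and the flag-less data packet are accepted only because a dynamic rule exists; the static rule would never match them (wrong direction, or no SYN). With the table capped at 2, the third new flow is dropped, which is what running out of dyn_max looks like in practice, and once a flow idles past the lifetime its reply is refused again.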