From: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>
To: Jon Loeliger
Cc: security@FreeBSD.ORG
Date: Fri, 10 Aug 2001 09:24:39 -0300
Subject: Re: IPFW Dynamic Rules

In an earlier message, Jon Loeliger wrote:
> keep-state [method]
>     Upon a match, the firewall will create a dynamic rule,
>     whose default behaviour is to match bidirectional
>     traffic between source and destination IP/port using the
>     same protocol. The rule has a limited lifetime (controlled
>     by a set of sysctl(8) variables), and the lifetime
>     is refreshed every time a matching packet is found.
>
> So if the dynamic rule has the same behaviour as the origination
> rule on the same port with the same protocol, why can't packets
> simply continue to be matched against that original base rule?

Because it does it bidirectionally. Ie, if you keep-state on outgoing, the reply (assuming it swaps origin-destination ports) will also be allowed. Another difference is that it ignores, eg, TCP flags.

It means you set up a keep-state rule to match the original SYN and then the rest of the flow gets permitted.

> Why does the dynamic rule even need to come into existence?
>
> How many dynamic rules do you need to allow for, roughly, based on
> some simple system parameters? Pure heuristic and guess work here?
> Markov chain arrival rate rule decay rate blah blah tune it blah blah?
> I filled the default 256 readily, and bumped it to 1024 on a whim.

Empirically, our busy servers (5 of them) need 1500-2000 dynamic rules. Of course, that depends on your traffic.

Regards.

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381
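As an added illustration of the two points made in this exchange (why the base rule alone cannot pass the reply, and what happens when the dynamic table is too small), here is a small Python model of a single `allow tcp from <local> to any setup keep-state` rule and the dynamic table it populates. This is example code written for this page, not code from the thread or from FreeBSD's ipfw. It assumes one idle lifetime and one table cap as stand-ins for the several per-state sysctl(8) lifetimes and `net.inet.ip.fw.dyn_max`; the "deny when the table is full" outcome, the addresses and the timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    @property
    def setup(self) -> bool:
        # ipfw "setup": SYN set and ACK clear, i.e. the first packet of a TCP connection
        return self.proto == "tcp" and self.syn and not self.ack


@dataclass
class DynamicRule:
    proto: str
    a: tuple          # (address, port) of the packet that created the rule
    b: tuple          # (address, port) of its destination
    expires: float    # absolute time at which the rule lapses

    def matches(self, pkt: Packet) -> bool:
        # Bidirectional: the original direction and the swapped reply direction
        # both match, and TCP flags are not consulted at all.
        if pkt.proto != self.proto:
            return False
        flow = ((pkt.src, pkt.sport), (pkt.dst, pkt.dport))
        return flow in ((self.a, self.b), (self.b, self.a))


class Firewall:
    """One static rule, 'allow tcp from <local> to any setup keep-state',
    plus the dynamic table it populates (simplified model, constructed here)."""

    def __init__(self, local_prefix: str, lifetime: float = 300.0, dyn_max: int = 256):
        self.local_prefix = local_prefix   # "10.0.0." stands in for a local subnet
        self.lifetime = lifetime           # single idle lifetime (hypothetical simplification)
        self.dyn_max = dyn_max             # stands in for net.inet.ip.fw.dyn_max
        self.dynamic: list[DynamicRule] = []

    def static_match(self, pkt: Packet) -> bool:
        # Only an outbound TCP 'setup' packet matches the base rule; the server's
        # SYN/ACK fails both the direction test and the flags test.
        return pkt.proto == "tcp" and pkt.src.startswith(self.local_prefix) and pkt.setup

    def _expire(self, now: float) -> None:
        self.dynamic = [r for r in self.dynamic if r.expires > now]

    def check(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        # check-state: consult dynamic rules before the static ruleset
        for rule in self.dynamic:
            if rule.matches(pkt):
                rule.expires = now + self.lifetime   # lifetime refreshed on every match
                return "allow (dynamic)"
        if self.static_match(pkt):
            if len(self.dynamic) >= self.dyn_max:
                # Table full: modelled here as dropping the new flow
                return "deny (dynamic table full)"
            self.dynamic.append(DynamicRule(pkt.proto, (pkt.src, pkt.sport),
                                            (pkt.dst, pkt.dport), now + self.lifetime))
            return "allow (static, state created)"
        return "deny (default)"


def flow_demo() -> list[str]:
    """Walk one TCP connection through the firewall; timestamps are seconds."""
    fw = Firewall("10.0.0.")
    syn = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, syn=True)            # constructed
    synack = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40000, syn=True, ack=True)
    data = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40000, ack=True)
    return [
        fw.check(syn, 0.0),      # base rule matches, dynamic rule created
        fw.check(synack, 1.0),   # reply: base rule cannot match it, dynamic rule can
        fw.check(data, 100.0),   # refreshes the lifetime to t=400
        fw.check(data, 350.0),   # still inside the refreshed lifetime
        fw.check(data, 800.0),   # rule lapsed after 300 s idle; nothing else allows it
    ]


def sizing_demo() -> list[str]:
    """Show what a too-small dynamic table does to new connections."""
    fw = Firewall("10.0.0.", dyn_max=2)
    decisions = []
    for sport in (40001, 40002, 40003):
        pkt = Packet("tcp", "10.0.0.5", sport, "203.0.113.9", 80, syn=True)
        decisions.append(fw.check(pkt, 0.0))
    return decisions


if __name__ == "__main__":
    for decision in flow_demo() + sizing_demo():
        print(decision)
```

The first run shows the answer to Jon's question: the SYN/ACK has the endpoints swapped and does not carry the `setup` flag combination, so the static rule never sees it, and only the flags-blind, bidirectional dynamic entry lets the rest of the flow through. The second run shows why the 1500-2000 figure matters: once the table is at its cap, every new connection that would need state is refused, which on a busy server looks like random connection failures rather than a firewall misconfiguration.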