Date: Fri, 6 Dec 2002 12:04:47 -0500
From: Ilya <mail@krel.org>
To: freebsd-ipfw@freebsd.org
Subject: Re: Auto-recover
Message-ID: <20021206170447.GA87411@krel.org>
In-Reply-To: <3DEE6D69.1080504@northnetworks.ca>
References: <3DEE16D7.1020706@northnetworks.ca> <3DEE39C3.5040704@northnetworks.ca> <000901c29bbb$7bb4a0a0$4635a8c0@sloniki> <3DEE6D69.1080504@northnetworks.ca>
I have the following setup: fxp0 - cable, fxp1 - LAN, fxp2 - DSL. I got it running with a fwd rule, so that natd is on cable and web/mail/etc. is on DSL. I have two problems with the current setup:

1. When dynamic rules expire, it disrupts an idle session, ssh for example. I increased net.inet.ip.fw.dyn_syn_lifetime to 300 and that gave me 5 min. In the man page I read about keepalive, but do I understand correctly that it is only available in ipfw2?

2. I see strange behaviour where an ssh session is made from the cable interface, for example; dynamic rules are created and all is good, I don't see any connection issues, but my last rules, which are set to deny everything on that interface that didn't match the "setup" rules or keep-state, seem to catch occasional traffic from the target ssh server to the source client. The same thing happens with www traffic, for both the server and natd. A LAN client opens a connection to some www site outside, all is good, but occasionally I see packets rejected from that server to the client, which I believe should be part of the connection. It doesn't bother me much, since I don't see any adverse effect on clients, but I was wondering why it happens. A list of rules is below. Thx a lot.
ipfw list
00100 allow ip from any to any via lo0
00200 deny log logamount 200 ip from any to 127.0.0.0/8
00300 divert 8668 ip from any to any via fxp0
00400 fwd dsl_router ip from dsl_ip1 to any out xmit fxp0
00500 fwd dsl_router ip from dsl_ip2 to any out xmit fxp0
00600 check-state
00700 allow ip from dsl_ip1 to any keep-state via fxp2
00800 allow ip from dsl_ip2 to any keep-state via fxp2
00900 allow ip from 66.234.45.101 to any keep-state via fxp0
01000 allow ip from any to any keep-state via fxp1
01100 allow tcp from any to dsl_ip1 22,25,80,443 keep-state via fxp2 setup
01200 allow tcp from any to dsl_ip2 22,25,80,443 keep-state via fxp2 setup
01300 allow tcp from any to 66.234.45.101 22,113 keep-state via fxp0 setup
01400 allow udp from any 1024-65535,53 to dsl_ip1 53 via fxp2
01500 allow udp from any 1024-65535,53 to dsl_ip2 53 via fxp2
01600 allow udp from any 53 to dsl_ip1 1024-65535 via fxp2
01700 allow udp from any 53 to dsl_ip2 1024-65535 via fxp2
01800 allow udp from dsl_ip1 53 to any 1024-65535,53 via fxp2
01900 allow udp from dsl_ip2 53 to any 1024-65535,53 via fxp2
02000 allow icmp from any to any icmptype 3,4,11,12
02100 deny ip from any to any in recv fxp0 frag
02200 deny ip from any to any in recv fxp2 frag
65533 deny log logamount 200 ip from any to any in recv fxp0
65533 deny log logamount 200 ip from any to any in recv fxp2
65535 allow ip from any to any
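To make the two questions in the message concrete, here is an added Python model of how a keep-state dynamic rule ages out for a single TCP flow. It is illustration code written for this thread, not FreeBSD's ipfw implementation, and its state machine is a simplification of the real one. The lifetime defaults are the documented net.inet.ip.fw.dyn_*_lifetime sysctl defaults (dyn_ack_lifetime 300 s for established TCP, dyn_syn_lifetime 20 s, dyn_fin_lifetime and dyn_rst_lifetime 1 s); the 20-second keepalive lead time and the immediate peer reply to a keepalive are assumptions of the model. The constructed scenarios show an idle ssh session losing its dynamic rule after the established-flow lifetime unless dyn_keepalive (ipfw2) refreshes it, and a retransmitted FIN/ACK that arrives a second after the close falling through to the final deny rule, which is one mechanism that produces the kind of occasional logged packet described in the second question.

```python
"""Simplified model of ipfw dynamic-rule ageing for one TCP flow.

Added illustration for the freebsd-ipfw thread; not FreeBSD code. The
lifetimes below are the documented sysctl defaults; KEEPALIVE_LEAD and the
instant peer reply are modelling assumptions.
"""

DEFAULT_SYSCTL = {
    "net.inet.ip.fw.dyn_syn_lifetime": 20,   # half-open: SYN seen, handshake incomplete
    "net.inet.ip.fw.dyn_ack_lifetime": 300,  # established: SYN and ACK seen both ways
    "net.inet.ip.fw.dyn_fin_lifetime": 1,    # FIN seen
    "net.inet.ip.fw.dyn_rst_lifetime": 1,    # RST seen
    "net.inet.ip.fw.dyn_keepalive": 1,       # ipfw2 only: refresh idle established flows
}
KEEPALIVE_LEAD = 20  # assumed: seconds before expiry at which a keepalive is sent


def lifetime(state, sysctl):
    """Map the model's state name (syn/ack/fin/rst) to its sysctl lifetime."""
    return sysctl["net.inet.ip.fw.dyn_%s_lifetime" % state]


def simulate(packets, sysctl=None, peer_answers_keepalive=True):
    """Run packets through a check-state/keep-state pair and a final deny.

    packets: list of (t_seconds, direction, flags) sorted by time, direction
    'out' or 'in', flags a set such as {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}.
    Returns [(t, verdict)] with verdict 'setup' (matched the static setup rule,
    dynamic rule created), 'dynamic' (matched the dynamic rule) or 'denied'
    (no rule left, so the packet falls through to the final deny).
    """
    sysctl = dict(DEFAULT_SYSCTL, **(sysctl or {}))
    rule = None
    verdicts = []
    for t, direction, flags in packets:
        if rule is not None:
            keepalive_on = (sysctl["net.inet.ip.fw.dyn_keepalive"]
                            and rule["state"] == "ack"
                            and peer_answers_keepalive
                            and lifetime("ack", sysctl) > KEEPALIVE_LEAD)
            if keepalive_on:
                # Each keepalive goes out KEEPALIVE_LEAD seconds before expiry
                # and the peer's ACK refreshes the rule, so an established
                # flow survives any idle gap while both ends are up.
                while rule["expire"] - KEEPALIVE_LEAD < t:
                    rule["expire"] = (rule["expire"] - KEEPALIVE_LEAD
                                      + lifetime("ack", sysctl))
            if t > rule["expire"]:
                rule = None  # aged out: check-state no longer matches
        if rule is None:
            if "SYN" in flags and "ACK" not in flags:
                # Only a bare SYN matches a rule written with "setup".
                rule = {"state": "syn", "expire": 0.0, "syn": set(), "ack": set()}
                verdict = "setup"
            else:
                verdicts.append((t, "denied"))
                continue
        else:
            verdict = "dynamic"
        if "SYN" in flags:
            rule["syn"].add(direction)
        if "ACK" in flags:
            rule["ack"].add(direction)
        if "RST" in flags:
            rule["state"] = "rst"
        elif "FIN" in flags:
            rule["state"] = "fin"
        elif rule["state"] == "syn" and len(rule["syn"]) == 2 and len(rule["ack"]) == 2:
            rule["state"] = "ack"  # handshake complete: established lifetime applies
        rule["expire"] = t + lifetime(rule["state"], sysctl)
        verdicts.append((t, verdict))
    return verdicts


# Constructed scenarios (times in seconds from the first packet).
HANDSHAKE = [(0.0, "out", {"SYN"}), (0.05, "in", {"SYN", "ACK"}), (0.1, "out", {"ACK"})]
# An ssh session that sits idle for 400 s and then sends a keystroke.
IDLE_SSH = HANDSHAKE + [(400.0, "out", {"ACK"})]
# A clean close followed by a retransmitted FIN/ACK from the server 2 s later.
TEARDOWN_STRAGGLER = HANDSHAKE + [(10.0, "out", {"FIN", "ACK"}),
                                  (10.05, "in", {"FIN", "ACK"}),
                                  (10.1, "out", {"ACK"}),
                                  (12.0, "in", {"FIN", "ACK"})]


def verdict_list(packets, sysctl=None, peer_answers_keepalive=True):
    """Convenience wrapper returning only the verdicts, in packet order."""
    return [v for _, v in simulate(packets, sysctl, peer_answers_keepalive)]


if __name__ == "__main__":
    print("idle ssh, keepalive off:", verdict_list(IDLE_SSH, {"net.inet.ip.fw.dyn_keepalive": 0}))
    print("idle ssh, keepalive on: ", verdict_list(IDLE_SSH))
    print("teardown straggler:     ", verdict_list(TEARDOWN_STRAGGLER))
```

The first scenario is where raising dyn_syn_lifetime does not help: once the handshake completes the rule is governed by dyn_ack_lifetime, so the idle session is cut at 300 s unless keepalives are on or that lifetime is raised. The teardown scenario shows why a late packet from a closed flow lands in the deny log without any harm to the clients.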