From: Jos Chrispijn
To: Michael Sierchio, FreeBSD Mailing List
Subject: Re: IPFW | Too many dynamic rules?
Date: Sun, 24 Jan 2021 12:08:07 +0100

Thanks for your help, Michael.

Knowing so little about ipfw, I think it is time to raise my learning curve on it. Can you give me a hint as to where I can get more information at nub level? Especially the remark Michael made, "The lifetime of dynamic rules is, by default, way too long.", intrigues me. What is the exact result of shortening them?
Do I undermine ipfw protection by giving it too little or too much time to check incoming requests?

Best,
Jos

On 22-1-21 at 1:58, Michael Sierchio wrote:
> > Good luck!
> Thank you!