Date: Wed, 28 May 2003 17:52:35 +0700 (ICT) From: Olivier Nicole <on@cs.ait.ac.th> To: freebsd-questions@freebsd.org Subject: ipfw and statefull rules Message-ID: <200305281052.RAA06037@banyan.cs.ait.ac.th>
Hi,

I am trying to install a standalone firewall between my LAN and my router to the outside world. The machine is a Pentium 4, 1.5 GHz, 128MB RAM, 2 ethernet 3Com 905B without IP defined (and one cheap ethernet card to allow monitoring of the machine). Bridge and ipfw2 are enabled.

I'd like to have all the traffic going through stateful rules, with some restrictions on the incoming traffic that should only go to the servers, but quite open outgoing traffic from the clients (my clients and servers are on the same LAN).

Stateful rules for incoming traffic to the servers are OK. But when I set up a stateful rule for the client outgoing traffic, the problem arises:

  39980 allow tcp from any to any setup keep-state
  39990 allow udp from any to any keep-state

That should do it (icmp is treated somewhere else).

I see the number of dynamic rules increasing to some unlimited end; after a couple of hours of running:

  firewall<root>127: sysctl net.inet.ip.fw.dyn_count
  net.inet.ip.fw.dyn_count: 15910

and it continues to increase. It will not decrease even at night time when there is nobody around.

On the other hand, if I list the dynamic rules with ipfw -d list, I see only a few hundred of them (about 10% of the above), and this number is fluctuating normally depending on the traffic.

  firewall<root>125: ipfw -d list | grep "<->" | wc -l
  1849

I don't understand why the numbers are different. Also, after a while net.inet.ip.fw.dyn_count will reach a sort of maximum (way lower than the defined maximum) and the firewall will not deliver any traffic.
  firewall<root>50: sysctl -a |grep ip.fw
  net.inet.ip.fw.enable: 1
  net.inet.ip.fw.autoinc_step: 100
  net.inet.ip.fw.one_pass: 1
  net.inet.ip.fw.debug: 1
  net.inet.ip.fw.verbose: 1
  net.inet.ip.fw.verbose_limit: 100
  net.inet.ip.fw.dyn_buckets: 32768
  net.inet.ip.fw.curr_dyn_buckets: 32768
  net.inet.ip.fw.dyn_count: 6024
  net.inet.ip.fw.dyn_max: 65535
  net.inet.ip.fw.static_count: 89
  net.inet.ip.fw.dyn_ack_lifetime: 300
  net.inet.ip.fw.dyn_syn_lifetime: 120
  net.inet.ip.fw.dyn_fin_lifetime: 1
  net.inet.ip.fw.dyn_rst_lifetime: 1
  net.inet.ip.fw.dyn_udp_lifetime: 5
  net.inet.ip.fw.dyn_short_lifetime: 5
  net.inet.ip.fw.dyn_keepalive: 1
  net.link.ether.bridge_cfg: xl0,xl1
  net.link.ether.bridge: 1
  net.link.ether.bridge_ipfw: 1
  net.link.ether.bridge_ipf: 0
  net.link.ether.bridge_ipfw_drop: 0
  net.link.ether.bridge_ipfw_collisions: 0

  FreeBSD firewall.cs.ait.ac.th 4.8-RELEASE FreeBSD 4.8-RELEASE #4: Wed May 28 17:32:21 ICT 2003 root@firewall.cs.ait.ac.th:/usr/src/sys/compile/SMALL i386

Best regards,

Olivier
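The post compares a raw "grep | wc" of ipfw -d list against net.inet.ip.fw.dyn_count. The following shell script is an added example, not part of the original message or of FreeBSD's own tools: it breaks the listed dynamic entries down per parent rule and protocol (so you can tell whether the 39980 tcp rule or the 39990 udp rule is the one accumulating state), buckets them by remaining lifetime against the dyn_*_lifetime values shown above, and reports how many kernel-counted states the listing does not account for. The "ipfw -d list" line format it parses is an approximation of FreeBSD 4.x ipfw2 output, and SAMPLE is constructed test data, not a capture from the poster's firewall.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ipfw2 dynamic
# state entries from "ipfw -d list" and compare the count with the
# kernel's net.inet.ip.fw.dyn_count.  The listing format below is an
# approximation of FreeBSD 4.x ipfw2 output, and SAMPLE is constructed
# test data, not a capture from the poster's firewall.

SAMPLE='00100 allow ip from any to any via lo0
39980 allow tcp from any to any setup keep-state
39990 allow udp from any to any keep-state
65535 deny ip from any to any
## Dynamic rules (5):
39980       12      1834 (298s) STATE tcp 192.0.2.10 1043 <-> 198.51.100.7 80
39980        3       210 (1s) STATE tcp 192.0.2.10 1044 <-> 198.51.100.7 443
39990        2       168 (5s) STATE udp 192.0.2.20 1025 <-> 198.51.100.53 53
39990        1        84 (4s) STATE udp 192.0.2.21 1026 <-> 198.51.100.53 53
39980        8       920 (117s) STATE tcp 192.0.2.11 1050 <-> 198.51.100.9 25'

# count_states: number of dynamic entries in an "ipfw -d list" listing on
# stdin (each dynamic entry carries a "<->" between the two endpoints).
count_states() {
    grep -c '<->'
}

# states_by_rule: one "parent-rule proto count" line per keep-state rule,
# so you can see which rule (39980 tcp or 39990 udp) is accumulating state.
# Field 1 is the parent rule number, field 6 the protocol.
states_by_rule() {
    awk '/<->/ { n[$1 " " $6]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# states_by_lifetime: bucket entries by remaining lifetime (field 4,
# "(298s)"), using the thresholds from the poster's sysctl values
# (dyn_udp/dyn_short 5s, dyn_syn 120s, dyn_ack 300s).  Entries above
# 300s are the ones none of those lifetimes would be expiring.
states_by_lifetime() {
    awk '/<->/ {
            t = $4; sub(/^\(/, "", t); sub(/s\)$/, "", t); t += 0
            if (t <= 5) b["<=5s"]++
            else if (t <= 120) b["<=120s"]++
            else if (t <= 300) b["<=300s"]++
            else b[">300s"]++
         }
         END {
            print "<=5s", b["<=5s"] + 0
            print "<=120s", b["<=120s"] + 0
            print "<=300s", b["<=300s"] + 0
            print ">300s", b[">300s"] + 0
         }'
}

# compare_counts LISTED KERNEL: how many states the kernel counts that
# the listing does not show.
compare_counts() {
    echo "listed=$1 dyn_count=$2 unaccounted=$(( $2 - $1 ))"
}

# On a live FreeBSD 4.x firewall (not run here):
#   ipfw -d list | states_by_rule
#   ipfw -d list | states_by_lifetime
#   compare_counts "$(ipfw -d list | count_states)" "$(sysctl -n net.inet.ip.fw.dyn_count)"
```

Run the three summaries a few minutes apart: if the per-rule counts stay flat while dyn_count keeps climbing, the growth is in states the listing never shows, which is the discrepancy the post describes; if one rule's count climbs and the >300s bucket fills, the lifetimes themselves are the thing to look at.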