From owner-freebsd-questions@FreeBSD.ORG Wed May 28 03:51:04 2003
Date: Wed, 28 May 2003 17:52:35 +0700 (ICT)
Message-Id: <200305281052.RAA06037@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: freebsd-questions@freebsd.org
Subject: ipfw and stateful rules

Hi,

I am trying to install a standalone firewall between my LAN and my router to the outside world. The machine is a Pentium 4, 1.5 GHz, 128 MB RAM, with two 3Com 905B Ethernet cards without IP addresses defined (and one cheap Ethernet card to allow monitoring of the machine). Bridge and ipfw2 are enabled.

I'd like to have all the traffic going through stateful rules, with some restrictions on the incoming traffic, which should only go to the servers, but quite open outgoing traffic from the clients (my clients and servers are on the same LAN).

Stateful rules for incoming traffic to the servers are OK.
But when I set up a stateful rule for the client outgoing traffic, the problem arises:

    39980 allow tcp from any to any setup keep-state
    39990 allow udp from any to any keep-state

That should do it (ICMP is treated somewhere else).

I see the number of dynamic rules increasing, apparently without limit; after a couple of hours of running:

    firewall127: sysctl net.inet.ip.fw.dyn_count
    net.inet.ip.fw.dyn_count: 15910

and it continues to increase. It will not decrease even at night time when there is nobody around.

On the other hand, if I list the dynamic rules with ipfw -d list, I see only a few hundred of them (about 10% of the above), and this number fluctuates normally depending on the traffic:

    firewall125: ipfw -d list | grep "<->" | wc -l
    1849

I don't understand why the numbers are different.

Also, after a while net.inet.ip.fw.dyn_count will reach a sort of maximum (way lower than the defined maximum) and the firewall will not deliver any traffic.

    firewall50: sysctl -a | grep ip.fw
    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.autoinc_step: 100
    net.inet.ip.fw.one_pass: 1
    net.inet.ip.fw.debug: 1
    net.inet.ip.fw.verbose: 1
    net.inet.ip.fw.verbose_limit: 100
    net.inet.ip.fw.dyn_buckets: 32768
    net.inet.ip.fw.curr_dyn_buckets: 32768
    net.inet.ip.fw.dyn_count: 6024
    net.inet.ip.fw.dyn_max: 65535
    net.inet.ip.fw.static_count: 89
    net.inet.ip.fw.dyn_ack_lifetime: 300
    net.inet.ip.fw.dyn_syn_lifetime: 120
    net.inet.ip.fw.dyn_fin_lifetime: 1
    net.inet.ip.fw.dyn_rst_lifetime: 1
    net.inet.ip.fw.dyn_udp_lifetime: 5
    net.inet.ip.fw.dyn_short_lifetime: 5
    net.inet.ip.fw.dyn_keepalive: 1
    net.link.ether.bridge_cfg: xl0,xl1
    net.link.ether.bridge: 1
    net.link.ether.bridge_ipfw: 1
    net.link.ether.bridge_ipf: 0
    net.link.ether.bridge_ipfw_drop: 0
    net.link.ether.bridge_ipfw_collisions: 0

    FreeBSD firewall.cs.ait.ac.th 4.8-RELEASE FreeBSD 4.8-RELEASE #4: Wed May 28 17:32:21 ICT 2003 root@firewall.cs.ait.ac.th:/usr/src/sys/compile/SMALL i386

Best regards,

Olivier
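The diagnostic the post is doing by hand (comparing net.inet.ip.fw.dyn_count with a grep over `ipfw -d list`) can be scripted, and ipfw2 also accepts `-e` together with `-d` to include expired dynamic rules in the listing, which is the first thing to compare against dyn_count. The script below is an added example written for this page, not code from the original post or from FreeBSD. It summarises a dynamic-rule listing per parent rule and protocol, splitting live from expired entries, and it also prints the usual stateful skeleton (a check-state rule ahead of the keep-state rules) as plain ipfw commands. The listing layout it parses is an assumption that approximates ipfw2 output, and the sample listing is constructed; the rule numbers 39970 (check-state) and the ttl-based notion of "expired" (remaining lifetime of zero or less) are hypothetical choices, so check the format against your own `ipfw -de list` output before trusting the counts.

```shell
#!/bin/sh
# Added example for this page; not part of the original post or of FreeBSD.
#
# ASSUMED line layout for a dynamic rule in `ipfw -d list` / `ipfw -de list`
# (approximation of ipfw2; verify against your own output):
#   <parent> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport>
# Only lines containing "<->" (the marker the post greps for) are counted.

# dyn_summary: read a listing on stdin, print "parent proto live expired"
# per (parent rule, protocol). ASSUMPTION: ttl <= 0 means the entry has
# expired but has not been reaped yet, so it still counts toward dyn_count.
dyn_summary() {
    awk '/<->/ {
        ttl = $4
        sub(/^\(/, "", ttl); sub(/s\)$/, "", ttl)
        key = $1 " " $6
        if (ttl + 0 > 0) live[key]++; else expired[key]++
        seen[key] = 1
    }
    END {
        for (k in seen) printf "%s %d %d\n", k, live[k] + 0, expired[k] + 0
    }' | sort
}

# dyn_total: print "<live> <expired>" over the whole listing; live+expired
# is the number to compare with sysctl -n net.inet.ip.fw.dyn_count.
dyn_total() {
    dyn_summary | awk '{ lv += $3; ex += $4 }
                       END { printf "%d %d\n", lv + 0, ex + 0 }'
}

# stateful_rules: print the ipfw commands for the stateful skeleton, with a
# check-state rule (hypothetical number 39970) ahead of the two keep-state
# rules quoted in the post. Pipe into sh on the firewall to apply.
stateful_rules() {
    cat <<'EOF'
ipfw add 39970 check-state
ipfw add 39980 allow tcp from any to any setup keep-state
ipfw add 39990 allow udp from any to any keep-state
EOF
}

# Constructed sample listing (not real firewall output): two live entries,
# one expired TCP entry and one expired UDP entry.
SAMPLE='39980 12 4500 (299s) STATE tcp 10.0.0.5 3456 <-> 192.0.2.10 80
39980 3 200 (0s) STATE tcp 10.0.0.7 4000 <-> 192.0.2.11 443
39990 8 900 (4s) STATE udp 10.0.0.5 53211 <-> 192.0.2.53 53
39990 1 60 (-3s) STATE udp 10.0.0.9 53212 <-> 192.0.2.53 53
'

# On a real box replace the sample with:  ipfw -de list | dyn_summary
printf '%s' "$SAMPLE" | dyn_summary
printf '%s' "$SAMPLE" | dyn_total
```

On the firewall itself, run `ipfw -de list | dyn_total` next to `sysctl -n net.inet.ip.fw.dyn_count`: if the sum of live and expired entries tracks dyn_count while `ipfw -d list` alone does not, the gap between the two numbers in the post is made of expired entries that have not been reclaimed yet.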