Date: Tue, 19 Nov 2002 08:56:12 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: Shawn Barnhart <swb@grasslake.net>
Cc: ipfw@FreeBSD.ORG
Subject: Re: Stateful rules
Message-ID: <20021119085612.A67523@xorpc.icir.org>
In-Reply-To: <001a01c28fea$0200c7c0$62229fc0@ad.campbellmithun.com>; from swb@grasslake.net on Tue, Nov 19, 2002 at 10:37:53AM -0600
References: <001a01c28fea$0200c7c0$62229fc0@ad.campbellmithun.com>
Those rules do not make a lot of sense. Perhaps you should post your entire ruleset if you want us to understand what is going on.

cheers
luigi

On Tue, Nov 19, 2002 at 10:37:53AM -0600, Shawn Barnhart wrote:
> I've recently switched over to using the stateful capabilities of ipfw
> (4.7-STABLE).
>
> I have rules like:
>
> check state
> allow tcp from my_host to any keep-state
> allow udp from my_host to any keep-state
> ....
> deny log ip from any to any
>
> In that order.
>
> What I've noticed is that during web browsing (and only web browsing), I see
> a small number of packets hitting the deny rule at the end, as if the
> dynamic rule had either expired or didn't apply. I didn't notice it
> impacting the actual web browsing I was doing (i.e., no misdrawn pages or
> other glitches).
>
> I haven't seen any other types of packets blocked other than web traffic;
> ssh, dns, even udp-intensive games seem OK.
>
> Any potential explanations?
>
> I thought there might be some low sysctl variables, but
> net.inet.ip.fw.dyn_count appears to be well below net.inet.ip.fw.dyn_max.
>
> One other thing I'm curious about is net.inet.ip.fw.dyn_buckets -- what does
> this have to do with net.inet.ip.fw.dyn_max or dynamic rule processing? I
> can't quite glean the relationship it has with net.inet.ip.fw.dyn_max, if
> there is one, or when/how/if it should be adjusted.
>
> -Shawn
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
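The following is an added example, not code from either poster or from the ipfw project. It emits a stateful ruleset in the order the question describes (check-state first, keep-state on outbound traffic, a logged deny last), with `setup` added to the TCP rule so that only the initial SYN creates a dynamic rule, and collects the sysctls a practitioner would look at when packets of an existing flow hit the final deny. A packet that arrives after its flow's dynamic rule has expired (a retransmission or late ACK following the FIN exchange of a short HTTP connection, for instance) no longer matches check-state and falls through to the deny, and the per-state lifetimes (`net.inet.ip.fw.dyn_*_lifetime`) govern when that happens; `dyn_buckets` is the size of the hash table the dynamic rules are stored in and is independent of the `dyn_max` rule-count limit. `MY_HOST` and the rule numbers are placeholders, and `IPFW` defaults to `echo ipfw` so the script is a dry run anywhere; set `IPFW=ipfw` on a FreeBSD host to apply it.

```shell
#!/bin/sh
# Added example; not from the thread or the ipfw project.
# Emits a stateful ipfw ruleset in the order the original post describes
# (check-state first, keep-state on outbound traffic, deny log last).
# IPFW defaults to "echo ipfw" so the script runs anywhere as a dry run;
# set IPFW=ipfw on a FreeBSD host to apply it.

: "${IPFW:=echo ipfw}"
: "${MY_HOST:=192.0.2.10}"   # assumed address; substitute the real one

# Ordering matters: check-state must come before the keep-state rules so
# that packets of an established flow match their dynamic rule before any
# static rule is consulted.
stateful_ruleset() {
    $IPFW add 100 check-state
    # 'setup' restricts dynamic-rule creation to the initial SYN; without
    # it any outbound TCP packet (including a stray late ACK) creates state.
    $IPFW add 200 allow tcp from "$MY_HOST" to any setup keep-state
    $IPFW add 210 allow udp from "$MY_HOST" to any keep-state
    # Keep logging on the final deny so hits from expired state stay visible.
    $IPFW add 65000 deny log ip from any to any
}

# Return 0 if check-state is ordered before the first keep-state rule in the
# emitted ruleset (a sanity check for the dry run).
check_state_first() {
    rules="$(stateful_ruleset)"
    cs="$(printf '%s\n' "$rules" | grep -n 'check-state' | head -n1 | cut -d: -f1)"
    ks="$(printf '%s\n' "$rules" | grep -n 'keep-state' | head -n1 | cut -d: -f1)"
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ]
}

# Number of 'add' commands the ruleset emits.
rule_count() {
    stateful_ruleset | grep -c ' add '
}

# Tunables to inspect when packets of an existing flow hit the final deny:
# dyn_count/dyn_max (table occupancy), dyn_buckets (hash table size for the
# dynamic rules, independent of dyn_max) and the per-state lifetimes.
show_dyn_state() {
    sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max \
           net.inet.ip.fw.dyn_buckets \
           net.inet.ip.fw.dyn_syn_lifetime net.inet.ip.fw.dyn_ack_lifetime \
           net.inet.ip.fw.dyn_fin_lifetime net.inet.ip.fw.dyn_rst_lifetime \
           net.inet.ip.fw.dyn_udp_lifetime net.inet.ip.fw.dyn_short_lifetime
}

stateful_ruleset
if [ "$(uname -s)" = FreeBSD ]; then
    show_dyn_state
fi
```

Run it as-is to see the commands it would issue; on a FreeBSD host, `IPFW=ipfw sh ruleset.sh` applies them and prints the dynamic-rule sysctls afterwards. Compare `dyn_count` against `dyn_max` and look at `dyn_fin_lifetime` and `dyn_ack_lifetime` when the logged denies coincide with connection teardown.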