Re: Dynamic IPFW Rules

From: Drew Tomlinson (
Date: 10/18/01

From: "Drew Tomlinson" <>
To: <>
Date: Thu, 18 Oct 2001 09:44:09 -0700

----- Original Message -----
From: "Crist J. Clark" <>
To: "Drew Tomlinson" <>
Cc: <>; <freebsd-security@FreeBSD.ORG>
Sent: Thursday, October 18, 2001 1:38 AM
Subject: Re: Dynamic IPFW Rules

> On Wed, Oct 17, 2001 at 06:49:21PM -0700, Drew Tomlinson wrote:
> > ----- Original Message -----
> > From: <>
> > To: "Drew Tomlinson" <>
> > Cc: <>
> > Sent: Wednesday, October 17, 2001 4:50 PM
> > Subject: Re: Dynamic IPFW Rules
> >
> >
> > >
> > > > I have created my first firewall and it seems to be handling
> > traffic
> > > > properly (yayyyy!). However, I have noticed that my dynamic
> > don't
> > > > ever seem to expire.
> > >
> > > [snip]
> > >
> > > > 02100 1 60 (T 0, # 0) ty 0 tcp, 3139 <->
> > 80
> > >
> > > This is expired (T 0), just not removed.
> >
> > OK, thanks. Is there a way to remove those rules that have expired?
> You can remove the parent rule. IIRC, they get removed if they get
> hit. If you reach the limit, I believe it starts to overwrite expired
> rules. I would have to look at the code more closely to remember.
> Another option is to make a shell script or alias that drops expired
> rules,
> ipfw show | awk -F'[ ,]' '$5 != 0 { print }'
> Does it. I have a longer script that does this and also prints rules
> by interface,

OK so if I understand correctly, the rules stay in ipfw show even when
expired until net.inet.ip.fw.dyn_max is reached. Then new rules
overwrite expired rules, correct? So then my firewall is working
correctly based on code for 4.4-RELEASE but there is new code
in -CURRENT that will be merged into the -STABLE branch sometime in the
future that will remove the expired rules from the output of ipfw show?

And one more question: Where would I have found information on the
output of the dynamic rules? In other words, how would (should) I have
known that (T 0) was an expired rule?

Thank you for the explaination. I really enjoy *understanding* why
things work the way they do instead of just accepting that they work.



To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Re: Dynamic IPFW Rules
    ... > Subject: Re: Dynamic IPFW Rules ... >> Another option is to make a shell script or alias that drops expired ... I have a longer script that does this and also prints rules ...
  • Re: multiple natd + ipfw, with 2 internal ips
    ... I have a little problem with my natd or ipfw configuration. ... Well you could if you set your internal interface to be in promiscuous mode and set proxy arp for that address ... is the next hop router, it uses ARP to find the MAC address of this router. ...
  • RE: Which interface do I put natd and ipfw
    ... You only NAT the public internet facing interface, ... You should turn on user ppp -nat function and not use the ipfw ... public internet use keep-state. ... All rules use via interface name to specify the interface the ...
  • Re: Freebsd IP Forwarding performance (question, and some info) [7-stable, current, em, smp]
    ... All incoming traffic from any particular interface is still serialized though. ... I've really only focused on local traffic performance with my 10gbps Chelsio setup, it should be possible to do packet forwarding from multiple input queues using that hardware and driver today. ... However, these necessarily take a cache miss or two on packet header data in order to break out the packets from the input queue into flows that can be processed independently without ordering constraints, so if those cache misses on header data are a big part of the performance of a configuration, load balancing in this manner may not help. ... Maximum PPS with one ipfw rule on UP: ...
  • RE: Dual Ethernet NIC w/ failover
    ... the shell script de-configures the ... > interface, assuming the identity of the 1st interface. ... >> cards, however I haven't seen a lot of posts regarding the ... >> availability of dual ethernet cards with working failover ...