Re: Unexpected keep state behaviour in ipfw

From: Peter Jeremy (peter.jeremy@alcatel.com.au)
Date: 09/17/02


Date: Wed, 18 Sep 2002 07:00:04 +1000
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: dfolkins <dfolkins@comcast.net>

On 2002-Sep-17 02:55:36 -0400, dfolkins <dfolkins@comcast.net> wrote:
>first, your "idle time" for standard tcp connections is controlled by a
>sysctl variable named net.inet.ip.fw.dyn_ack_lifetime. if it is set too
>short (default is 300 seconds, i think) you can always just reset it to a
>longer value, either from command prompt or from sysctl.conf. just set it
>to a number you think appropriate for idle established connections to
>remain
>active. e.g. if you want your idle ftp connections to stay alive for 10
>minutes, set that variable to 600. there are a bunch of related variables.
>to see them all just do a "sysctl -a |grep dyn".

net.inet.ip.fw.dyn_ack_lifetime is a tradeoff between keeping active
connections alive and minimising the impact of massive numbers of
dynamic rules. I also feel that 300 seconds is too short (note that
IPFilter uses 120 hours, which I think is far too long). My problem
is that the connections are being dropped after less than
net.inet.ip.fw.dyn_ack_lifetime seconds of idle time. I have tried
juggling net.inet.tcp.keepidle, net.inet.tcp.keepintvl and
net.inet.ip.fw.dyn_ack_lifetime so that the latter is longer than
the former (in ipfw) and this still didn't work. It would appear
that the dynamic rule timers are never being reset.

>as to why your ssh connection stays alive even through the night - i
>suspect that is because your ssh server on your firewall has a
>configuration setting that makes it send keep-alives, i.e. your
>clientaliveinterval in sshd_config is set to some value which is less
>than your net.inet.ip.fw.dyn_ack_lifetime value.

Nope. I'm using the default ClientAliveInterval value (ie disabled).

Based on comments in another thread here, I suspect the underlying
problem is that ipfw dynamic rules don't work with ipnat. (Though
I don't understand why - ipnat should be invisible to ipfw). My
ssh connectins remain working courtesy of either normal or ipfw2
keepalives (since that connection isn't NAT'd).

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message