Re: Unexpected keep state behaviour in ipfw

From: dfolkins (dfolkins@comcast.net)
Date: 09/18/02


Date: Tue, 17 Sep 2002 23:48:01 -0400
From: dfolkins <dfolkins@comcast.net>
To: freebsd-security@FreeBSD.ORG


> net.inet.ip.fw.dyn_ack_lifetime is a tradeoff between keeping active
> connections alive and minimising the impact of massive numbers of
> dynamic rules. I also feel that 300 seconds is too short (note that
> IPFilter uses 120 hours, which I think is far too long). My problem
> is that the connections are being dropped after less than
> net.inet.ip.fw.dyn_ack_lifetime seconds of idle time. I have tried
> juggling net.inet.tcp.keepidle, net.inet.tcp.keepintvl and
> net.inet.ip.fw.dyn_ack_lifetime so that the latter is longer than
> the former (in ipfw) and this still didn't work. It would appear
> that the dynamic rule timers are never being reset.
>
> >As to why your ssh connection stays alive even through the night - I
> >suspect that is because your ssh server on your firewall has a
> >configuration setting that makes it send keep-alives, i.e. your
> >ClientAliveInterval in sshd_config is set to some value which is less
> >than your net.inet.ip.fw.dyn_ack_lifetime value.
>
> Nope. I'm using the default ClientAliveInterval value (ie disabled).
>
> Based on comments in another thread here, I suspect the underlying
> problem is that ipfw dynamic rules don't work with ipnat. (Though
> I don't understand why - ipnat should be invisible to ipfw). My
> ssh connections remain working courtesy of either normal or ipfw2
> keepalives (since that connection isn't NAT'd).
>
Well, given this description, I guess maybe you are right, and it's having
problems with ipnat. I had some problems with natd/ipfw myself (cf. recent
thread in -security), so it's possible ipfw doesn't behave well with ipnat
either. Maybe the solution is to switch to ipfilter after all...

Sorry I couldn't be more helpful.

--
dfolkins
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
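The thread turns on one question: which mechanism, if any, refreshes an idle ipfw dynamic rule before net.inet.ip.fw.dyn_ack_lifetime runs out. The script below is an added illustration, not code from either poster. It parses a constructed (not captured) sample of `ipfw -d show` output in the classic dynamic-rule format, and it encodes the three refresh sources the thread mentions: ipfw2's own dyn_keepalive, the kernel TCP keepalive timer (net.inet.tcp.keepidle, in milliseconds, which only helps for sockets that have SO_KEEPALIVE set on the firewall itself), and sshd's ClientAliveInterval. The sysctl values, the sample rule output and the assumption that a dst-port 22 state is an sshd session on the firewall are all constructed for the example.

```python
import re

# Constructed sample of `ipfw -d show` output (not taken from a real host).
# Assumed dynamic-rule line format:
#   <rule> <pkts> <bytes> (<remaining>s) STATE <proto> <src> <sport> <-> <dst> <dport>
SAMPLE_IPFW_D_SHOW = """\
00100 allow tcp from any to me dst-port 22 in setup keep-state
00200 allow tcp from 192.168.1.0/24 to any setup keep-state
## Dynamic rules (2):
00100     412    61234 (17s) STATE tcp 10.0.0.5 51234 <-> 192.168.1.1 22
00200    2031  1834021 (298s) STATE tcp 192.168.1.20 41001 <-> 203.0.113.9 443
"""

STATE_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<left>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)


def parse_dynamic_rules(text):
    """Return the dynamic (STATE) entries from `ipfw -d show` output as dicts."""
    rules = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # static rules and the '## Dynamic rules' banner are skipped
        d = m.groupdict()
        for key in ("rule", "pkts", "bytes", "left", "sport", "dport"):
            d[key] = int(d[key])
        rules.append(d)
    return rules


def refresh_sources(dyn_ack_lifetime, keepidle_ms, dyn_keepalive, client_alive_interval=0):
    """List the mechanisms that would refresh an idle TCP state before it expires.

    dyn_ack_lifetime      net.inet.ip.fw.dyn_ack_lifetime, seconds
    keepidle_ms           net.inet.tcp.keepidle, milliseconds (kernel TCP keepalive;
                          only for sockets with SO_KEEPALIVE, e.g. sshd TCPKeepAlive yes)
    dyn_keepalive         net.inet.ip.fw.dyn_keepalive (ipfw2 sends keepalives itself)
    client_alive_interval sshd ClientAliveInterval, seconds; 0 means disabled (default)
    """
    sources = []
    if dyn_keepalive:
        sources.append("ipfw dyn_keepalive")
    if keepidle_ms / 1000.0 < dyn_ack_lifetime:
        sources.append("tcp keepalive (keepidle)")
    if 0 < client_alive_interval < dyn_ack_lifetime:
        sources.append("sshd ClientAliveInterval")
    return sources


def expiring_within(rules, seconds):
    """Dynamic rules whose remaining lifetime is below `seconds`."""
    return [r for r in rules if r["left"] < seconds]


def report(text, dyn_ack_lifetime, keepidle_ms, dyn_keepalive, client_alive_interval=0):
    """Per-state verdict: which refresh sources apply if the flow goes idle.

    ClientAliveInterval only helps for sessions sshd itself terminates, so it is
    credited only to dst-port 22 states (assumption for the constructed sample).
    """
    verdicts = []
    for r in parse_dynamic_rules(text):
        cai = client_alive_interval if r["dport"] == 22 else 0
        verdicts.append((r["rule"], r["left"],
                         refresh_sources(dyn_ack_lifetime, keepidle_ms, dyn_keepalive, cai)))
    return verdicts


if __name__ == "__main__":
    # Defaults as constructed for the example: keepidle 2 h, lifetime 300 s,
    # no ipfw keepalives, ClientAliveInterval disabled -> nothing refreshes idle states.
    for rule, left, srcs in report(SAMPLE_IPFW_D_SHOW, 300, 7200000, 0, 0):
        print(rule, left, srcs or "nothing keeps this state alive when idle")
```

With the constructed defaults (keepidle 7200000 ms, dyn_ack_lifetime 300 s, dyn_keepalive off, ClientAliveInterval 0) no source refreshes an idle state, which matches the symptom the thread describes; enabling net.inet.ip.fw.dyn_keepalive, or lowering keepidle below the lifetime, changes the verdict.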

