Date:      Sun, 22 Apr 2012 01:31:44 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
Cc:        freebsd-net@freebsd.org, Kevin Oberman <kob6558@gmail.com>
Subject:   Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID:  <20120421222621.O91148@sola.nimnet.asn.au>
In-Reply-To: <CAJkxAbxwc1Xq7S9Hvkwg-ZtTW5GpOWv9ceHYRCa_WBJipS54%2BQ@mail.gmail.com>
References:  <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com> <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg%2Bkw1KZ63w@mail.gmail.com> <CAN6yY1uRrfv0Bdeb%2Btosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com> <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa%2BcEOoXZTALV6bkBj207g@mail.gmail.com> <CAN6yY1s608M5coYP76OvBvOqd5HqZFyaiVb8PdviGFVN-Do1sg@mail.gmail.com> <CAJkxAbyG1%2Bkc8C_V8Ehr7cuYuaGm0VQ1C6gfXJUp1_7Vh4_zug@mail.gmail.com> <CAJkxAbwYUtcyXGFEiXiZXLEzf9EPTTwdq1-y-ngT6OuKXk1o2A@mail.gmail.com> <CAN6yY1tHvKhk4PLTmS6Yv9PvNoKdBV_fhR5UhKM2_ua8zh-d0Q@mail.gmail.com> <CAJkxAbxwc1Xq7S9Hvkwg-ZtTW5GpOWv9ceHYRCa_WBJipS54%2BQ@mail.gmail.com>

On Sat, 21 Apr 2012 15:41:30 +0400, Dmitry S. Kasterin wrote:
[..]
 > 9.0-STABLE / custom kernel
 > 
 > > Also, if
 > > you choose to use stateful TCP filtering, it is probably best to do it
 > > in the manner shown in the ipfw(8) man page under DYNAMIC RULES. This
 > > is very different from the way you did it.
 > 
 > The "DYNAMIC RULES" section gives the following recommendation:
 > 	   ipfw add check-state
 > 	   ipfw add deny tcp from any to any established
 > 	   ipfw add allow tcp from my-net to any setup keep-state
 > 
 > Is the second rule necessary?

Probably not where default policy is deny, but maybe instructive there.

When using stateful TCP rules, you 'should' never see any established 
packets that aren't part of a dynamic session; those that are will be 
taken care of by the check-state, assuming they don't arrive beyond 
timeouts - and counted, both ways, at the setup keep-state rule.

You'll likely see quite a few supposedly 'established' packets from bots 
scanning the planet in general, usually but not only from somewhere:80.  
Add log to that deny if curious about such background radiation, and set
sysctl net.inet.tcp.log_in_vain=1 if obsessively curious :)

Like Kevin, I use dynamic rules only for some outbound UDP, but here on 
low-bandwidth systems where performance is scarcely an issue, nor DoS.

For a good example using both stateless and stateful rules you may find 
the /etc/rc.firewall 'workstation' ruleset useful.

cheers, Ian
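The three-rule pattern quoted from the ipfw(8) DYNAMIC RULES section, as an added model that is not part of the thread and not ipfw's own code: a small Python simulation of check-state, deny established and allow setup keep-state, run over constructed traffic so you can see which rule catches which packet. The "my-net" prefix, the default policy and the per-state lifetimes (loosely modelled on the net.inet.ipfw.dyn_*_lifetime sysctls) are assumed values; real ipfw tracks TCP state in more detail than this.

```python
# Added example (not from the thread or from ipfw): a toy model of
#   check-state
#   deny tcp from any to any established
#   allow tcp from my-net to any setup keep-state
# Lifetimes and addresses below are assumed/constructed values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_NET = ip_network("192.0.2.0/24")   # assumed "my-net" (documentation prefix)
SYN_LIFETIME = 20                     # assumed: entry just created by a SYN
ACK_LIFETIME = 300                    # assumed: entry once an ACK has been seen
FIN_LIFETIME = 1                      # assumed: entry after a FIN or RST was seen
DEFAULT_POLICY = "deny"               # assumed policy at the end of the ruleset


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters, e.g. "S", "SA", "A", "FA", "R"
    t: float     # arrival time in seconds


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear."""
    return "S" in p.flags and "A" not in p.flags


def is_established(p: Packet) -> bool:
    """ipfw 'established': ACK or RST set."""
    return "A" in p.flags or "R" in p.flags


class StatefulFirewall:
    def __init__(self) -> None:
        self.dyn = {}        # session key -> [last_seen, lifetime]
        self.counters = {"deny established": 0, "setup keep-state": 0}
        self.log = []        # what 'log' on the deny rule would record

    @staticmethod
    def key(p: Packet):
        # Unordered pair of endpoints, so both directions hit the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> str:
        k = self.key(p)
        # Rule 1: check-state. A live dynamic entry passes the packet and,
        # as the message says, it is counted at the parent keep-state rule.
        entry = self.dyn.get(k)
        if entry is not None:
            last_seen, lifetime = entry
            if p.t - last_seen <= lifetime:
                if "F" in p.flags or "R" in p.flags:
                    lifetime = FIN_LIFETIME      # session is closing
                elif lifetime == SYN_LIFETIME:
                    lifetime = ACK_LIFETIME      # handshake has progressed
                self.dyn[k] = [p.t, lifetime]
                self.counters["setup keep-state"] += 1
                return "allow"
            del self.dyn[k]                      # expired: fall through
        # Rule 2: deny tcp from any to any established. ACK/RST without state
        # is either scanner noise or a late packet of a timed-out session.
        if is_established(p):
            self.counters["deny established"] += 1
            self.log.append(f"Deny TCP {p.src}:{p.sport} {p.dst}:{p.dport}")
            return "deny"
        # Rule 3: allow tcp from my-net to any setup keep-state.
        if is_setup(p) and ip_address(p.src) in MY_NET:
            self.dyn[k] = [p.t, SYN_LIFETIME]
            self.counters["setup keep-state"] += 1
            return "allow"
        return DEFAULT_POLICY


def run_scenario():
    """Constructed traffic: one outbound session, one scanner, one late ACK."""
    fw = StatefulFirewall()
    pkts = [
        Packet("192.0.2.10", 40000, "198.51.100.5", 80, "S", 0.0),     # our SYN out
        Packet("198.51.100.5", 80, "192.0.2.10", 40000, "SA", 0.1),    # their SYN/ACK
        Packet("192.0.2.10", 40000, "198.51.100.5", 80, "A", 0.2),     # handshake done
        Packet("203.0.113.7", 80, "192.0.2.10", 51234, "A", 1.0),      # stray ACK from somewhere:80
        Packet("203.0.113.7", 4444, "192.0.2.10", 22, "S", 1.5),       # inbound SYN, nothing allows it
        Packet("192.0.2.10", 40000, "198.51.100.5", 80, "FA", 100.0),  # we close
        Packet("198.51.100.5", 80, "192.0.2.10", 40000, "FA", 100.2),  # they close
        Packet("192.0.2.10", 40000, "198.51.100.5", 80, "A", 105.0),   # final ACK after FIN lifetime
    ]
    verdicts = [fw.filter(p) for p in pkts]
    return verdicts, fw.counters, fw.log


if __name__ == "__main__":
    for line in zip(*run_scenario()[:1]):
        print(line)
    print(run_scenario()[1])
```

The last packet is the instructive one: once both FINs have been seen the entry lives only for the short closing lifetime, so a final ACK arriving later has no state, matches "established" and is dropped by rule 2 rather than reaching the default policy. That is the kind of packet the log keyword on the deny rule would show you alongside the scanner traffic.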