Date:      Mon, 8 Apr 2002 12:20:30 +0200
From:      Paulius Bulotas <paulius@kaktusas.org>
To:        freebsd-questions@freebsd.org
Subject:   ipfw, smtp and dynamic rules (expiration?)
Message-ID:  <20020408102030.GA62618@kaktusas.org>

Hello,

This weekend I enabled ipfw with stateful rules on 4.4-RELEASE.
It's strange that there are plenty of connections that for some reason
don't match the dynamic rules. My ruleset looks as follows:

01000 check-state
...
03000 allow tcp from any to me smtp in keep-state setup
...
07000 allow tcp from me to any keep-state out setup
65000 deny log logamount 0 ip from any to me in

What I get in ipfw.log is:
65000 Deny TCP 160.245.104.8:25 191.106.39.173:1690 in via ep0
Suppose, 191.106.39.173 is me.
It seems that this was a connection from me:1690 to some:25, and then it
doesn't create a dynamic rule? (or did it expire?)
And then running ipfw s | grep 160.245.104.8 gives:
03000 28 3019 (T 0, # 10) ty 0 tcp, 160.245.104.8 56739 <-> 191.106.39.173 25

So the question would be: how does it happen that these connections
are logged? (and initiated ;)
Maybe dynamic rules expire? But then there must be a long expiration
period (net.inet.ip.fw.dyn_ack_lifetime? which I have set to 600), and smtp
seems to be a more reliable protocol ;) The same happens with http, but
there could be a keep-alive problem there (maybe).

Host 160.245.104.8 is running sendmail.

TIA
Paulius
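A small cross-check, added here as an example and not part of Paulius's post, that does mechanically what the grep above does by hand: it parses ipfw deny lines from the log and the dynamic-rule lines of ipfw show output, and for every logged deny reports whether a dynamic rule covers the same flow (in either direction, as ipfw's stateful matching does) and what its T field says. Run on the two lines quoted in the post it reports that the denied packet (160.245.104.8:25 -> 191.106.39.173:1690) has no state at all, while the only state listed belongs to a different flow (port 56739 <-> 25) whose T is already 0. The exact shapes of the log and show lines, and the reading of T as the remaining lifetime in seconds with 0 meaning already expired, are assumptions about 4.x ipfw; the syslog prefix, the static-rule line and the second deny line in the sample input are constructed.

```python
"""Cross-check ipfw deny log lines against the dynamic rule table.

Added example, not code from the original post.  Assumptions about the
FreeBSD 4.x formats (verify against your own output):
  log line: [ipfw: ]<rule> Deny TCP <src>:<sport> <dst>:<dport> in|out via <ifname>
  dyn line: <rule> <pkts> <bytes> (T <secs>, # <bucket>) ty <type> <proto>, <a> <ap> <-> <b> <bp>
  T is read as remaining lifetime in seconds; 0 means expired, waiting to be reaped.
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

Endpoint = Tuple[str, int]
StateKey = Tuple[str, FrozenSet[Endpoint]]   # (proto, {endpoint_a, endpoint_b})


class LogEntry(NamedTuple):
    rule: int
    action: str
    proto: str
    src: Endpoint
    dst: Endpoint
    direction: str
    iface: str


class DynRule(NamedTuple):
    rule: int
    pkts: int
    nbytes: int
    ttl: int          # the "T" field
    proto: str
    a: Endpoint
    b: Endpoint


_LOG_RE = re.compile(
    r"(?:ipfw:\s*)?(\d+)\s+(\w+)\s+(\w+)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+"
    r"(in|out)\s+via\s+(\S+)")

_DYN_RE = re.compile(
    r"(\d+)\s+(\d+)\s+(\d+)\s+\(T\s+(\d+),\s+#\s+\d+\)\s+ty\s+\d+\s+(\w+),\s+"
    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)")


def parse_log(text: str) -> List[LogEntry]:
    """Extract ipfw log entries; unrelated syslog lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        rule, action, proto, sip, sp, dip, dp, direction, iface = m.groups()
        out.append(LogEntry(int(rule), action, proto.lower(),
                            (sip, int(sp)), (dip, int(dp)), direction, iface))
    return out


def parse_dyn(text: str) -> List[DynRule]:
    """Extract dynamic-rule lines from ipfw show output; static rules are skipped."""
    out = []
    for line in text.splitlines():
        m = _DYN_RE.search(line)
        if not m:
            continue
        rule, pkts, nbytes, ttl, proto, a, ap, b, bp = m.groups()
        out.append(DynRule(int(rule), int(pkts), int(nbytes), int(ttl),
                           proto.lower(), (a, int(ap)), (b, int(bp))))
    return out


def state_key(proto: str, x: Endpoint, y: Endpoint) -> StateKey:
    # A dynamic rule matches its flow in both directions, so the key is direction-agnostic.
    return (proto, frozenset((x, y)))


def index_states(rules: List[DynRule]) -> Dict[StateKey, DynRule]:
    return {state_key(r.proto, r.a, r.b): r for r in rules}


def classify(entry: LogEntry, states: Dict[StateKey, DynRule]) -> str:
    """Explain a deny in terms of the dynamic rule table snapshot."""
    if entry.action.lower() != "deny":
        return "not a deny"
    st = states.get(state_key(entry.proto, entry.src, entry.dst))
    if st is None:
        return "no dynamic rule for this flow (never created, or already reaped)"
    if st.ttl == 0:
        return f"dynamic rule {st.rule:05d} exists but T=0 (expired, awaiting removal)"
    return f"dynamic rule {st.rule:05d} exists with T={st.ttl}s; deny is not explained by expiry"


def cross_check(log_text: str, dyn_text: str) -> List[Tuple[LogEntry, str]]:
    states = index_states(parse_dyn(dyn_text))
    return [(e, classify(e, states)) for e in parse_log(log_text)]


# Constructed sample input.  The first deny and the dynamic rule are the lines quoted
# in the post; the syslog prefix, the static rule and the second deny (a packet of the
# listed flow arriving after its state reached T 0) are made up for the example.
SAMPLE_LOG = """\
Apr  8 12:00:00 host /kernel: ipfw: 65000 Deny TCP 160.245.104.8:25 191.106.39.173:1690 in via ep0
Apr  8 12:00:07 host /kernel: ipfw: 65000 Deny TCP 160.245.104.8:56739 191.106.39.173:25 in via ep0
"""
SAMPLE_DYN = """\
01000 120 9876 check-state
03000 28 3019 (T 0, # 10) ty 0 tcp, 160.245.104.8 56739 <-> 191.106.39.173 25
"""

if __name__ == "__main__":
    for entry, verdict in cross_check(SAMPLE_LOG, SAMPLE_DYN):
        print(f"{entry.src[0]}:{entry.src[1]} -> {entry.dst[0]}:{entry.dst[1]} "
              f"{entry.direction} via {entry.iface}: {verdict}")
```

In practice feed it the ipfw lines from /var/log/ipfw.log (or wherever syslog puts them) and a snapshot of ipfw show taken as close in time as possible, since the table changes continuously; a deny that has no matching state and is not a SYN is the case to chase, and an entry sitting at T 0 tells you the packet lost the race against dyn_ack_lifetime rather than never having a state.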

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020408102030.GA62618>