Subject: Re: net.inet.ip.fw.dyn_keep_states (was: ipfw managing rules - best practice?)
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Ole, freebsd-ipfw@freebsd.org
Date: Thu, 25 Oct 2018 16:39:25 +0300
Message-ID: <846ae8ef-be8b-08a6-6c07-ef62f8cb1a4b@yandex.ru>
In-Reply-To: <20181025110919.61379c13.ole@free.de>
References: <20180905112847.54287198.ole@free.de> <67544958-07fe-7ff4-b5d2-88bf85324061@yandex.ru> <20181023131220.20c700ba.ole@free.de> <20181024182252.49ee516b.ole@free.de> <6bb037c2-643d-151b-cb34-f78c97f241d4@yandex.ru> <20181025110919.61379c13.ole@free.de>
List-Id: IPFW Technical Discussions

On 25.10.2018 12:09, Ole wrote:
> So do you think the bug is only related to 'setup' and not to 'keep-state'
> rules? Or is this just a coincidence?
> I'm reloading rules now for 1h each minute, and an ssh connection is still stable.

Hi,

I think you do not quite understand how it works :)

Dynamic states do not work automagically. In general terms, you have two
types of firewall rules: static and dynamic. Static rules are kept in an
array and checked by the firewall until some action is applied that
finishes the search. Dynamic rules have special opcodes that initiate the
search in dynamic states. If a packet does not have a match in these
dynamic states, a new dynamic state is created for this packet. If some
state matches a packet, then the corresponding action is applied to this
packet. This is why a "check-state" rule is usually added to the beginning
of the rules: a packet is checked first for a match in dynamic states, and
only then is it checked by the static rules.

So, when you have many rules and states, doing `ipfw flush` will delete all
static rules, but depending on the keep_states sysctl variable, dynamic
states can be kept or deleted. So, if you do `ipfw -q flush` and do not add
a new dynamic rule, all dynamic states will expire after some time and be
deleted (regardless of the fact that you have keep_states=1). But when you
do `flush` and then reload new rules that have some dynamic rules (those
that have "keep-state" or "limit" opcodes), the new rules will initiate the
search in dynamic states, and for an existing connection the state will be
updated; because of this, the connection still works.

-- 
WBR, Andrey V. Elsukov
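The mechanism described in the reply above, as an added example that is not part of the thread and not ipfw's own code: a small Python model of static rules, dynamic states, the state search done by `check-state` and `keep-state`, `ipfw flush` under `net.inet.ip.fw.dyn_keep_states`, and idle-state expiry. It replays the experiment from the thread (open an ssh session under a `check-state` plus `setup keep-state` ruleset, then flush and reload once a minute for an hour while the session keeps sending). The rule syntax, the 300 s state lifetime, the hosts 10.0.0.1/10.0.0.2, the rule numbers and the choice to store the creating rule's action inside the state are assumptions of the model, not ipfw internals.

```python
"""Simplified Python model of ipfw static rules and dynamic states (added example,
not ipfw source). Rule syntax, 300 s lifetime, hosts and rule numbers are assumed."""
from __future__ import annotations
from dataclasses import dataclass
DEFAULT_ACTION = "deny"  # rule 65535, unless built with IPFIREWALL_DEFAULT_TO_ACCEPT

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    setup: bool = False  # TCP SYN without ACK, what ipfw's "setup" matches

    def flow(self) -> tuple:
        # Direction-independent key, so replies hit the state of the request.
        return (self.proto,) + tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))

@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "allow", "deny" or "check-state"
    dport: int | None = None  # model matches on destination port and setup only
    setup: bool = False       # match only TCP setup packets
    keep_state: bool = False  # install a dynamic state on match

    def static_match(self, p: Packet) -> bool:
        return self.dport in (None, p.dport) and (not self.setup or p.setup)

@dataclass
class DynState:
    action: str   # assumption: the creating rule's action travels with the state
    expires: int

class Firewall:
    def __init__(self, dyn_keep_states: int = 0, lifetime: int = 300):
        self.rules: list[Rule] = []
        self.states: dict[tuple, DynState] = {}
        self.dyn_keep_states = dyn_keep_states  # net.inet.ip.fw.dyn_keep_states
        self.lifetime = lifetime                # seconds a state lives unrefreshed
        self.now = 0

    def add(self, rule: Rule) -> None:
        self.rules = sorted(self.rules + [rule], key=lambda r: r.number)

    def flush(self) -> None:
        self.rules = []              # `ipfw flush`: static rules always go
        if not self.dyn_keep_states:
            self.states = {}         # states survive only with dyn_keep_states=1

    def tick(self, seconds: int) -> None:
        self.now += seconds          # idle states expire; nothing else removes them
        self.states = {k: s for k, s in self.states.items() if s.expires > self.now}

    def _lookup(self, p: Packet) -> DynState | None:
        st = self.states.get(p.flow())
        if st is not None:
            st.expires = self.now + self.lifetime  # a hit refreshes the state
        return st

    def check(self, p: Packet) -> str:
        for rule in self.rules:  # static rules are walked in order until an action
            if rule.action == "check-state" or rule.keep_state:
                # check-state, or the first keep-state rule reached, searches the states first
                st = self._lookup(p)
                if st is not None:
                    return st.action
                if rule.action == "check-state":
                    continue
            if not rule.static_match(p):
                continue
            if rule.keep_state:
                self.states[p.flow()] = DynState(rule.action, self.now + self.lifetime)
            return rule.action
        return DEFAULT_ACTION

def ssh_ruleset(fw: Firewall) -> None:
    """check-state first, then 'allow tcp from any to any 22 setup keep-state'."""
    fw.add(Rule(100, "check-state"))
    fw.add(Rule(200, "allow", dport=22, setup=True, keep_state=True))
    fw.add(Rule(300, "deny"))

def reload_every_minute(dyn_keep_states: int, reload: bool, minutes: int = 60) -> dict:
    """Open an ssh session, then flush (and optionally reload) once a minute for `minutes`."""
    fw = Firewall(dyn_keep_states=dyn_keep_states)
    ssh_ruleset(fw)
    syn = Packet("tcp", "10.0.0.2", "10.0.0.1", 40000, 22, setup=True)  # assumed hosts
    reply = Packet("tcp", "10.0.0.1", "10.0.0.2", 22, 40000)
    data = Packet("tcp", "10.0.0.2", "10.0.0.1", 40000, 22)
    opened = fw.check(syn) == "allow" and fw.check(reply) == "allow"
    verdicts = set()
    for _ in range(minutes):
        fw.flush()
        if reload:
            ssh_ruleset(fw)
        fw.tick(60)
        verdicts.add(fw.check(data))  # non-SYN segment: only a state can allow it
    return {"opened": opened, "verdicts": sorted(verdicts), "state_alive": bool(fw.states)}
```

`reload_every_minute(1, True)` yields only `allow` verdicts: after each flush the kept state is found again by the reloaded `check-state` rule (or by the `keep-state` rule's own lookup) and refreshed, so the session's non-SYN segments never have to satisfy `setup`. With `dyn_keep_states=1` but nothing reloaded, the state is kept yet never consulted, the packets fall to the default rule, and the state expires on its own; with `dyn_keep_states=0` the state dies with the flush and the reloaded `setup keep-state` rule cannot re-create it from mid-connection traffic. On a real host the equivalent is `sysctl net.inet.ip.fw.dyn_keep_states=1` before the `ipfw -q flush` and reload cycle.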