From owner-freebsd-ipfw Mon Sep 4 12:27:53 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from sneakerz.org (sneakerz.org [207.154.226.254]) by hub.freebsd.org (Postfix) with ESMTP id 8D9C837B422 for ; Mon, 4 Sep 2000 12:27:51 -0700 (PDT)
Received: by sneakerz.org (Postfix, from userid 1023) id 395CF5D006; Mon, 4 Sep 2000 14:27:46 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by sneakerz.org (Postfix) with ESMTP id 37EB959206 for ; Mon, 4 Sep 2000 14:27:46 -0500 (CDT)
Date: Mon, 4 Sep 2000 14:27:46 -0500 (CDT)
From: missnglnk
To: freebsd-ipfw@freebsd.org
Subject: Issues with ipfw(8)'s dynamic rules
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I found some undesirable side effects with ipfw's dynamic rules as I was toying with it today.

a) Expired Dynamic Rules Aren't Really Expired

I noticed that once a dynamic rule expires (hitting its respective timeout value), it's not removed from the dynamic table (unless the dynamic table is full), so the connection is still allowed to continue instead of being dropped. The only indications that an expired connection is still in use are the "invalid state" messages that are sent to the console, and the combined analysis of ipfw(8) and netstat(1) output.

My Solution: Remove expired UDP and ICMP dynamic rules from the table, and for expired TCP connections send an RST to both sides of the connection, and then remove expired TCP dynamic rules from the table.

b) Premature Rule Expiration

TCP connections will expire prematurely if the connection has been idle longer than the dynamic state ACK lifetime, but shorter than the TCP keepalive interval.
This would result in "Connection reset by peer" messages, but since the first issue is still present, it only results in "invalid state" messages being sent to the console.

My Solution: By default, set the dynamic state ACK lifetime to the TCP keepalive interval, and warn the user if he/she sets the dynamic state ACK lifetime to a value less than the TCP keepalive interval.

P.S. My solutions are only suggested solutions.

-- 
missnglnk@sneakerz.org
http://www.sneakerz.org/~missnglnk/
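As an added example illustrating issue (b) in the message above (this script is not part of the original post and is not FreeBSD's own code), here is a small sh script that compares the dynamic ACK-state lifetime with the TCP keepalive idle time and warns when idle TCP state would expire from the dynamic table before the stack sends its first keepalive probe. The sysctl names net.inet.ip.fw.dyn_ack_lifetime and net.inet.tcp.keepidle are real FreeBSD sysctls; the interpretation of the post's "TCP keepalive interval" as keepidle, and the units (dyn_ack_lifetime in seconds, keepidle in milliseconds as printed by sysctl(8) on FreeBSD), are assumptions made here. The sysctl output embedded in the script is constructed sample data, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the original post: check ipfw's dynamic ACK-state
# lifetime against the TCP keepalive idle time (issue (b) above).
# Assumptions: net.inet.ip.fw.dyn_ack_lifetime is in seconds and
# net.inet.tcp.keepidle is in milliseconds, as sysctl(8) prints them on FreeBSD.
#
# Minimal stateful ruleset these timers apply to (ipfw(8) syntax, shown for
# context only, not executed by this script):
#   ipfw add 100 check-state
#   ipfw add 200 allow tcp from any to any keep-state
#   ipfw -d list      # also lists the dynamic table and each entry's timeout

# Extract one value from "name: value" lines of sysctl(8) output read on stdin.
sysctl_value() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Lifetime the post recommends: at least the keepalive idle time, in seconds.
# Round up so the lifetime is never a fraction of a second too short.
recommended_ack_lifetime() {
    echo $(( ($1 + 999) / 1000 ))
}

# Return 0 when established-state entries outlive the keepalive idle interval,
# 1 when they expire first (an idle but healthy TCP session loses its dynamic
# rule before any keepalive probe could have refreshed it).
check_ack_lifetime() {
    keepidle_ms=$1
    ack_lifetime_s=$2
    needed_s=$(recommended_ack_lifetime "$keepidle_ms")
    if [ "$ack_lifetime_s" -lt "$needed_s" ]; then
        echo "WARNING: dyn_ack_lifetime=${ack_lifetime_s}s is shorter than tcp keepidle=${needed_s}s"
        echo "         idle TCP sessions expire from the dynamic table before a keepalive is sent"
        echo "         suggested fix: sysctl net.inet.ip.fw.dyn_ack_lifetime=${needed_s}"
        return 1
    fi
    echo "ok: dyn_ack_lifetime=${ack_lifetime_s}s covers tcp keepidle=${needed_s}s"
    return 0
}

# Constructed sample of sysctl(8) output (default-looking values, not captured
# from a real host); used when the script is not running on FreeBSD.
SAMPLE_SYSCTL='net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.ip.fw.dyn_ack_lifetime: 300'

if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
    SYSCTL_OUT=$(sysctl net.inet.tcp.keepidle net.inet.ip.fw.dyn_ack_lifetime 2>/dev/null \
                 || printf '%s\n' "$SAMPLE_SYSCTL")
else
    SYSCTL_OUT=$SAMPLE_SYSCTL
fi

keepidle=$(printf '%s\n' "$SYSCTL_OUT" | sysctl_value net.inet.tcp.keepidle)
ack_lifetime=$(printf '%s\n' "$SYSCTL_OUT" | sysctl_value net.inet.ip.fw.dyn_ack_lifetime)

check_ack_lifetime "$keepidle" "$ack_lifetime" \
    || echo "(raise the sysctl as suggested, then re-run this check)"
```

With the sample values (keepidle of two hours, dyn_ack_lifetime of 300 seconds) the check warns, which is exactly the window the post describes: a session idle for more than five minutes but less than two hours has its dynamic rule expire while both endpoints still consider the connection established.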