Date:      Wed, 17 Oct 2001 15:12:47 -0700
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        <freebsd-security@freebsd.org>
Subject:   Dynamic IPFW Rules
Message-ID:  <005d01c15758$da965b70$cd2a6ba5@lc.ca.gov>

I have created my first firewall and it seems to be handling traffic
properly (yayyyy!).  However, I have noticed that my dynamic rules don't
ever seem to expire.  I have read the man pages and learned that sysctl
variables control the amount of time the rules should live.  I found
these variables listed at http://www.iet.unipi.it/~luigi/ip_dummynet/
(isn't google great?):

net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 5
	Lifetime (in seconds) for various types of dynamic rules.

I assume these values are the default and verified that my system is set
this way.  So unless I'm missing something, no rule should live longer
than 5 minutes unless it remains active.  But in looking at my rules, it
seems that my dynamic rules never expire.  Is there a way to show when
the last time a dynamic rule was matched?  I found ipfw -at list and
that will show times for my static rules but not the dynamic ones.

If you look at my rules below, you will see dynamic connections from
192.168.1.4 to 64.21.143.23:80.  I'm pretty sure this is from a cron job
I have run every hour where lynx sends a URL to zoneedit.com to update
my dynamic IP but as you can see, I have lots of these rules.  Why are
they still there?  How can I begin to find out what's going on?

Thanks for any pointers!

Drew

--------------------------------------
My network setup:

       ISP
        |
        | IP is DHCP (RFC 1918 & draft-manning nets inbound blocked here)
        |
 ADSL Modem/Router (provides DNS & NAT)
        |192.168.10.1 (RFC 1918 & draft-manning nets outbound blocked here)
        |
        |192.168.10.2 (ed1)
     Firewall
        |
        |192.168.1.2 (ed0)
        |
Internal Network 192.168.1.0/24

-------------------------------------
Firewall rules:

blacksheep# ipfw show
00100     0       0 allow ip from any to any via lo0
00200     0       0 deny log ip from any to 127.0.0.0/8
00300     0       0 deny log ip from 192.168.1.0/24 to any in recv ed1
00400     0       0 deny log ip from not 192.168.1.0/24 to any in recv ed0
00500 30887 6166212 allow tcp from any to any established
00600   550   25600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143 setup
00700     0       0 allow tcp from any to 192.168.10.2 21,22 setup
00800     0       0 allow icmp from any to any
00900     0       0 allow icmp from any to any icmptype 3,4,11,12
01000     0       0 allow udp from 206.13.19.133 123 to 192.168.1.4 123
01100     0       0 allow udp from 165.227.1.1 123 to 192.168.1.4 123
01200     0       0 allow udp from 63.192.96.2 123 to 192.168.1.4 123
01300     0       0 allow udp from 63.192.96.3 123 to 192.168.1.4 123
01400     0       0 allow udp from 132.239.254.49 123 to 192.168.1.4 123
01500  1086  120543 allow udp from 192.168.10.1 to any
01600  1084   75255 allow udp from any to 192.168.10.1
01700     0       0 allow gre from 165.66.1.20 to any
01800     0       0 allow gre from any to 165.66.1.20
01900     0       0 check-state
02000     2     120 allow ip from 192.168.10.2 to any keep-state out xmit ed1
02100   681   53189 allow ip from 192.168.1.0/24 to any keep-state via ed0
65500     6     288 deny log ip from any to any
65535     0       0 allow ip from any to any
## Dynamic rules:
02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
02100 1 60 (T 0, # 1) ty 0 tcp, 192.168.1.4 3138 <-> 64.21.143.23 80
02100 1 60 (T 0, # 2) ty 0 tcp, 192.168.1.4 3137 <-> 64.21.143.23 80
02100 1 60 (T 0, # 3) ty 0 tcp, 192.168.1.4 3136 <-> 64.21.143.23 80
02100 1 60 (T 0, # 4) ty 0 tcp, 192.168.1.4 3143 <-> 64.21.143.23 80
02100 1 60 (T 0, # 5) ty 0 tcp, 192.168.1.4 3142 <-> 64.21.143.23 80
02100 1 60 (T 0, # 6) ty 0 tcp, 192.168.1.4 3141 <-> 64.21.143.23 80
02100 1 60 (T 0, # 7) ty 0 tcp, 192.168.1.4 3140 <-> 64.21.143.23 80
02100 1 60 (T 0, # 8) ty 0 tcp, 192.168.1.4 3147 <-> 64.21.143.23 80
02100 1 60 (T 0, # 9) ty 0 tcp, 192.168.1.4 3146 <-> 64.21.143.23 80
02100 1 60 (T 0, # 10) ty 0 tcp, 192.168.1.4 3145 <-> 64.21.143.23 80
02100 1 60 (T 0, # 11) ty 0 tcp, 192.168.1.4 3144 <-> 64.21.143.23 80
02100 1 60 (T 0, # 12) ty 0 tcp, 192.168.1.4 3151 <-> 64.21.143.23 80
02100 1 60 (T 0, # 15) ty 0 tcp, 192.168.1.4 3148 <-> 64.21.143.23 80
02100 1 60 (T 0, # 16) ty 0 tcp, 192.168.1.4 3155 <-> 64.21.143.23 80
02100 1 60 (T 0, # 17) ty 0 tcp, 192.168.1.4 3154 <-> 64.21.143.23 80
02100 1 60 (T 0, # 18) ty 0 tcp, 192.168.1.4 3153 <-> 64.21.143.23 80
02100 1 60 (T 0, # 19) ty 0 tcp, 192.168.1.4 3152 <-> 64.21.143.23 80
02100 1 60 (T 0, # 20) ty 0 tcp, 192.168.1.4 3159 <-> 64.21.143.23 80
02100 1 60 (T 0, # 21) ty 0 tcp, 192.168.1.4 3158 <-> 64.21.143.23 80
02100 1 60 (T 0, # 22) ty 0 tcp, 192.168.1.4 3157 <-> 64.21.143.23 80
02100 1 60 (T 0, # 23) ty 0 tcp, 192.168.1.4 3156 <-> 64.21.143.23 80
02100 1 60 (T 0, # 24) ty 0 tcp, 192.168.1.4 3163 <-> 64.21.143.23 80
02100 1 60 (T 0, # 25) ty 0 tcp, 192.168.1.4 3162 <-> 64.21.143.23 80
02100 1 60 (T 0, # 26) ty 0 tcp, 192.168.1.4 3161 <-> 64.21.143.23 80
02100 1 60 (T 0, # 27) ty 0 tcp, 192.168.1.4 3160 <-> 64.21.143.23 80
02100 1 60 (T 0, # 28) ty 0 tcp, 192.168.1.4 3167 <-> 64.21.143.23 80
02100 1 60 (T 0, # 29) ty 0 tcp, 192.168.1.4 3166 <-> 64.21.143.23 80
02100 1 60 (T 0, # 30) ty 0 tcp, 192.168.1.4 3165 <-> 64.21.143.23 80
02100 1 60 (T 0, # 31) ty 0 tcp, 192.168.1.4 3164 <-> 64.21.143.23 80
02100 1 60 (T 0, # 35) ty 0 tcp, 192.168.1.4 3168 <-> 64.21.143.23 80
02100 1 60 (T 0, # 36) ty 0 tcp, 192.168.1.4 3175 <-> 64.21.143.23 80
02100 1 60 (T 0, # 37) ty 0 tcp, 192.168.1.4 3174 <-> 64.21.143.23 80
02100 1 60 (T 0, # 40) ty 0 tcp, 192.168.1.4 3179 <-> 64.21.143.23 80
02100 1 60 (T 0, # 41) ty 0 tcp, 192.168.1.4 3178 <-> 64.21.143.23 80
02100 1 60 (T 0, # 42) ty 0 tcp, 192.168.1.4 3177 <-> 64.21.143.23 80
02100 1 60 (T 0, # 43) ty 0 tcp, 192.168.1.4 3176 <-> 64.21.143.23 80
02100 1 60 (T 0, # 44) ty 0 tcp, 192.168.1.4 3183 <-> 64.21.143.23 80
02100 1 60 (T 0, # 45) ty 0 tcp, 192.168.1.4 3182 <-> 64.21.143.23 80
02100 1 60 (T 0, # 46) ty 0 tcp, 192.168.1.4 3181 <-> 64.21.143.23 80
02100 1 60 (T 0, # 47) ty 0 tcp, 192.168.1.4 3180 <-> 64.21.143.23 80
02100 1 60 (T 0, # 48) ty 0 tcp, 192.168.1.4 3187 <-> 64.21.143.23 80
02100 1 60 (T 0, # 49) ty 0 tcp, 192.168.1.4 3186 <-> 64.21.143.23 80
02100 1 60 (T 0, # 50) ty 0 tcp, 192.168.1.4 3185 <-> 64.21.143.23 80
02100 1 60 (T 0, # 51) ty 0 tcp, 192.168.1.4 3184 <-> 64.21.143.23 80
02100 1 60 (T 0, # 52) ty 0 tcp, 192.168.1.4 3191 <-> 64.21.143.23 80
02100 1 60 (T 0, # 53) ty 0 tcp, 192.168.1.4 3190 <-> 64.21.143.23 80
02100 1 60 (T 0, # 54) ty 0 tcp, 192.168.1.4 3189 <-> 64.21.143.23 80
02100 1 60 (T 0, # 55) ty 0 tcp, 192.168.1.4 3188 <-> 64.21.143.23 80
02100 1 60 (T 0, # 60) ty 0 tcp, 192.168.1.4 3199 <-> 64.21.143.23 80
02100 1 60 (T 0, # 61) ty 0 tcp, 192.168.1.4 3198 <-> 64.21.143.23 80
02100 1 60 (T 0, # 62) ty 0 tcp, 192.168.1.4 3197 <-> 64.21.143.23 80
02100 1 44 (T 0, # 68) ty 0 tcp, 192.168.1.4 3192 <-> 64.136.17.33 25
02100 1 44 (T 0, # 93) ty 0 tcp, 192.168.1.4 3169 <-> 64.136.17.33 25
02100 1 44 (T 0, # 106) ty 0 tcp, 192.168.1.4 3170 <-> 216.136.204.21 25
02100 1 44 (T 0, # 107) ty 0 tcp, 192.168.1.4 3171 <-> 216.136.204.21 25
02100 1 44 (T 0, # 108) ty 0 tcp, 192.168.1.4 3172 <-> 216.136.204.21 25
02100 1 44 (T 0, # 109) ty 0 tcp, 192.168.1.4 3173 <-> 216.136.204.21 25
02100 1 44 (T 0, # 113) ty 0 tcp, 192.168.1.4 3193 <-> 216.136.204.21 25
02100 1 44 (T 0, # 114) ty 0 tcp, 192.168.1.4 3194 <-> 216.136.204.21 25
02100 1 44 (T 0, # 115) ty 0 tcp, 192.168.1.4 3195 <-> 216.136.204.21 25
02100 1 44 (T 0, # 116) ty 0 tcp, 192.168.1.4 3196 <-> 216.136.204.21 25
02100 1 60 (T 0, # 120) ty 0 tcp, 192.168.1.4 3131 <-> 64.21.143.23 80
02100 1 60 (T 0, # 124) ty 0 tcp, 192.168.1.4 3135 <-> 64.21.143.23 80
02100 1 60 (T 0, # 125) ty 0 tcp, 192.168.1.4 3134 <-> 64.21.143.23 80
02100 1 60 (T 0, # 126) ty 0 tcp, 192.168.1.4 3133 <-> 64.21.143.23 80
02100 1 60 (T 0, # 127) ty 0 tcp, 192.168.1.4 3132 <-> 64.21.143.23 80
02100 1 44 (T 0, # 152) ty 0 tcp, 192.168.1.4 3216 <-> 216.136.204.21 25
02100 1 44 (T 0, # 153) ty 0 tcp, 192.168.1.4 3217 <-> 216.136.204.21 25
02100 1 44 (T 0, # 154) ty 0 tcp, 192.168.1.4 3218 <-> 216.136.204.21 25
02100 1 44 (T 0, # 155) ty 0 tcp, 192.168.1.4 3219 <-> 216.136.204.21 25
02100 1 44 (T 0, # 179) ty 0 tcp, 192.168.1.4 3215 <-> 64.136.17.33 25
02100 1 60 (T 0, # 192) ty 0 tcp, 192.168.1.4 3203 <-> 64.21.143.23 80
02100 1 60 (T 0, # 193) ty 0 tcp, 192.168.1.4 3202 <-> 64.21.143.23 80
02100 1 60 (T 0, # 194) ty 0 tcp, 192.168.1.4 3201 <-> 64.21.143.23 80
02100 1 60 (T 0, # 195) ty 0 tcp, 192.168.1.4 3200 <-> 64.21.143.23 80
02100 1 60 (T 0, # 196) ty 0 tcp, 192.168.1.4 3207 <-> 64.21.143.23 80
02100 1 60 (T 0, # 197) ty 0 tcp, 192.168.1.4 3206 <-> 64.21.143.23 80
02100 1 60 (T 0, # 198) ty 0 tcp, 192.168.1.4 3205 <-> 64.21.143.23 80
02100 1 60 (T 0, # 199) ty 0 tcp, 192.168.1.4 3204 <-> 64.21.143.23 80
02100 1 60 (T 0, # 200) ty 0 tcp, 192.168.1.4 3211 <-> 64.21.143.23 80
02100 1 60 (T 0, # 201) ty 0 tcp, 192.168.1.4 3210 <-> 64.21.143.23 80
02100 1 60 (T 0, # 202) ty 0 tcp, 192.168.1.4 3209 <-> 64.21.143.23 80
02100 1 60 (T 0, # 203) ty 0 tcp, 192.168.1.4 3208 <-> 64.21.143.23 80
02100 1 60 (T 0, # 205) ty 0 tcp, 192.168.1.4 3214 <-> 64.21.143.23 80
02100 1 60 (T 0, # 206) ty 0 tcp, 192.168.1.4 3213 <-> 64.21.143.23 80
02100 1 60 (T 0, # 207) ty 0 tcp, 192.168.1.4 3212 <-> 64.21.143.23 80
02000 0 0 (T 0, # 210) ty 0 tcp, 192.168.10.2 1219 <-> 202.12.29.56 43
02100 1 60 (T 0, # 212) ty 0 tcp, 192.168.1.4 3223 <-> 64.21.143.23 80
02100 1 60 (T 0, # 213) ty 0 tcp, 192.168.1.4 3222 <-> 64.21.143.23 80
02100 1 60 (T 0, # 214) ty 0 tcp, 192.168.1.4 3221 <-> 64.21.143.23 80
02100 1 60 (T 0, # 215) ty 0 tcp, 192.168.1.4 3220 <-> 64.21.143.23 80
02100 1 60 (T 0, # 216) ty 0 tcp, 192.168.1.4 3227 <-> 64.21.143.23 80
02100 1 60 (T 0, # 217) ty 0 tcp, 192.168.1.4 3226 <-> 64.21.143.23 80
02100 1 60 (T 0, # 218) ty 0 tcp, 192.168.1.4 3225 <-> 64.21.143.23 80
02100 1 60 (T 0, # 219) ty 0 tcp, 192.168.1.4 3224 <-> 64.21.143.23 80
02100 1 60 (T 0, # 220) ty 0 tcp, 192.168.1.4 3231 <-> 64.21.143.23 80
02100 1 60 (T 0, # 221) ty 0 tcp, 192.168.1.4 3230 <-> 64.21.143.23 80
02100 1 60 (T 0, # 222) ty 0 tcp, 192.168.1.4 3229 <-> 64.21.143.23 80
02100 1 60 (T 0, # 223) ty 0 tcp, 192.168.1.4 3228 <-> 64.21.143.23 80
02100 1 60 (T 0, # 224) ty 0 tcp, 192.168.1.4 3235 <-> 64.21.143.23 80
02100 1 60 (T 0, # 225) ty 0 tcp, 192.168.1.4 3234 <-> 64.21.143.23 80
02100 1 60 (T 0, # 226) ty 0 tcp, 192.168.1.4 3233 <-> 64.21.143.23 80
02100 1 60 (T 0, # 227) ty 0 tcp, 192.168.1.4 3232 <-> 64.21.143.23 80
02100 1 60 (T 0, # 228) ty 0 tcp, 192.168.1.4 3239 <-> 64.21.143.23 80
02100 1 60 (T 0, # 229) ty 0 tcp, 192.168.1.4 3238 <-> 64.21.143.23 80
02100 1 60 (T 0, # 230) ty 0 tcp, 192.168.1.4 3237 <-> 64.21.143.23 80
02100 1 60 (T 0, # 231) ty 0 tcp, 192.168.1.4 3236 <-> 64.21.143.23 80
02100 1 60 (T 0, # 232) ty 0 tcp, 192.168.1.4 3243 <-> 64.21.143.23 80
02100 1 60 (T 0, # 233) ty 0 tcp, 192.168.1.4 3242 <-> 64.21.143.23 80
02100 1 60 (T 0, # 234) ty 0 tcp, 192.168.1.4 3241 <-> 64.21.143.23 80
02100 1 60 (T 0, # 235) ty 0 tcp, 192.168.1.4 3240 <-> 64.21.143.23 80
02100 1 60 (T 0, # 236) ty 0 tcp, 192.168.1.4 3247 <-> 64.21.143.23 80
02100 1 60 (T 0, # 237) ty 0 tcp, 192.168.1.4 3246 <-> 64.21.143.23 80
02100 1 60 (T 0, # 238) ty 0 tcp, 192.168.1.4 3245 <-> 64.21.143.23 80
02100 1 60 (T 0, # 239) ty 0 tcp, 192.168.1.4 3244 <-> 64.21.143.23 80
02100 1 60 (T 0, # 240) ty 0 tcp, 192.168.1.4 3251 <-> 64.21.143.23 80
02100 1 60 (T 0, # 241) ty 0 tcp, 192.168.1.4 3250 <-> 64.21.143.23 80
02100 1 60 (T 0, # 242) ty 0 tcp, 192.168.1.4 3249 <-> 64.21.143.23 80
02100 1 60 (T 0, # 243) ty 0 tcp, 192.168.1.4 3248 <-> 64.21.143.23 80
02100 1 60 (T 0, # 244) ty 0 tcp, 192.168.1.4 3255 <-> 64.21.143.23 80
02100 1 60 (T 0, # 245) ty 0 tcp, 192.168.1.4 3254 <-> 64.21.143.23 80
02100 1 60 (T 0, # 246) ty 0 tcp, 192.168.1.4 3253 <-> 64.21.143.23 80
02100 1 60 (T 0, # 247) ty 0 tcp, 192.168.1.4 3252 <-> 64.21.143.23 80
02100 1 238 (T 0, # 251) ty 0 udp, 192.168.1.4 138 <-> 192.168.1.255 138
02100 2 156 (T 0, # 252) ty 0 udp, 192.168.1.3 137 <-> 192.168.1.255 137


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
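A small parser for the dynamic-rule listing shown in the post, added here as an example and not part of the original message or of ipfw itself. It reads lines in the `rulenum pkts bytes (T n, # bucket) ty t proto, src sport <-> dst dport` layout printed above, groups the state entries by flow, and counts how many of them report `T 0`; the field layout and the reading of `T` as the remaining lifetime in seconds are assumptions about this FreeBSD 4.x output, and the sample lines are constructed from the post (with one entry given a non-zero `T` so both cases are exercised). Summarising the state table this way is the quickest way to see which host and destination account for the pile-up, and how many entries are already past their lifetime, before touching the `net.inet.ip.fw.dyn_*_lifetime` sysctls.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by `ipfw show` on the poster's system.
# Assumed field layout (not documented on the page):
#   rulenum pkts bytes (T <secs-to-expiry>, # <hash-bucket>) ty <type> <proto>, src sport <-> dst dport
SAMPLE = """\
02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
02100 1 60 (T 0, # 1) ty 0 tcp, 192.168.1.4 3138 <-> 64.21.143.23 80
02100 1 44 (T 0, # 68) ty 0 tcp, 192.168.1.4 3192 <-> 64.136.17.33 25
02000 0 0 (T 0, # 210) ty 0 tcp, 192.168.10.2 1219 <-> 202.12.29.56 43
02100 1 238 (T 0, # 251) ty 0 udp, 192.168.1.4 138 <-> 192.168.1.255 138
02100 2 156 (T 17, # 252) ty 0 udp, 192.168.1.3 137 <-> 192.168.1.255 137
"""

DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T\s+(?P<ttl>-?\d+),\s+#\s+(?P<bucket>\d+)\)\s+"
    r"ty\s+(?P<type>\d+)\s+(?P<proto>\w+),\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)


def parse_dynamic_rules(text):
    """Return one dict per dynamic-rule line; static rules and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for k in ("rule", "pkts", "bytes", "ttl", "bucket", "type", "sport", "dport"):
            e[k] = int(e[k])
        entries.append(e)
    return entries


def summarize(entries):
    """Count state entries per (proto, src, dst, dport) flow, and how many show T <= 0."""
    by_flow = Counter()
    expired_by_flow = Counter()
    for e in entries:
        key = (e["proto"], e["src"], e["dst"], e["dport"])
        by_flow[key] += 1
        if e["ttl"] <= 0:          # assumption: T is seconds left before the entry expires
            expired_by_flow[key] += 1
    return by_flow, expired_by_flow


def per_source_host(entries):
    """How many state entries each internal host owns; useful for spotting one noisy client."""
    return Counter(e["src"] for e in entries)


def report(text):
    """Human-readable summary, one line per flow, busiest flows first."""
    entries = parse_dynamic_rules(text)
    by_flow, expired = summarize(entries)
    lines = []
    for key, n in by_flow.most_common():
        proto, src, dst, dport = key
        lines.append(f"{proto:4} {src:>15} -> {dst:>15}:{dport:<5} states={n:3} T0={expired[key]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("per host:", dict(per_source_host(parse_dynamic_rules(SAMPLE))))
```

On a live box the same parser can be fed the output of `ipfw show` (the section after `## Dynamic rules:`); lines that are not dynamic-rule entries simply fail to match and are ignored.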