From: Harald Schmalzbauer
To: freebsd-stable@FreeBSD.ORG
Subject: Re: ipfw, keep-state and ssh
Date: 08 Dec 2001 23:41:29 -0100
Message-Id: <1007858489.618.18.camel@adm01.belenus.com>
In-Reply-To: <20011208223731.GA28158@leviathan.inethouston.net>

On Sat, 2001-12-08 at 23:37, David W. Chapman Jr. wrote:
> On Sat, Dec 08, 2001 at 12:06:22PM -0100, Harald Schmalzbauer wrote:
> > Hello,
> >
> > today I set up a packet filter with ipfw. The last time I have used it
> > was long before 4.0 so keep-state is new to me (for IPFW, I know it in
> > IPFilter).
*snip*
> > pass? But then keep-state is useless for TCP.
> >
> The problem is ipfw's states aren't really states, they are timers.
> SSH sends a keep-alive around every 10 mins, way past the default
> settings for the timer in ipfw.

REALLY? Sorry for crying, but this means I have to rewrite my rules again. But it explains my errors. *argh*
Perhaps this should be clarified for those like me, the ones who skim over pages when they think they know the function :-(
To be precise, almost nothing works correctly. I've posted my rules before, so if anyone is interested: I removed the SA (setup) from the rules, otherwise every connection dies after timeout. But even if I allow TCP-ACK links to set state, suddenly, I couldn't figure out when, the link dies. Even while typing. And that's not nice.
OK, I'll rewrite it like "double-entry bookkeeping". The thing that comes in has to go somewhere out ;-)

Thanks,

-Harry

> --
> David W. Chapman Jr.
> dwcjr@inethouston.net Raintree Network Services, Inc.
> dwcjr@freebsd.org FreeBSD Committer
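Added illustration, not part of the thread: a small Python model of David's point that an ipfw keep-state entry is a timer rather than a TCP state, refreshed by each matching packet and gone once its deadline passes. It assumes the FreeBSD default of 300 s for net.inet.ip.fw.dyn_ack_lifetime and the roughly 10-minute ssh keep-alive from the thread; the session durations and packet gaps are constructed.

```python
"""Constructed model of ipfw dynamic ("keep-state") rule lifetime.

An established flow's dynamic rule is refreshed to `now + dyn_ack_lifetime`
(sysctl net.inet.ip.fw.dyn_ack_lifetime, FreeBSD default 300 s) by every
packet it matches, and is removed once that deadline passes. The next packet
of the flow then falls through to the static rules, which in a strict
keep-state ruleset have nothing left to match it.
"""

DYN_ACK_LIFETIME_DEFAULT = 300  # FreeBSD default, seconds


def first_expiry(packet_times, ack_lifetime=DYN_ACK_LIFETIME_DEFAULT):
    """packet_times: ascending offsets (s) of packets after the handshake.
    Returns None if every packet arrives before the current deadline,
    otherwise the time at which the dynamic rule silently expired."""
    deadline = ack_lifetime  # entry moved to the ACK timer when the handshake completed
    for t in packet_times:
        if t > deadline:
            return deadline
        deadline = t + ack_lifetime
    return None


def ssh_keepalives(duration, interval=600):
    """Packet offsets for an otherwise idle ssh session that only sends a
    keep-alive every `interval` seconds (about 10 min, per the thread)."""
    return list(range(interval, duration + 1, interval))


def interactive_typing(duration, gap=30):
    """Packet offsets for a session with a keystroke every `gap` seconds (constructed)."""
    return list(range(gap, duration + 1, gap))


def session_outcome(packet_times, ack_lifetime, static_allows_established=False):
    """'ok' if the flow's own traffic kept the dynamic rule alive; otherwise
    'static-pass' when a static 'established' rule admits the flow anyway
    (which makes keep-state pointless), or 'dropped'."""
    if first_expiry(packet_times, ack_lifetime) is None:
        return "ok"
    return "static-pass" if static_allows_established else "dropped"


if __name__ == "__main__":
    hour = 3600
    print("idle ssh, default timer :", session_outcome(ssh_keepalives(hour), 300))
    print("idle ssh, timer 900 s   :", session_outcome(ssh_keepalives(hour), 900))
    print("typing, default timer   :", session_outcome(interactive_typing(hour), 300))
```

Raising net.inet.ip.fw.dyn_ack_lifetime above the ssh keep-alive interval is the configuration change this model points at; the packet gaps it uses are illustrative, not measured.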