From owner-freebsd-security Tue Jul 16 20:03:48 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D62D537B400; Tue, 16 Jul 2002 20:03:43 -0700 (PDT)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8180643E6E; Tue, 16 Jul 2002 20:03:33 -0700 (PDT) (envelope-from marka@drugs.dv.isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.12.5/8.12.5) with ESMTP id g6H330Je077763; Wed, 17 Jul 2002 13:03:00 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200207170303.g6H330Je077763@drugs.dv.isc.org>
To: Michael Sharp
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: Dynamic Rules with IPFW
In-reply-to: Your message of "Tue, 16 Jul 2002 21:42:48 -0400." <20020716214248.3fef4af2.freebsd@ec.rr.com>
Date: Wed, 17 Jul 2002 13:03:00 +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I use Dynamic rulesets with IPFW:
>
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
>
> But I also have services I need anyone on the net to get to, without me making
> a connection first from "my-net". I allow such services with:
>
> allow tcp from any to my-net 25,80,443 setup in via xl0 keep-state
>
> This works fine for 25, 80, and 443. However, when I apply the same rule for SSH,
> and login to my box remotely, about 10 minutes later the connection just
> dies, and it dies with every connection. Removing the keep-state option for
> ssh effectively closes 22, obviously. Would check-state be a better option here?
>
> Michael
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

smtp, http and https are short-lived connections with very little idle time. ssh is a long-lived connection with large amounts of idle time. You need to have the dynamic lifetime exceed the keep alive timer or allow established ssh connections to continue to exist.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
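To make Mark's point concrete, here is an added toy model of the three-rule dynamic set from Michael's post (check-state, deny established, allow ... setup keep-state). It is not from the thread and is not ipfw code; the lifetime values, addresses and packet timings are constructed. It shows the idle SSH session being cut off once its dynamic rule expires, and the two remedies Mark names: a longer dynamic lifetime, or traffic (keepalives) that refreshes the state.

```python
# Toy model of ipfw dynamic rules: check-state / deny established /
# allow ... setup keep-state. Constructed timings and addresses, not ipfw output.
from dataclasses import dataclass

@dataclass
class Packet:
    t: float          # seconds since the session began
    src: str
    dst: str
    port: int         # the service port (22, 25, ...) for both directions
    syn: bool = False # "setup": a SYN without ACK
    ack: bool = False # any later segment of the flow ("established")

class DynamicFirewall:
    def __init__(self, dyn_lifetime, allowed_in_ports):
        self.dyn_lifetime = dyn_lifetime        # plays the role of the dynamic rule lifetime
        self.allowed_in_ports = allowed_in_ports
        self.state = {}                         # flow key -> expiry time

    @staticmethod
    def _key(p):
        return (min(p.src, p.dst), max(p.src, p.dst), p.port)

    def filter(self, p):
        key = self._key(p)
        exp = self.state.get(key)
        if exp is not None:                     # rule 1: check-state
            if p.t < exp:
                self.state[key] = p.t + self.dyn_lifetime   # traffic refreshes the entry
                return "allow (dynamic rule matched)"
            del self.state[key]                 # idle too long: dynamic rule expired
        if p.ack and not p.syn:                 # rule 2: deny tcp from any to any established
            return "deny (established, no state)"
        if p.syn and p.port in self.allowed_in_ports:   # rule 3: allow ... setup keep-state
            self.state[key] = p.t + self.dyn_lifetime
            return "allow (setup, dynamic rule created)"
        return "deny (default)"

def ssh_session(dyn_lifetime, keepalive_every=None, idle_until=700):
    """Verdict on the first packet the user sends after an idle period."""
    fw = DynamicFirewall(dyn_lifetime, allowed_in_ports={22, 25, 80, 443})
    client, server = "203.0.113.5", "192.0.2.10"   # constructed addresses
    pkts = [Packet(0, client, server, 22, syn=True), Packet(5, client, server, 22, ack=True)]
    if keepalive_every:                          # server-side keepalive traffic during the idle gap
        pkts += [Packet(t, server, client, 22, ack=True)
                 for t in range(5 + keepalive_every, idle_until, keepalive_every)]
    pkts.append(Packet(idle_until, client, server, 22, ack=True))   # user types again
    return [fw.filter(p) for p in pkts][-1]
```

`ssh_session(300)` is denied because the idle gap outlives the dynamic rule; `ssh_session(900)` and `ssh_session(300, keepalive_every=60)` are both allowed.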