Date:      Thu, 18 Oct 2001 09:44:09 -0700
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        <cjclark@alum.mit.edu>
Cc:        <Mark.Andrews@isc.org>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: Dynamic IPFW Rules
Message-ID:  <008201c157f4$1c0c7620$cd2a6ba5@lc.ca.gov>
References:  <200110172350.f9HNor915316@drugs.dv.isc.org> <000d01c15777$1b9a8240$0301a8c0@bigdaddy> <20011018013856.C373@blossom.cjclark.org>

----- Original Message -----
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Cc: <Mark.Andrews@isc.org>; <freebsd-security@FreeBSD.ORG>
Sent: Thursday, October 18, 2001 1:38 AM
Subject: Re: Dynamic IPFW Rules


> On Wed, Oct 17, 2001 at 06:49:21PM -0700, Drew Tomlinson wrote:
> > ----- Original Message -----
> > From: <Mark.Andrews@isc.org>
> > To: "Drew Tomlinson" <drew@mykitchentable.net>
> > Cc: <freebsd-security@freebsd.org>
> > Sent: Wednesday, October 17, 2001 4:50 PM
> > Subject: Re: Dynamic IPFW Rules
> >
> >
> > >
> > > > I have created my first firewall and it seems to be handling
> > > > traffic properly (yayyyy!).  However, I have noticed that my
> > > > dynamic rules don't ever seem to expire.
> > >
> > > [snip]
> > >
> > > > 02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
> > >
> > > This is expired (T 0), just not removed.
> >
> > OK, thanks.  Is there a way to remove those rules that have expired?
>
> You can remove the parent rule. IIRC, they get removed if they get
> hit. If you reach the limit, I believe it starts to overwrite expired
> rules. I would have to look at the code more closely to remember.
>
> Another option is to make a shell script or alias that drops expired
> rules,
>
>     ipfw show | awk -F'[ ,]' '$5 != 0 { print }'
>
> Does it. I have a longer script that does this and also prints rules
> by interface,

OK, so if I understand correctly, the rules stay in ipfw show even when
expired until net.inet.ip.fw.dyn_max is reached.  Then new rules
overwrite expired rules, correct?  So then my firewall is working
correctly based on code for 4.4-RELEASE but there is new code
in -CURRENT that will be merged into the -STABLE branch sometime in the
future that will remove the expired rules from the output of ipfw show?

And one more question:  Where would I have found information on the
output of the dynamic rules?  In other words, how would (should) I have
known that (T 0) was an expired rule?

Thank you for the explanation.  I really enjoy *understanding* why
things work the way they do instead of just accepting that they work.

Drew

[...]
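Added example (not from the thread or from ipfw itself): a shell filter over constructed `ipfw show` output, in the line format quoted above, that lists the expired (T 0) dynamic entries Crist's one-liner drops, so their count can be compared against net.inet.ip.fw.dyn_max. The "## Dynamic rules:" header and all sample lines are constructed.

```shell
#!/bin/sh
# Classify dynamic rules in `ipfw show` output by the T (time-to-expire)
# field. Format assumed from the line quoted in the thread:
#   02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
# Splitting on space or comma puts "(T" in $4 and the T value in $5.
# Static rules carry no "(T n, # n)" group and are skipped.

# Constructed sample: two static rules, one live and two expired dynamic rules.
SAMPLE='00100 12 1440 allow ip from any to any via lo0
02100 55 4120 allow tcp from any to any keep-state
## Dynamic rules:
02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
02100 9 812 (T 297, # 0) ty 0 tcp, 192.168.1.4 3150 <-> 64.21.143.23 80
02100 2 120 (T 0, # 0) ty 0 tcp, 192.168.1.7 1025 <-> 10.0.0.1 22'

# Dynamic entries whose timer has reached 0: expired but not yet removed.
expired_dyn_rules() {
    awk -F'[ ,]' '$4 == "(T" && $5 == 0 { print }'
}

# Dynamic entries still counting down (what the thread's one-liner keeps).
live_dyn_rules() {
    awk -F'[ ,]' '$4 == "(T" && $5 != 0 { print }'
}

# Number of dead entries occupying slots in the dynamic-rule table;
# compare with `sysctl net.inet.ip.fw.dyn_max` on the firewall.
count_expired() {
    expired_dyn_rules | wc -l | tr -d ' '
}

# Stand-alone run on the sample; on a live box pipe `ipfw show` instead.
printf '%s\n' "$SAMPLE" | expired_dyn_rules
echo "expired dynamic entries: $(printf '%s\n' "$SAMPLE" | count_expired)"
```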

