Date: Thu, 18 Oct 2001 09:44:09 -0700 From: "Drew Tomlinson" <drew@mykitchentable.net> To: <cjclark@alum.mit.edu> Cc: <Mark.Andrews@isc.org>, <freebsd-security@FreeBSD.ORG> Subject: Re: Dynamic IPFW Rules Message-ID: <008201c157f4$1c0c7620$cd2a6ba5@lc.ca.gov> References: <200110172350.f9HNor915316@drugs.dv.isc.org> <000d01c15777$1b9a8240$0301a8c0@bigdaddy> <20011018013856.C373@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- From: "Crist J. Clark" <cristjc@earthlink.net> To: "Drew Tomlinson" <drew@mykitchentable.net> Cc: <Mark.Andrews@isc.org>; <freebsd-security@FreeBSD.ORG> Sent: Thursday, October 18, 2001 1:38 AM Subject: Re: Dynamic IPFW Rules > On Wed, Oct 17, 2001 at 06:49:21PM -0700, Drew Tomlinson wrote: > > ----- Original Message ----- > > From: <Mark.Andrews@isc.org> > > To: "Drew Tomlinson" <drew@mykitchentable.net> > > Cc: <freebsd-security@freebsd.org> > > Sent: Wednesday, October 17, 2001 4:50 PM > > Subject: Re: Dynamic IPFW Rules > > > > > > > > > > > I have created my first firewall and it seems to be handling > > traffic > > > > properly (yayyyy!). However, I have noticed that my dynamic rules > > don't > > > > ever seem to expire. > > > > > > [snip] > > > > > > > 02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 > > 80 > > > > > > This is expired (T 0), just not removed. > > > > OK, thanks. Is there a way to remove those rules that have expired? > > You can remove the parent rule. IIRC, they get removed if they get > hit. If you reach the limit, I believe it starts to overwrite expired > rules. I would have to look at the code more closely to remember. > > Another option is to make a shell script or alias that drops expired > rules, > > ipfw show | awk -F'[ ,]' '$5 != 0 { print }' > > Does it. I have a longer script that does this and also prints rules > by interface, OK so if I understand correctly, the rules stay in ipfw show even when expired until net.inet.ip.fw.dyn_max is reached. Then new rules overwrite expired rules, correct? So then my firewall is working correctly based on code for 4.4-RELEASE but there is new code in -CURRENT that will be merged into the -STABLE branch sometime in the future that will remove the expired rules from the output of ipfw show? And one more question: Where would I have found information on the output of the dynamic rules? In other words, how would (should) I have known that (T 0) was an expired rule? Thank you for the explaination. I really enjoy *understanding* why things work the way they do instead of just accepting that they work. Drew [...] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?008201c157f4$1c0c7620$cd2a6ba5>